Review Paper
Abstract:
The World Wide Web has become a truly influential part of daily life. It has served the world for
almost two decades with millions of web pages, many of which are backed by web applications. A
web page is the document on the web that the end user interacts with; it is served under a domain.
A web application is the program used by a website or web page that runs on the web server; it is
responsible for reading and manipulating the data held on the server according to the user's
requests. Web applications have become the interactive, dynamic and essential part of most web
pages and websites, and they carry the operation of the sites of firms and other users. Their
security therefore has to be in place, because they hold all the sensitive and general data of the
web page. Many exploitable vulnerabilities are present in web applications, among them phishing,
cross-site scripting (XSS) attacks and SQL injection. Cyber-attacks are now very common, so the
security of web applications is becoming more and more important. Governments and corporations
process important and sometimes sensitive data through these applications, and a security breach
or unauthorized access can have very negative consequences. This paper discusses how web
applications can be secured against these attacks.
UNIVERSITY OF SIALKOTE
Keywords:
Web application, cross-site scripting (XSS), SQL, SQL injection, obfuscation method.
Introduction:
A web application is the program behind the working of a website; it is installed on a web server
and executed there remotely, with requests arriving over the Internet. Websites and web pages are
of two types, static and dynamic. A static website consists of one or more pages whose content is
fixed in advance: it does not react to user input, shows pre-entered data, and cannot be modified
by the user. In a dynamic website the user can manipulate the data of the site, to the extent the
site has granted that permission. A dynamic website has two ends, a front-end (client side) and a
back-end (server side), whereas a static website has only a front-end, because it has only a client
side. The web application is the server-side component that tells the server how to carry out the
commands received from the client side; the client side is responsible for the interaction with the
user, and the server side consists of the web application. The front-end is implemented in HTML
(Hypertext Markup Language), JavaScript and CSS (Cascading Style Sheets), while the back-end is
implemented in PHP, Java, Python and similar languages. The web application consists of the logic
that tells the server what to display and what to alter; it is responsible for interacting with the
SQL database and displaying the data from it. HTTP (Hypertext Transfer Protocol) is the protocol
by which server and clients communicate. HTTP by itself carries requests and responses in the
clear, so secure transmission requires HTTPS, that is, HTTP over TLS. Web browsers, CGI and similar
technologies are used together with HTTP for communication between client and server. Web
applications may hold sensitive and important financial and confidential data, so any breach of
that data can be disastrous for a firm or even an individual. A number of technologies have evolved
to secure web applications against such breaches. The working and securing of a web application is
shown in the figures below.
Figure: User, Front-End and Server (request and response; collection and display of data).
Data is collected and displayed to the user on the front-end side, and the user's inputs are then
sent as requests to the server. These requests are answered by the web application installed on the
server: it processes the data from the database and returns the processed data to the client side,
which displays it to the user.
Figure: Web Server.
The database is processed by the web application, which is implemented in PHP, Java, Python or a
similar language. The processed data is then displayed to the front-end user. In a dynamic website
the database may be altered according to user input.
Figure 5 Technologies: Static Website, Dynamic Website; Web Browser, HTTP Protocol, PHP, ASP, CGI,
HTML, CSS, etc.; Server-Side Application.
The HTTP protocol is used for communication between web servers and web browsers. HTML and CSS
are client-side languages that present the front-end to the user. As the Internet grows, security
concerns grow with it, and the risk of hacking and malicious activity increases. Unauthorized users
can reach the database by many means, such as obtaining passwords or gaining unauthorized access to
the web application, and can cause serious damage. The security of these web applications is the
concern of this paper.
Literature Review:
We study the obfuscation method that is used to secure web applications against cross-site
scripting attacks. It protects an application by making its code very complicated to read, by hiding
it, and by transforming the original data, so that cross-site attacks are harder to mount. Cross-site
scripting attacks result from vulnerabilities that are mostly due to compromised security, and
according to Cisco's Annual Cybersecurity Report (2018) roughly 30-60% of these attacks are based on
cross-site scripting, which makes it one of the most common attack methods today. A cross-site
scripting attack occurs when malicious code is delivered to the victim's machine and executed as if
it were the website's own script code; in the related SQL injection attack, the attacker sends
crafted query fragments to the database in order to manipulate its data.
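The two attack classes just described, as an added example written for this review (it is not code from the paper): each appears as a vulnerable string builder beside its hardened form, and a small structural check shows how an injected value changes the shape of the generated SQL. All inputs are constructed for illustration; the driver names in the comments are only pointers to libraries that support parameter binding.

```javascript
// Added example for this review, not code from the paper: the two attack
// classes discussed above, each shown as a vulnerable string builder next to
// its hardened form. All inputs are constructed for illustration.

// ---- Cross-site scripting: untrusted text placed into HTML ----------------
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML metacharacters so the browser renders them as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the comment is spliced into markup verbatim. A comment that
// contains a tag with an event handler becomes script that runs in every
// visitor's browser (stored XSS).
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// Hardened: the same template, but the untrusted value is encoded first.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// ---- SQL injection: untrusted text placed into a query --------------------

// Vulnerable: username and password are concatenated into the SQL text, so a
// quote in the input ends the literal and the rest is parsed as SQL.
function loginQueryUnsafe(username, password) {
  return "SELECT id FROM users WHERE name = '" + username +
         "' AND pass = '" + password + "'";
}

// Hardened: the SQL text is fixed and the values travel separately as
// parameters. A real driver (node-postgres, mysql2, better-sqlite3, ...)
// binds them without ever re-parsing them as SQL.
function loginQueryParameterized(username, password) {
  return {
    text: 'SELECT id FROM users WHERE name = ? AND pass = ?',
    params: [username, password],
  };
}

// Structural check: replace every quoted literal with '?' and compare the
// skeleton that remains. If user input changed the skeleton, the input was
// parsed as SQL, i.e. the query was injected.
function queryShape(sql) {
  return sql.replace(/'[^']*'/g, "'?'");
}

function injectionChangedQuery(username, password) {
  const expected = queryShape(loginQueryUnsafe('alice', 'hunter2'));
  return queryShape(loginQueryUnsafe(username, password)) !== expected;
}

// Constructed inputs: an XSS payload and the classic SQL injection payload.
const XSS_PAYLOAD = '<img src=x onerror=alert(1)>';
const SQLI_PAYLOAD = "' OR '1'='1";

console.log(renderCommentUnsafe(XSS_PAYLOAD));           // tag survives, will execute
console.log(renderCommentSafe(XSS_PAYLOAD));             // &lt;img ...&gt;, inert text
console.log(loginQueryUnsafe(SQLI_PAYLOAD, 'x'));        // ... name = '' OR '1'='1' AND pass = 'x'
console.log(injectionChangedQuery(SQLI_PAYLOAD, 'x'));   // true
console.log(injectionChangedQuery('alice', 'x'));        // false
console.log(loginQueryParameterized(SQLI_PAYLOAD, 'x')); // payload stays inside params
```

The shape comparison is a diagnostic, not a defense: it only shows, after the fact, that the concatenated query no longer has the structure the developer wrote. The defense is the parameterized form, where no value can reach the SQL parser.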
Cross-site scripting detection methods are mainly categorized into static and dynamic analysis.
Static analysis is further divided into four types: bounds checking, software-testing approaches,
taint-propagation approaches and untrusted-script detection. Dynamic analysis is divided into
browser-enforced embedded policies, syntactical proxy-based approaches and interpreter-based
approaches.
Landsmann and Stromberg (2003) survey prevention techniques against SQL injection attacks.
Huang et al. (2005) apply software-testing methods, namely fault injection and runtime monitoring,
to web applications; their method is implemented in WAVES (Web Application Vulnerability and Error
Scanner), a black-box testing framework for automated web application security assessment, and
they detail XSS attacks and mitigation methods. Morgan (2006) also reports SQL injection attacks
and their preventive measures. Mack et al. (2019) explore XSS attacks and ways of detecting them.
Marashdih et al. (2019) propose a static analysis method for detecting XSS vulnerabilities in PHP
source code; its limitation is that it is not feasible for large applications.
Oliveira et al. (2020) propose an approach for benchmarking the security of web service frameworks.
The approach rests on two factors, security qualification and trustworthiness assessment. In the
first phase the framework is checked for vulnerabilities, and in the second phase the qualified
framework is examined to verify its potentially insecure facets. Because the approach focuses on
benchmarking an evaluation framework, it does not report any novel method for securing web
applications. Rodríguez et al. (2020) systematize several methods and tools for mitigating XSS
attacks.
The security framework of a web application with the obfuscation method is shown in the figure
below.
Figure: Data (SQL data / web data, layout) -> Obfuscation -> Obfuscated data / layout ->
DeObfuscation -> Data (SQL data / web data, layout).
Result:
In the first step, the SQL query is executed in the Paiza online editor (paiza.io, 2014). Figure 1a
shows the SQL queries executed in Paiza, an online editor that runs SQL queries and also compiles
and runs code in several other languages, such as C and Python.
Figure 1a.
In the second step, the original SQL queries are obfuscated with the online JavaScript Obfuscator
tool (javascriptobfuscator.com, 2003), which accepts JavaScript and .txt files. The same tool can
also minify its output, which reduces file size and bandwidth consumption and so speeds up loading;
obfuscation does not change the program's algorithmic time complexity. Figure 1b depicts the
obfuscated code generated by the online JavaScript Obfuscator from the SQL query of Figure 1a.
Figure 1b.
The output of the second step is the input of the third. In this step the obfuscated code obtained
from the obfuscation process is deobfuscated and executed, as shown in the second part of
Figure 1c.
Figure 1c.
The proposed model uses obfuscation to implement web application security, whereas existing
approaches rely on static and dynamic analysis. The main aim of the proposed approach is to make
the web application harder for an adversary to read, so that the adversary cannot extract
information from it for their own purposes. One caveat matters for practitioners: obfuscation
raises the cost of reverse-engineering the code, but it does not change what the code does with
untrusted input. An obfuscated query that still concatenates user input is as injectable as the
original, so obfuscation complements, rather than replaces, parameterized queries and output
encoding.
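The three-step procedure of the Result section (readable query, obfuscation, deobfuscation by execution) as an added example for this review. It is not the paper's code and not the online JavaScript Obfuscator itself; it is a minimal obfuscator in the same spirit, renaming identifiers and hex-escaping string literals, applied to a constructed query builder like the one in Figure 1a. The rename table and the inputs are assumptions of the example. It shows the two properties the paper relies on, hidden source text and unchanged behaviour, and the caveat stated above: the injected query comes out of the obfuscated code exactly as it does from the original.

```javascript
// Added example for this review, not the paper's code and not the online
// JavaScript Obfuscator: a minimal obfuscator in the same spirit (identifier
// renaming plus hex-escaped string literals) applied to a constructed query
// builder, then "deobfuscated" by loading and running it.

// Step 1 input: readable source that builds a SQL query from user input.
const ORIGINAL_SOURCE = `
function buildLogin(user) {
  var query = "SELECT * FROM users WHERE name = '" + user + "'";
  return query;
}`;

// Hex-escape every character of an ASCII string literal, as literal
// obfuscators do, so the SQL text no longer appears in the source.
function obfuscateLiteral(text) {
  const escaped = [...text]
    .map((ch) => '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0'))
    .join('');
  return '"' + escaped + '"';
}

// Step 2: rename identifiers to meaningless names and hide the literals.
// The rename table is an assumption of this example; the real tool generates
// its own names.
const RENAMES = { buildLogin: '_0x1a2b', user: '_0x3c4d', query: '_0x5e6f' };

function obfuscateSource(src) {
  let out = src;
  for (const [name, alias] of Object.entries(RENAMES)) {
    out = out.replace(new RegExp('\\b' + name + '\\b', 'g'), alias);
  }
  return out.replace(/"([^"]*)"/g, (_, literal) => obfuscateLiteral(literal));
}

// Step 3: "deobfuscation" here is the JavaScript engine parsing the
// obfuscated source and running it; the result must equal the original's.
function loadFunction(src, name) {
  return new Function(src + '\nreturn ' + name + ';')();
}

// Run both versions on the same input and report what obfuscation changed.
function compareObfuscation(input) {
  const obfuscated = obfuscateSource(ORIGINAL_SOURCE);
  const original = loadFunction(ORIGINAL_SOURCE, 'buildLogin');
  const hidden = loadFunction(obfuscated, RENAMES.buildLogin);
  return {
    obfuscatedSource: obfuscated,
    sqlVisibleInSource: obfuscated.includes('SELECT'),     // false: text is hidden
    originalQuery: original(input),
    obfuscatedQuery: hidden(input),
    behaviourPreserved: original(input) === hidden(input), // true, by design
  };
}

// Constructed inputs: a benign user name and the classic injection payload.
const benign = compareObfuscation('alice');
const injected = compareObfuscation("' OR '1'='1");
console.log(benign.obfuscatedSource);   // function _0x1a2b(_0x3c4d) { var _0x5e6f = "\x53\x45..." ...
console.log(benign.behaviourPreserved); // true
console.log(injected.obfuscatedQuery);  // SELECT * FROM users WHERE name = '' OR '1'='1'
```

Reading the obfuscated source no longer reveals the table name or the query, which is the protection the paper describes. The last line of output is the point of the caveat: `behaviourPreserved` is true for the injection payload as well, so whatever the database would have done with the original query it will do with the obfuscated one.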
Conclusion:
Web security is of growing concern because web applications hold very sensitive data that hackers
and other unauthorized users could use illegally or damage. In the proposed method of defense,
obfuscation is used to secure web applications against cross-site scripting attacks. Obfuscation
is a defensive technique in which the original program code is transformed and hidden by rewriting
it into a complicated form that is equivalent to the original, without changing the program's
functionality; the code is then deobfuscated to be executed. Obfuscation thus makes the program code
harder to understand. The purpose of the method is to protect the data during transmission and
processing against XSS and SQL injection attacks. Because obfuscation hides the code rather than
validating its input, it should be combined with the input validation, output encoding and
parameterized-query techniques covered in the literature reviewed above, and transport protection
itself comes from HTTPS rather than from obfuscation.
References
1. Li, Y. F., Das, P. K., & Dowe, D. L. (2014). Two decades of Web application testing—A survey of recent
advances. Information Systems, 43, 20-54.
2. Li, X., & Xue, Y. (2011). A survey on web application security. Nashville, TN USA, 25(5), 1-14.
3. Kumar, S., Mahajan, R., Kumar, N., & Khatri, S. K. (2017, September). A study on web application security
and detecting security vulnerabilities. In 2017 6th International Conference on Reliability, Infocom
Technologies and Optimization (Trends and Future Directions) (ICRITO) (pp. 451-455). IEEE.
4. Cisco (2018). Annual Cybersecurity Report, pp. 8, 19.
5. Landsmann, U. B. A., & Stromberg, D. (2003). Web application security: A survey of prevention techniques
against sql injection. Stockholm University.
6. Huang, Y. W., Tsai, C. H., Lin, T. P., Huang, S. K., Lee, D. T., & Kuo, S. Y. (2005). A testing framework for
Web application security assessment. Computer Networks, 48(5), 739-761.
7. Morgan, D. (2006). Web application security–SQL injection attacks. Network security, 2006(4), 4-5.
8. Mack, J., Hu, Y. H. F., & Hoppa, M. A. (2019). A Study of Existing Cross-Site Scripting Detection and
Prevention Techniques Using XAMPP and Virtual Box. Virginia Journal of Science, 70(3), 1.
9. Marashdih, A. W., Zaaba, Z. F., Suwais, K., & Mohd, N. A. (2019). Web Application Security: An
Investigation on Static Analysis with other Algorithms to Detect Cross Site Scripting. Procedia Computer
Science, 161, 1173-1181.
10. Oliveira, R. A., Raga, M. M., Laranjeiro, N., & Vieira, M. (2020). An approach for benchmarking the security
of web service frameworks. Future Generation Computer Systems, 110, 833-848.
11. Rodríguez, G. E., Torres, J. G., Flores, P., & Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and
mitigation: A survey. Computer Networks, 166, 106960.
12. Anckaert, B., Madou, M., De Sutter, B., De Bus, B., De Bosschere, K., & Preneel, B. (2007, October).
Program obfuscation: a quantitative approach. In Proceedings of the 2007 ACM workshop on Quality of
protection (pp. 15-20).
13. Hosseinzadeh, S., Rauti, S., Laurén, S., Mäkelä, J. M., Holvitie, J., Hyrynsalmi, S., & Leppänen, V. (2018).
Diversification and obfuscation techniques for software security: A systematic literature review.
Information and Software Technology, 104, 72-93.
14. Paiza (2014). Retrieved from https://paiza.io/en/projects/new
15. JavaScript Obfuscator (2003). Retrieved from https://javascriptobfuscator.com/
16. Nagra, J., & Collberg, C. (2009). Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing
for Software Protection. Pearson Education.