Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)

IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

Secure Web development using OWASP Guidelines

Shubham Kumar Lala Akshat Kumar Dr. Subbulakshmi T.
III Year CSE, School of Computer III Year CSE, School of Computer Professor, School of Computer Science
Science and Engineering, VIT Science and Engineering, VIT and Engineering, VIT University
University Chennai, Tamil Nadu, India University Chennai, Tamil Nadu, India Chennai, Tamil Nadu, India
shubhamkumarlala.skl@gmail.com akshatkumar.dev@gmail.com research.subbulakshmi@gmail.com

Abstract— Website security is a major concern for large

organizations as well as individual developers, the rarer the A. The Frontend:
technology used the harder it becomes to come up with secure
practices for developing a website. Vulnerabilities that are not The front end is used to display the main content of
fixed during development, and are deployed as such become the webpage, it is usually the only thing that the client
easy targets for hackers. This could cause the company or the sees once the site is v isited. If the website is static then
2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS) | 978-1-6654-1272-8/21/$31.00 ©2021 IEEE | DOI: 10.1109/ICICCS51141.2021.9432179

individual to lose a lot of money. It is not just the developers only the front end is required.
who are affected, end users who end up on vulnerable websites
may get exposed to XSS attack which could compromise their
HTM L is used to form the layout of the whole
system or an unsecured configuration of database system could
page, CSS is used to give styling to the page, and
lead to a potential data leak and hence the password of every JavaScript is used to give logic to the page. Websites
registered user on the website is compromised, users who use having only the frontend are prone to Cross-Site
the same password on multiple websites are affected the most. Scripting (XSS) injection attacks.
The motivation for this paper comes from the fact that there is Advanced technologies like Angular and ReactJS
an overwhelming number of vulnerabilities in any application have a built-in mechanism to prevent XSS injection
under development and every developer, experienced or not
needs a starting point to patch these vulnerabilities that might
however while building a website using the primit ive
have occurred in their application, this research provides the
technologies various steps have to be taken care of to
most common vulnerabilities which should be taken care of in successfully prevent XSS injection.
any application and thus provide the much-needed starting B. The Backend:
point for developers. The objective of this paper is to design
and develop a secure web application according to Open Web Backend is required for dynamic website, it is
Application Security Project (OWAS P) guidelines. This paper usually responsible for communicating with the
highlights the mitigation of vulnerabilities in the web database and providing data to the front end to display.
application using configuration changes, coding and applying
patches. The vulnerabilities SQL injection, Broken Any sensitive information is usually kept in the
authentication, Sensitive data exposure, Broken Access backend and never sent to the frontend because the
Control, and XML external entities discussed in this paper are client can see the frontend data however, it is
listed under the OWAS P top 10 vulnerabilities. The security of extremely hard to access the data at the backend. The
the web application is tested and proved to have defense frontend languages can only run in the browser
mechanism implemented for the mentioned vulnerabilities. however the backend languages can be used to
communicate with the system they are compiled on.
Keywords—Vulnerabilities, OWAS P, SQL injection,
Session Management, Broken authentication, Password C. The Database:
Hashing, S ensitive data exposure, and S erver verification.
The database is the place to store any data which
I. INTRODUCTION has to be retained and should not be accessible by the
A Web application (Web app) is an application program client. There are mainly two types of database – SQL
that is stored on a remote server and delivered over the database and NoSQL database.
Internet through a browser interface. A web application
generally consists of three main parts – 1) SQL database:
These types of databases are used when the data to
 Front – End, be stored is structured and the structure is not expected
 Back – End and to change.
 Database. 2) NoSQL database:
There are many providers for the above three components. When the data has no structure and could vary
Some examples are – from user to user then a NoSQL database is used.

 Front – End - Angular, ReactJS, Vue.js, etc. II. OBJECTIVE

 Back – End - NodeJS, php, Laravel, etc. The main objective of this paper is to provide methods
 Database – MySQL, MongoDB, Cassandra, Redis, to build a secure web application using NodeJS. This paper
etc. focuses on the various vulnerabilities and the methods to
secure the web application from these vulnerabilities. This
For this paper, the front-end has been made using paper also provides the code that can be used to secure the
HTML with ejs, for back-end NodeJS has been used web application.
and for the database MySQL has been used. This paper also explains the levels of security that a
developer should maintain to ensure that the user data is

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 323

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

always protected. These levels are discussed first in this IV. RELATED WORKS
paper and then the methods to make the web application
As the technology becomes better and complex
secure follow.
with the increase in vulnerability for a cyber threat.
III. PROPOSED IDEA Different testing techniques help to find a loophole in the
security. Following a standard procedure and defined policy
The task at hand revolves around eliminating the
can reduce these loopholes. To mitigate the threats, it is
OWASP vulnerabilities for a self-tailored site that consists
of most of the vulnerabilities highlighted by OWASP has necessary to install security patches. [1] Patel. K in his paper
been used for testing. In the given figure (Fig. 1) of the includes a survey on the current vulnerabilities and the
proposed idea, the “OWASP Vu lnerabilities” colu mn detection of those vulnerabilities.
highlights the vulnerabilities that have been considered for
this paper. The “Vulnerability Location” column points out Network threats often come fro m mult iple sources
the features in the web application where there is a and affect a variety of domains. Collaborative sharing and
possibility of an attack and which should be implemented analysis of Cyber Threat In formation (CTI) can greatly
keeping in mind the possible attacks. The column improve the predict ion and prevention of cyber-attacks. [2]
“Vu lnerability Prevention” describes the steps that can be However, CTI data containing sensitive and confidential
taken for the elimination of the vulnerability fro m the web informat ion can cause privacy exposure and disclos ure of
application. security risks, which will deter organizations fro m sharing
The website is an MCQ test-taking website that their CTI data. Th is concern can be handled by creating API
generates a certificate of either participation or merit, based Gateway, wh ich provides a bridge between end-users and
upon the result of the test. The objective of this paper is to their data sources. Through this, users can select which data
use this website to show how to eliminate all the possible is sharable with privacy-preserving means.
vulnerabilities. SQL in jection attack is eliminated during
the login and registration by hashing the password and Cross-site scripting (XSS) refers to an
sanitizing the code. unintentional client-side code in jection attack. It makes use
of un-validated or un-encoded user input and returns the
Sensitive data exposure is prevented by not sending any
malicious output. [3] In type 1 XSS, malicious code or script
sensitive data to the client-side and using only the server to
verify the details as well as the answers. Also, the database is is embedded in a Web request. It is usually done through an
hashed using SHA256 with salt to provide maximu m email that encourages the user to click on a provided
security for the registered users. malicious link or a website with a malicious lin k. This can
be greatly avoided by not following the malicious links.
Broken Authentication is prevented by using sessions to This vulnerability is one of the most widespread security
store the login details of the currently active users. This problems for web applicat ions. Various approaches to
redirects the users to the home page if they access a domain defending against attacks that use XSS vulnerabilities are
they are not supposed to. Sessions also help to log-out a available today but no single approach solves all the
particular user successfully. Also, XM L External Entit ies
loopholes. [4] An efficient approach discussed by I. Yusof
can be prevented by using a JavaScipt Object Notation
and A. K. Pathan to prevent persistent XSS attacks is by
(JSON) Object in wh ich malicious codes could not be
applying the pattern filtering method.
passed.
Broken access control is prevented by password- XSS attack takes the user to a webpage designed to
protecting pages that are not supposed to be visited by the steal user’s sessions and cookies. Nearly 68 percent of
client. websites are vulnerable to XSS attacks. [5] G. Habib i and N.
Surantha suggest equipment of machine learning methods
namely Support Vector Machine (SVM ), K -Nearest
Neighbour (KNN), and Naïve Bayes. Machine learning
algorith m equipped with the n-gram method imp rove the
detection performance of XSS attacks.

SQL in jection could be easily imp lemented using

some set of special characters. The PHP framework
implemented a method of Magic Quotes that add s ‘\’ in
front of the special characters such as \,’ and ” which is
transformed to \\, \’ and \”. [6]

Penetration testing is an important part of any

application deployment. Penetration testing can help to
identify potential vulnerabilit ies and insight on how those
vulnerabilities could be mitigated. [7] A. Goutam and V.
Tiwari in their paper have come up with a framework to test
Fig. 1 – T he proposed idea. the vulnerability of a financial application.

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 324

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

SQL injection is a very basic yet extremely various ways to detect vulnerabilit ies on websites made with
powerful method of gaining access to any system. In ASP.NET.
applications where the user details are verified during the
login process are highly susceptible to this form of attack. When a new vulnerability is detected, it has to be
[8] P. N. Joshi, N. Ravishankar, M . B. Raju, and N. C. recorded in Co mmon Vu lnerabilities and Exposures (CVE)
Ravi developed a secure system for authentication access and it also has to be scored by Common Vulnerab ilities
and applied SQL injection attacks to check the security. Scoring System (CVSS), however, this takes a lot of time.
D. Iorga, D. Corlătescu, O. Grigorescu, C. Săndescu, M.
M. Dua and H. Singh [9] discuss the various Dascălu and R. Rughiniş [16] proposed the idea of using
attacks possible attacks on a website like SQL in jection and mach ine learn ing models to detect vulnerability in news
XSS attacks. Their idea uses a XAMPP server for client and website. Various models were trained and their
server communication. performances were recorded.

R. A. Katole, S. S. Sherekar and V. M. Thakare [10] There are various ways to detect XSS attacks, it
discuss the importance of SQL in jection attacks in modern- quickly beco mes a mammoth task to choose which would
day websites. They have also proposed an idea to detect work the best for the g iven website. M . Liu, B. Zhang, W.
SQL in jection attacks by removing the parameter values of Chen and X. Zhang [17] in their paper have analyzed
the SQL query. various XSS detection mechanis ms, classified them into 3
different categories, and performed a survey on their
Session management is an important area to performance.
consider while developing any web application. Sessions
that are not handled properly could lead to the leakage of A vulnerable website could indirectly affect the
informat ion. R. Lukanta, Y. Asnar and A. I. Kistijantoro end-users as well. A phishing website is created when a
[11] developed a tool to detect session vulnerability, this vulnerable website is scanned and its counterfeit website is
tool adds more features on top of currently existing tools hosted without the knowledge of the server owner. B.
like Nikto. Wardman, G. Shukla, and G. Warner [18] have discussed
the common vulnerabilities wh ich allow such phishing sites
Registering different users without checking the to show up, and also their idea info rms the owner if their
validity of every user could easily lead to a serious website has been compromised.
vulnerability that could later be used to perform a DOS
attack on the system. A good way of checking the valid ity of It’s not just the website that could host an
the emails and the user is through the Time-Based One- enormous number of vulnerabilities, some technology used
Time Password proposed by H. Seta, T. Wati, and I. C. inside the website could also be the cause for a breach. For
Kusuma [12]. Th is way a token will be generated which example, a website using a QR code to send documents. The
could validate the user and hence prevent DOS attacks on a website may not be vulnerable however QR code in itself
smaller scale. The authors decided to use hashing for an has several vulnerabilit ies which might not be known to the
extra layer of security. This paper however uses session developer. A. Averin and N. Zyulyarkina [19] d iscuss the
management to keep the OTP confidential. Therefore, there threats in using QR codes in blockchain applications.
is no need to apply hash on an OTP which could potentially
slow down the process. F. Yu and Y. Tung [20] have developed an online
service where developers could detect view and patch the
Just the knowledge of different vulnerab ilities and various vulnerabilit ies on their websites. It is done using
the ways to mitigate them does not ensure that one could static string analysis.
develop a secure system. A. Anis, M. Zulkern ine, S. Iqbal,
C. Liem and, C. Chambers [13] in their paper d iscuss the J. Zhao and R. Gong [21] and H. A L-A mro and E. El-
various secure coding practices which could help developers Qawas meh [22] have discussed SQL injection, Cross-Site
develop secure code on the client-side. The approach is built Script ing session hijacking, and other vulnerabilities in PHP
on JavaScript which is the language used by the majority of and ASP.NET respectively. They have shown the ways to
web applications. fix the vulnerab ility but not the consequences of not fixing
the vulnerability.
K. Vijayalakshmi and A. A. Leema [14] point out
that most of the XSS prevention mechanism use simp le
filtering that cleans the malicious code, however, this V. LEVELS OF USER AUTHENTICATION AND
filtering process does not work for some cases and hence SECURING USER DATA
they have proposed an approach in their paper which takes A. Level - 1
care of few of the edge cases where simple XSS might fail.
Usage of username and password to login to a specific
user’s portal. This is ess e ntial so th at no othe r us er c an
Different technologies used for developing web intrude on the privacy of any other user by accessing their
applications might have different types of vulnerabilities profile.
that should be taken care of. Therefo re, the implementation
of detection and prevention mechanisms vary fro m language
to language. H. A L-A mro and E. El-Qawas meh [15] discuss

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 325

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

B. Level – 2 4) External XML Entities –

Authenticating the user by sending a mail with a One- XML is used to transfer data between client and
Time-Password (OTP) to their email ID and verify ing the the server. For example, the questions are sent in XM L
OTP at the time of registration. This will validate that the format to display to the users. For easy management of
user is a valid one. XML data fro m the client-side vulnerable XM L
parsers are used as external libraries on the server-
C. Level – 3 side. This causes the system to become insecure.
The user’s password should be hashed using hashing
5) Broken Authentication –
algorithms such as SHA-256. This ensures that in the case of If the user logs out i.e., clicks the “Log Out”
a data breach the user data is safe from the attacker, it is safe button, the user should be taken to the root page of the
because decryption of a string hashed with SHA 256 using a website and under no circumstances the user should be
computer takes approximately 4 trillion years. able to view the contents of his profile without logging
D. Level – 4 in.
To ensure that the user's password is safe the password The website did take the user to the root page i.e.,
can be salted (salting adds some extra string to the user’s the login page of this website, but once the back
password and then hashes it). This results in an even longer button was pressed, the user could easily get back to
string and will take an even longer time to decrypt. his profile and view the contents as if they were
logged in.
E. Level – 5
B. Secure Web Application (Prevention) –
Enabling Two-Factor Authentication. Letting the user
set up the number and verify it. This allows the user to log - After the init ial tests, the web application was made
in only if they provide the correct OTP sent to their mobile secure using the steps that follow this section but the results
number at the time of login. that were brought out are as follows –

VI. ARCHITECTURE 1) SQL Injection –

The web application no longer processed any type
A. Insecure Web Application (Environment and Detection) -
of SQL commands and just pointed out that the
The initial environ ment for the research was taken to be credentials were wrong.
an insecure web application having no layer of security.
This app was tested for OWASP vulnerabilities. Following 2) Brute Force Login Attack –
are the conclusions drawn from the testing – Providing an additional Co mpletely Automated
Public Turing test to tell Co mputers and Humans
1) SQL Injection – Apart (CAPTCHA) field increased the number of
On entering the SQL co mmands to drop the user’s permutations one must need to have, also this
table in the login form, the table was dropped from the CAPTCHA code refreshes on a new login attempt, so
database. This occurred because the form was not able there is less probability that the attacking tool could
to process whether this was a normal insertion in the guess the correct credentials.
table or a command to do some manipulation.
This method did solve the problem for the Brute
2) Brute Force Login Attack – Force Login Attack for the web application.
A vulnerability testing tool such as Burp-Suit can
implement mu ltiple login attempts by using techniques 3) Password Sniffing –
such as permutation to predict the correct login The passwords were encrypted using Data
credentials. The tool checks for the “route” to which Encryption Standard (DES) hashing algorithm. In this
the individual credentials lead to. case even if one gets successful at extracting the
encrypted passwords from the database, it would take
The credentials leading to pages such as “Home”, years for them to decrypt one password.
etc. are the correct login credentials and could be used
to access the personal information of the user. On The encryption was successfully done for the
implementing this, the tool did give the credentials passwords for the considered web application and the
that were leading to the “Home” route. login was also successful after the encryption.

Also, a higher value was given for those 4) External XML Entities –
credentials whose password might be right. All XM L transfers between the client and the
server are removed and replaced with JSON transfer.
3) Password Sniffing – All the XM L parser dependencies from the server file
A password that is not encrypted before storing has code have been removed. Changed the HTTP request
a high chance of getting sniffed and used by hackers. header to JSON type. (Content-type/JSON).
The hackers can use SQL injection methods to read
the passwords of users. For backend languages that require additional
libraries to process Json their dependencies should be
The website did not store the passwords in the added. Changed the client side code to receive and
encrypted format in the databas e and could be easily send JSON objects. JavaScript has a built-in JSON
used by the hackers to extract sensitive information parser.
related to the users.
5) Broken Authentication –

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 326

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

This issue was tackled by implementing sessions prevention technique was successfully implemented
in the web application. As soon as a user clicks the for the web application.
“Log Out” button the session corresponding to that
individual user is destroyed. So in this scenario, unless VII. METHODS TO SECURE THE WEB APPLICATION
the session is started for the user using the correct A. Architecture Diagram –
credentials the user cannot return to their profile. This

Fig. 2 – T he steps that are followed to develop a secure web application.

1) Environment –
The “Environment” in the above architecture diagram shows the insecure web application.
2) Detection –
The “Detection” column shows the hints and errors one can check to ensure if the website is vulnerable to attacks.

3) Prevention –
The “Prevention” column shows the steps one can follow to make the web application secure.

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 327

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

VIII. IMPLEMENTATION res.redirect("/home");

}
A. SQL Injection –
}
Using SQL injection attacker can gain access to });
the entire database using reverse shell connection. It is
an extremely dangerous attack that should be taken If this statement is used then the queries that are
care of in any web application.
entered in the login forms will be placed in the '?' as it is.
This format of insertion may lead to some serious issues
The attacker sends a malformed query in the like dropping of table etc.
input text, the query is formed such that the query
results to true even if the password or username is ii. Corrected Code-
wrong. This way the attacker gets access to the
sql.query("select * from users where
database.[1][3]
rollno=?",[rollno],function(err,result){
The major reason why it occurs is that the input if(err) { console.log(err); }
fro m the user is not parsed before using the input in else {
the search query.[7] if(result.length != 0)
To avoid SQL injection 2 things can be done in {
NodeJs – if(x == result[0].password)
{
1) Instead of appending the queries with the query req.session.userId = rollno;
string, use a binding function to bind it to the string.[8] res.redirect("/home");
2) Always turn off mult iple SQL statements in the SQL }
connection, this way the attacker cannot use the }
mu ltip le statements to evaluate an expression to true. }
The attacker can gain root access using SQL injection }
vulnerability. B. Broken Authentication –
 Example –
It usually occurs when the users can brute force
a. Multiple Statements – and find the password, or when the user can go back
to the login page after logging in.
i. Malformed Code –
var mysql = require("mysql"); Using this the attacker can access the data of
var connection = mysql.createConnection({ another user. Or in shared computers when a person
host:"localhost",user: "root", password: "root", logs out and still another person using the same PC
database: "vlab_check", multipleStatements: true can access the account of the other person due to poor
}); session management. Usually, intruder attacks like
module.exports = connection; Battering Ram and cluster bomb attacks are used to
exploit broken authentication.
If this statement is used, then the attacker will be Avoiding broken authentication –
able to send queries through the forms which will be
processed by the backend. 1) To prevent a brute force attack on the log-
in page, the easiest and safest method is to use
ii. Corrected Code – CAPTCHA. Since CAPTCHA cannot be filled by
var mysql = require("mysql");
the automation tool, user intervention is required
var connection = mysql.createConnection({ host:
and the automation of attack cannot be done.
"host",
user: "username", password:
2) To prevent automation tools from finding
"password", database:
other passwords once a password has already
"database_name",
been found, use sessions and cookies to avoid
multipleStatements: false
}); going back to the login page again after log in has
module.exports = connection; been done and the user did not log-out. This way
the user has to manually run the attack every t ime
b. Binding the query- a password has been found.[9]

i. Malformed Code – Since HTTP requests are stateless, session

sql.query("select * from users where management is important to identify different users
and also to identify which user has logged out and a
rollno=’"+rollno+"’ and
password should be entered if the user logs in again.
passw ord =’"+p assw o rd+" ’",fu nction( err ,result){
if(err) { console.log(err); } else {
The following code snippet is a middle-ware that
if(result.length != 0)
is, it is run after the request from the user and before
{
the response from the server, hence it becomes the
req.session.userId = rollno; perfect place to check for a session. If the user has

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 328

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

logged in then the user id of the session should be set, i. Malformed Code –
therefore if the user tries to access the route without var rollno = req.body.regno.toUpperCase();
logging in with an undefined user id, this middleware var password = req.body.password;
will redirect the user to the login page.
Password is stored in the database the way user
Similarly, if the user is giving a test and goes
types without any encryption.
back to the log-in page due to an internet issue,
then after logging in the user is redirected to the iii. Corrected Code –
test from where he left. var crypto = require("crypto-js");
password = crypto.SHA256(password).toString();
 Example –
Cookies and Sessions –
var middleware = function(){ Password is changed to the updated encrypted
// In the login page password and store in the database. Password is the
return function(req,res,next){ input gotten from the user.
if(req.session.userId === undefined){
D. Server Verification –
// checks if user has already logged in
next(); To client –
} Test of subject, question index, Nu mber o f
else if(req.session.test){ questions, the question with 4 options, the button status (
// checks if the user is giving test flagged, answered, unvisited), the time.
res.redirect("/test/review/" As it can be seen the answer is not sent to the
+req.session.subject); client, only the question and option.
}
else{ res.redirect("/home") }  Example –
} res.render("test.ejs",{subject: currentUser.subject,
} questionIndex:
currentUser.questionIndex,nu mOfQuestions:
C. Sensitive Data Exposure – NUM_OF_QUESTIONS,
This attack varies fro m application to application question: currentUser.questionMatrix
as well as from person to person. It depends upon the [currentUser.questionIndex],
application and the person to classify a piece of buttonStatus: currentUser.buttonStatus,
information as sensitive. timeValue: currentUser.time});

This vulnerability is extremely important to fix in

high-profile web pages like banking sites. If the E. XML External Entities –
account details of one person are exposed to the This vulnerability is mainly due to the data
attacker this could be a huge problem for both the exchange using XML. XM L Exte rnal Entities is the
bank and the victim. vulnerability that is caused when a malicious XML
script that contains a reference to an external entity
Sensitive data exposure could be done without is parsed by the web application and runs the
on eˆ’ s kno wl ed g e, as d ata th at do es not seem as malformed code that is inside that script. XML is
sensitive to a person may be seen sensitive in the eyes used as a data object for sending data through API
of the other person. calls. If malicious data is sent via the API call an
attack can be easily executed and this attack may
Ways to handle sensitive data – result in denial of service, disclosure of confidential
data, server-side request forgery, port scanning, etc.
1) Always use the server to handle sensitive
A simple approach to eliminate this vulnerability is
data. Like in our case the answers to the questions to change the data object that is used to send the
are never sent to the client-side and all the data via the API calls. The web application being
verification is always done at the server-side, this discussed uses JavaScript Object Notation (JSON)
is because the data on the client-side can easily be object for transferring data via the API calls. This
viewed by the client, this is not the case with data object eliminates the possibility of an XML
server-side code. External Entit ies attack. This attack occurs when
XML input containing a reference to an external
2) Data related to passwords must always be entity is processed by a weakly configured XML
hashed and stored, this is because in the future if parser.[4][6]
there is any breach the passwords of the users are
safe as it can be extremely d ifficu lt and time - This is perhaps the easiest vulnerability to fix. Just
consuming to crack encryptions like SHA256 use JSON (JavaScript Object Notation) to pass the
data between client and server, in single-page
with salt.
applications using REST Application Programming
Interface (API).
 Example –
Hashing –

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 329

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

Most the major backend services now provide Select * fro m user_table where username = ‘1'or'1'='1’ and
native support for JSON data transfer. password = ‘1'or'1'='1’
 Example – ‘1’ = ‘1’ is always true and hence the whole query valid.
Therefore, all the details present in the database are listed.
res.render("home.ejs",{isLoggedIn: isLoggedIn});
Rendering the home page, with login informat ion
sent as a JSON object to the ejs viewer.
In this examp le, isLoggedIn on the left side is the
key and isLoggedIn variable on the right is the value.
It is a co mmon convention to name both the key-value
pairs as the same variable name while sending data to
ejs.
Fig. 5 – Execution of malicious SQL query

IX. RESULTS Hence the attacker can gain entry into the site without being
a legitimate user.
A. SQL –
However, when the security measures are applied in the
NodeJS is a relatively new backend language therefore code such as binding the query instead of writ ing the
automated vulnerability scanners don’t work well with most variable names appended with quotation marks the resulting
of the NodeJS applications. Manual testing of vulnerabilities query becomes:
is one of the ways to validate the security of the application. Select * fro m user_table where username = 1'or'1'='1 and
password = 1'or'1'='1
When this statement is entered as a query the result is an
error therefore the attacker does not gain access to the site.

Fig. 3 – Users in the database

Fig. 6 – Handling malicious query

Therefore, SQL in jection is handled correctly by binding

query.

B. Broken Authentication –
HTTP is a stateless protocol, that is there is no connection
between the current request and previous request, all of the
requests are anonymous. Therefore, to identify different
users the developers usually store temporary data in the
session storage of the browser. Session storage is deleted
once the browser is closed or after the time limit for the data
is elapsed.

In practice a misconfigured session management could

result in the fo llowing scenario, A user logs into the site,
then logs out and does not close the browser, another user
Fig. 4 – Standard SQL injection could just press the back button on the browser and the
previous user’s page is shown to the attacker, this happens
1'or'1'='1, is a standard SQL injection statement. because once the previous user logs out the session is not
The SQL query to retrieve a user based on username and destroyed, and once the back button is pressed the session is
password is restored.
Select * fro m user_table where username = ‘username’ and
password = ‘password’
The underlined variables are replaced by the text user types,
in the case of SQL in jection, both username and password
are: 1'or'1'='1.
Therefore, the statement now becomes,

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 330

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

vulnerabilities using PHP for instance [21] provides the

vulnerability patch details of SQL in jection, Cross -Site
Script ing and various other vulnerabilit ies using PHP. [22]
provides the patch details in ASP.NET applicat ions.
However, not many papers provide the details in NodeJS.
Therefore, the novelty of the research work lies in the
implementation of security features using NodeJS.

XI. CONCLUSION
The purpose of this research was to find all the weak
points in a web application corresponding to the OWASP
guidelines. Based on the analysis, it can be concluded that a
simp le web applicat ion with no security is highly prone to
attacks and can be easily taken down. Basic SQL queries fo r
deleting the database will be executed with no checks in a
simp le web application, and this alone is enough to bring
down the web application. After the implementation of the
Fig. 7 – Misconfigured session
security guidelines provided by OWASP, the web
It can be seen in the logs that the user logged in, then application taken for consideration showed no negative
logged out, however upon pressing the back button the user results for the attacks that were performed on the web
is once again inside the website and it does not show up in application earlier. The attacks such as SQL in jection, XSS
the logs because browsers cache the previously visited pages did not do any negative effect on the application. The
for faster retrieval o f visited pages. However, this poses a limitat ion of this research is that it is implemented for the
security threat as can be seen in this example. The way to web application that had backend as NodeJs. Other backend
patch this is to tell the browser to load the backend script o f service providers such as php, Java, etc. may not be able to
the page again and not display the page from the cache. deal with the imp lementation idea provided in th is research
paper. Another limitation of this research paper was that the
testing of the mentioned vulnerabilities was performed with
some specific tools and with certain levels of testing. The
web application may behave differently if the levels of the
testing are changed.

REFERENCES
[1] K. Patel, "A Survey on Vulnerability Assessment & Penetration
Testing for Secure Communication," 2019 3rd International
Conference on Trends in Electronics and Informatics (ICOEI),
T irunelveli, India, 2019.
[2] W. Fan et al., "Enabling Privacy-Preserving Sharing of Cyber Threat
Information in the Cloud," 2019 6th IEEE International Conference
on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE
International Conference on Edge Computing and Scalable Cloud
(EdgeCom), Paris, France, 2019.
[3] S. N. Bukhari, M. Ahmad Dar and U. Iqbal, "Reducing attack surface
corresponding to Type 1 cross-site scripting attacks using secure
development life cycle practices," 2018 Fourth International
Conference on Advances in Electrical, Electronics, Information,
Communication and Bio-Informatics (AEEICB), Chennai, India,
Fig. 8 – Session configuration 2018.
[4] I. Yusof and A. K. Pathan, "Preventing persistent Cross-Site Scripting
After fixing the vulnerability it can be seen that when the (XSS) attack by applying pattern filtering approach," The 5th
back button is pressed the user is taken to the registration International Conference on Information and Communication
Technology for The Muslim World (ICT4M), Kuching, Malaysia,
page instead of the home page of the previous user. 2014.
[5] G. Habibi and N. Surantha, "XSS Attack Detection With Machine
Learning and n-Gram Methods," 2020 International Conference on
X. NOVELTY Information Management and Technology (ICIMTech), Bandung,
Th is is research is done using NodeJS as a backend Indonesia, 2020.
language. NodeJS uses JavaScript to handle the backend [6] J. Kim, "Injection Attack Detection Using the Removal of SQL Query
Attribute Values," 2011 International Conference on Information
process of the web applicat ion. It is a relatively new Science and Applications, Jeju, Korea (South), 2011.
technology that is gaining popularity very quickly however [7] A. Goutam and V. T iwari, "Vulnerability Assessment and Penetration
there aren’t many works that focus on the security aspect Testing to Enhance the Security of Web Application," 2019 4th
while using NodeJS. This paper introduces the common International Conference on Information Systems and Computer
Networks (ISCON), Mathura, India, 2019.
vulnerabilities in a language-independent form and the patch
[8] P. N. Joshi, N. Ravishankar, M. B. Raju and N. C. Ravi,
for those vulnerabilit ies using NodeJS. There are nu merous ”Contemplating Security of Http From SQL Injection and Cross
papers and articles which provide imp lementation detail of Script,” 2017 IEEE International Conference on Computational

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 331

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fifth International Conference on Intelligent Computing and Control Systems (ICICCS 2021)
IEEE Xplore Part Number: CFP21K74-ART; ISBN: 978-0-7381-1327-2

Intelligence and Computing Research (ICCIC), Coimbatore, India,

2017.
[9] M. Dua and H. Singh, ”Detection prevention of website
vulnerabilities: Current scenario and future trends,” 2017 2nd
International Conference on Communication and Electronics Systems
(ICCES), Coimbatore, India, 2017.
[10] R. A. Katole, S. S. Sherekar and V. M. Thakare, ”Detection of SQL
injection attacks by removing the parameter values of SQL query,”
2018 2nd International Conference on Inventive Systems and Control
(ICISC), Coimbatore, India, 2018.
[11] R. Lukanta, Y. Asnar and A. I. Kistijantoro, ”A vulnerability
scanning tool for session management vulnerabilities,” 2014
International Conference on Data and Software Engineering
(ICODSE), Bandung, Indonesia, 2014.
[12] H. Seta, T. Wati and I. C. Kusuma, ”Implement Time Based One
Time Password and Secure Hash Algorithm 1 for Security of Website
Login Authentication,” 2019 International Conference on Informatics,
Multimedia, Cyber and Information System (ICIMCIS), Jakarta,
Indonesia, 2019.
[13] A. Anis, M. Zulkernine, S. Iqbal, C. Liem and C. Chambers,
"Securing Web Applications with Secure Coding Practices and
Integrity Verification," 2018 IEEE 16th Intl Conf on Dependable,
Autonomic and Secure Computing, 16th Intl Conf on Pervasive
Intelligence and Computing, 4th Intl Conf on Big Data Intelligence
and Computing and Cyber Science and Technology
Congress(DASC/PiCom/DataCom/CyberSciT ech), Athens, Greece,
2018.
[14] K. Vijayalakshmi and A. A. Leema, "Extenuating web vulnerability
with a detection and protection mechanism for a secure web access,"
2017 Fourth International Conference on Signal Processing,
Communication and Networking (ICSCN), Chennai, India, 2017.
[15] H. AL-Amro and E. El-Qawasmeh, "Discovering security
vulnerabilities and leaks in ASP.NET websites," Proceedings Title:
2012 International Conference on Cyber Security, Cyber Warfare and
Digital Forensic (CyberSec), Kuala Lumpur, Malaysia, 2012.
[16] D. Iorga, D. Corlătescu, O. Grigorescu, C. Săndescu, M. Dascălu and
R. Rughiniş, "Early Detection of Vulnerabilities from News Websites
using Machine Learning Models," 2020 19th RoEduNet Conference:
Networking in Education and Research (RoEduNet), Bucharest,
Romania, 2020.
[17] M. Liu, B. Zhang, W. Chen and X. Zhang, "A Survey of Exploitation
and Detection Methods of XSS Vulnerabilities," in IEEE Access, vol.
7.
[18] B. Wardman, G. Shukla and G. Warner, "Identifying vulnerable
websites by analysis of common strings in phishing URLs," 2009
eCrime Researchers Summit, Tacoma, WA, USA, 2009.
[19] A. Averin and N. Zyulyarkina, "Malicious Qr-Code Threats and
Vulnerability of Blockchain," 2020 Global Smart Industry Conference
(GloSIC), Chelyabinsk, Russia, 2020.
[20] F. Yu and Y. T ung, "Patcher: An Online Service for Detecting,
Viewing and Patching Web Application Vulnerabilities," 2014 47th
Hawaii International Conference on System Sciences, Waikoloa, HI,
USA, 2014.
[21] J. Zhao and R. Gong, "A New Framework of Security Vulnerabilities
Detection in PHP Web Application," 2015 9th International
Conference on Innovative Mobile and Internet Services in Ubiquitous
Computing, Santa Catarina, Brazil, 2015.
[22] H. AL-Amro and E. El-Qawasmeh, "Discovering security
vulnerabilities and leaks in ASP.NET websites," Proceedings Title:
2012 International Conference on Cyber Security, Cyber Warfare and
Digital Forensic (CyberSec), Kuala Lumpur, Malaysia, 2012.

978-0-7381-1327-2/21/$31.00 ©2021 IEEE 332

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 30,2021 at 19:10:17 UTC from IEEE Xplore. Restrictions apply.