
An OWASP Top Ten Driven Survey on Web Application Protection Methods

  • Conference paper
Risks and Security of Internet and Systems (CRiSIS 2020)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12528)


Abstract

Web applications (WAs) are constantly evolving and deployed at broad scale, yet they are exposed to a wide variety of attacks. The biggest challenge facing organizations is how to build a WA that meets their requirements for sensitive data exchange, e-commerce, and secure workflows. This paper identifies the most critical web vulnerabilities according to the OWASP Top Ten, the attacks that exploit them, and the corresponding countermeasures. Applying these countermeasures is intended to protect WAs against the most severe known attacks and to prevent several classes of as-yet-unknown exploits.



Author information

Correspondence to Ouissem Ben Fredj.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Fredj, O.B., Cheikhrouhou, O., Krichen, M., Hamam, H., Derhab, A. (2021). An OWASP Top Ten Driven Survey on Web Application Protection Methods. In: Garcia-Alfaro, J., Leneutre, J., Cuppens, N., Yaich, R. (eds) Risks and Security of Internet and Systems. CRiSIS 2020. Lecture Notes in Computer Science, vol 12528. Springer, Cham. https://doi.org/10.1007/978-3-030-68887-5_14


  • DOI: https://doi.org/10.1007/978-3-030-68887-5_14


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-68886-8

  • Online ISBN: 978-3-030-68887-5

  • eBook Packages: Computer Science (R0)
