Remote Code Execution in Web Applications

 
 
 
  • Abstract
  • Keywords
  • References
  • PDF
  • Abstract


    Despite having dedicated applications for different operating system, web application is the most common interface accessed by all the devices. Web application security is an indispensible factor in today’s cyber world. Because of the robust resource available on Internet regarding web development, anyone today can develop a website even with zero coding skills. More than developing a perfect website, maintaining the security has become the prime goal today. Huge data breach in companies resulted due to a small security loophole in their website. Even a minor Cross Site Scripting (XSS) bug may lead to the whole server compromise depending upon the attacker who knows how to convert a simple bug into a disaster. Remote Code Execution (RCE) is one of the critical vulnerability that arises due to the unsafe handling of inputs by the server application. This vulnerability arises under various conditions that include but not limited to unsafe deserialization, XML External Entity attack, Server Side Request Forgery and Server Side Template Injection.

     

     


  • Keywords


    Web application, Scripting, Remote Code Execution, Deserialization.

  • References


      [1] Jagnere, P., "Vulnerabilities in social networking sites," Parallel Distributed and Grid Computing (PDGC), 2012 2nd IEEE International Conference on, pp.463, 468, 6-8 Dec. 2012.

      [2] Y. Zheng and X. Zhang, "Path sensitive static analysis of web applications for remote code execution vulnerability detection," 2013 35th International Conference on Software Engineering (ICSE), San Francisco, CA, 2013, pp. 652-661.doi: 10.1109/ICSE.2013.6606611

      [3] AnimeshDubey, Ravindra Gupta, Gajendra Singh Chandel,An Efficient Partition Technique to reduce the Attack Detection Timewith Web based Text and PDF files , International Journal of Advanced Computer Research (IJACR),Volume-3 Number-1 Issue-9March-2013.

      [4] Ying Dong, Yuqing Zhang, “Adaptively Detecting Malicious Queries in Web Attacks”.

      [5] Y. Zheng, X. Zhang, Path sensitive static analysis of web applicationsfor remote code execution vulnerability detection, in: International Conference on Software Engineering, 2013, pp.

      [6] 652–661.

      [7] Shanmughaneethi, V., R. Ravichandran, and S. Swamynathan. "PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications." International Journal on Web Service Computing 2.3, 2011.

      [8] Manish Sharma and Shivkumar Singh Tomar “Attack Detection and Security in Remote Code Execution” International Journal of Computer Applications (0975 – 8887) Volume 114 – No. 14, March 2015

      [9] J. Fonseca, M. Vieira, H. Madeira, Evaluation of web securitymechanisms using vulnerability & attack injection, Dependable& Secure Computing IEEE Transactions on 11 (5) (2014) 440–453.

      [10] R. E. L. de Jiménez, "Pentesting on web applications using ethical - hacking," 2016 IEEE 36th Central American and Panama Convention (CONCAPAN XXXVI), San Jose, 2016, pp. 1-6.doi: 10.1109/CONCAPAN.2016.7942364

      [11] Y. Makino and V. Klyuev, "Evaluation of web vulnerability scanners," 2015 IEEE 8th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), Warsaw, 2015, pp. 399-402. doi: 10.1109/IDAACS.2015.7340766

      [12] N. Qi and Z. Yang, "Research of Struts2 framework and web application based on Ajax," 2009 IEEE International Symposium on IT in Medicine & Education, Jinan, 2009, pp. 903-908.doi: 10.1109/ITIME.2009.5236203

      [13] E. Y. C. Wong, A. T. S. Chan and Hong Va Leong, "Xstream: a middleware for streaming XML contents over wireless environments," in IEEE Transactions on Software Engineering, vol. 30, no. 12, pp. 918-935, Dec. 2004. doi: 10.1109/TSE.2004.108

      [14] R. C. Seacord, "Java Deserialization Vulnerabilities and Mitigations," 2017 IEEE Cybersecurity Development (SecDev), Cambridge, MA, 2017, pp. 6-7. doi: 10.1109/SecDev.2017.13

      [15] R.Maheswari, S.Sheeba Rani, V.Gomathy and P.Sharmila,“Real Time Environment Simulation through Virtual Reality” in International Journal of Engineering and Technology(IJET) , Volume.7, No.7, pp 404-406, April 2018

      [16] D. Cappelli, A. Moore, R. Trzeciak, and T. J. Shimeall, “Common sense guide to prevention and detection of insider threats 3rd edition–version 3.1,” Published by CERT, Software Engineering Institute, Carnegie Mellon University, http://www. cert. org, 2009.

      [17] R. H. Anderson, “Research and development initiatives focused on preventing, detecting, and responding to insider misuse of critical defences information systems.” RAND CORP SANTA MONICA CA, Tech. Rep., 1999.

      [18] J. Hunker and C. W. Probst, “Insiders and insider threats-an overview of definitions and mitigation techniques.”JoWUA, vol. 2, no. 1, pp. 4–27, 2011.

      [19] Dipon Kumar Ghosh, Prithwika Banik , Dr. S. Balakrishnan (2018), Review-Guppy: A Decision-Making Engine for Ecommerce Products Based on Sentiments of Consumer Reviews”, International Journal of Pure and Applied Mathematics, Volume 119, No. 12, 2018, pp.1135-1141.

      [20] Venkatachalam K, S.Balakrishnan, R.Prabha, S.P.Premnath, Effective Feature Set Selection And Centroid Classifier Algorithm For Web Services Discovery”, International Journal of Pure and Applied Mathematics, Volume 119, No. 12, 2018, pp.1157-1172.

      [21] S. Balakrishnan, A. Jebaraj Rathnakumar and K. N. Sivabalan, “Information Security in D-Media (Digital Media)”, ARPN Journal of Engineering and Applied Sciences. May 2016, Vol. 11, No. 9, pp. 5707- 5710.


 

View

Download

Article ID: 22098
 
DOI: 10.14419/ijet.v7i4.19.22098




Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.