Title: XSS in JAX-RS
Authors: Ortiz Grimaldo, Jessica Alejandra
Sierra Mayorga, Julián David
Director(s): Velandia Vega, John Alexander, dir.
Keywords: CROSS-SITE SCRIPTING
REST
JAX-RS
VULNERABILITIES
WEAKNESS EXPLOITATION
HACKING
ATTACK
DYNAMIC ALGORITHM
SOFTWARE ENGINEERING
ALGORITHMS
PROGRAMMING LANGUAGES (ELECTRONIC COMPUTERS)
COMPUTER SECURITY
Issue Date: 2016
Citation: Ortiz Grimaldo, J. A. (2017). XSS in JAX-RS. Undergraduate thesis (Trabajo de Grado). Universidad Católica de Colombia. Facultad de Ingeniería. Programa de Ingeniería de Sistemas y Computación. Bogotá, Colombia
Abstract: Cross-site scripting (XSS) attacks are among the most common attacks used to obtain sensitive information from one or many users of RESTful services at the same time. Anyone could be a victim of one of these attacks and hand their own data to the attackers, who could use it for phishing, online theft or other illegal purposes. This and other reasons show that web service security, response to attacks, prevention measures and risk mitigation are relevant fields of study. They promote better development of RESTful services according to the needs of each service's environment.
Description: 125 p.
URI: http://hdl.handle.net/10983/14017
Appears in Collections: ACI. Pregrado Sistemas

This item is protected by original copyright.

This item is licensed under a Creative Commons License.