学位论文简介
Web application developers and security professionals frequently use security tools such as security scanners, vulnerability assessments, and penetration testing tools to find and repair vulnerabilities in modern web applications. However, because they frequently function by injecting code or modifying web pages, malicious actors can use these tools to perform phishing as a pretext for XSS attacks.
The research begins with an in-depth analysis of existing XSS and its associated attacks and phishing emails that used embedded links through security tools as a pretext. It then explores the strategies, methodologies, and effects these attacks have on online applications and their users. In addition, the research investigates the challenges and limitations of the most effective prevention techniques and practices currently available to protect against attacks of this nature. Based on an investigation, this research suggests a collection of best practices and preventive measures that can be taken to mitigate the number of XSS and phishing attacks that use security tools as a pretext.
This includes a set of suggestions that businesses, security professionals, and developers who design online applications should follow to secure their web applications from these attacks. Comprehensive testing and simulations are used in real-world web applications to evaluate the efficacy and feasibility of the suggested strategies for avoiding phishing and XSS attacks.
This thesis contributes significantly by performing a comparative analysis of software development vulnerabilities using a portion of the 150,000 worldwide datasets comprising the CVE and CWE security vulnerability databases. This was done to determine which security flaws were the most prevalent. Data collected include a CVE-ID, a CWE-ID, a description, a severity score (CVSS), and a list of CWE categories under which the vulnerability fits[1].
Furthermore, this study examined three of the most popular types of XSS attacks and provided examples of their devastating use in the real world. These examples demonstrate some of the best-kept secrets hackers may use to circumvent or violate application security standards on computer systems and web applications. BeEF and Metasploit are two of the most prominent solutions for system exploitation frameworks, according to the conclusions of this study. These frameworks were chosen from a number of tools.
This study used manual and automated methods to create JavaScript payloads for use in cyberattacks on a real-world DVWA project. The goal of this concept study was to conduct an experimental investigation. I test BeEF by directing the victim's browser to an application that establishes a reverse connection to the hacker's command and control server. This goal is effectively fulfilled for the selected target using Windows Internet Explorer in combination with the DVWA Web application.
This study created a phishing email with an embedded HTA program that uses a reverse connection to route victims to a server controlled by the hacker as a pretext for an XSS attack. The HTA software program link was placed in the phishing email to reroute users maliciously.
To avoid cross-site scripting attacks and phishing emails that employ XSS as a vector, the researchers presented several new strategies and tactics that had never been used before. According to studies, these strategies and approaches were the most effective.
The study's findings imply that future research should focus on the automatic identification and mitigation of XSS assaults using machine learning and artificial intelligence technology. In addition to strengthening the methodologies, tools, and approaches already accessible, it is vital to train developers on the most effective ways to minimize and restrict the incidence of such assaults. The development of an outstanding platform for locating human activities[2] in the modern era in order to detect and prevent web vulnerabilities is an area requiring further research.
主要学术成果
[1] S. J. Y. Weamie, “Cross-Site Scripting Attacks and Defensive Techniques : A Comprehensive Survey *,” Int. J. Commun. Netw. Syst. Sci., vol. 15, no. August 9, 2022, pp. 126–148, 2022, doi: 10.4236/ijcns.2022.158010.
[2] G. D. Kiazolu, S. Aslam, M. Z. Ullah, M. Han, S. J. Y. Weamie, and R. H. B. Miller, “Location-Independent Human Activity Recognition Using WiFi Signal BT - Signal and Information Processing, Networking and Computers,” 2023, pp. 1319–1329.
