
Enhance Web Application Security Using Obfuscation

Devendra Kumar (a), Dr. Anil Kumar (b), Dr. Laxman Singh (c)

(a) Research Scholar, AKTU, Lucknow, India; (b) Department of Computer Science, B.I.E.T, Jhansi, India; (c) Department of Electronics, NIET, Greater Noida, India

(a) kdevbali@gmail.com, (b) solankibiet13@gmail.com, (c) Laxman.mehlawat2@gmail.com

Article History: Received: 11 January 2021; Revised: 12 February 2021; Accepted: 27 March 2021; Published online: 23 May 2021

Abstract: Over the past two decades the World Wide Web has become a pervasive and transformative force in our lives, with web applications serving millions of web pages every day. Through successive phases of development, web applications have become asynchronous, interactive and dynamic. Their ubiquity, and our reliance on them, make it indispensable to ensure the safety, quality and correctness of web applications. In this paper the authors propose an obfuscation-based approach to securing web applications against SQL injection and cross-site scripting (XSS) attacks. The proposed approach can also be used to protect code against reverse engineering attacks.

Keywords: Web application, Obfuscation, SQL injection, Cross-Site Scripting (XSS)

1. Introduction

A web application is a program installed and executed on a remote web server, reached over the internet, that receives requests and returns responses over the HTTP protocol. Figure 1 presents the basic structure of a web application. Web applications can be categorized into two types, static and dynamic, as shown in figure 2. A static web application serves the same content regardless of user input, whereas a dynamic web application alters its content according to the user's input, interactions and sequences of interactions (Li et al., 2014). Web applications are built from various components and technologies, which are shown in figures 2 and 3. A web application usually consists of a back end, which runs on the server side, and a front end, which runs on the client side. The front end is implemented with HTML, CSS (cascading style sheets) and JavaScript, and the back end with PHP, Python, Java, Ruby and similar languages (Li et al., 2011). A number of technologies have evolved around web applications, such as the HTTP protocol for transmission (HTTPS where the transmission must be secured), the web browser and CGI, as shown in figure 2. Because web applications are commonly used to deliver services online, they are an attractive target for adversaries. Both the front end and the back end handle sensitive data (financial and confidential information), so a breach of this data would lead to enormous loss of data and to legal consequences. Many techniques have been developed for the protection of web applications; these are shown in figure 3.

Figure 1. General structure of Web Application

Web applications are one of the most common means of transmitting and delivering messages over the internet, so the security of web applications is a major research concern at present. In this paper, an obfuscation-based method is proposed for securing web applications against SQL injection and cross-site scripting attacks. These intrusions directly target web servers, application servers and web applications (Kumar et al., 2017).


This paper is organized into five sections. Section 1 introduces web applications, their components and technologies. Section 2 reviews related work on web application security. Section 3 presents the proposed approach. Section 4 discusses the results, and Section 5 concludes the manuscript.

Figure 2. Web Application’s types and components

Figure 3. Web Application's technologies

Contributions

The technical contributions of this manuscript are as follows:

1. A novel obfuscation-based approach for securing web applications is proposed.

2. The proposed approach uses dynamic obfuscation to secure web applications.

3. The proposed approach protects web applications from cross-site scripting attacks.

4. The obfuscation-based method protects web applications against SQL injection attacks.

2. Related Work

Web applications are used in many sectors, including health care, education, banking, business and manufacturing. One of the main concerns for a web application is to give the user a safe and trusted platform for communicating with it, so that the communication is secure. According to the Cisco Annual Cybersecurity Report, attacks that exploit vulnerabilities in web applications are frequent, and they are becoming more persistent, more varied and more sophisticated. Previous literature (Cisco Cyber Security, 2018; Mack et al., 2019; Huang et al., 2005) reports that 30-60% of all attacks are cross-site scripting (XSS) attacks, which makes XSS the most commonly used attack at present. An XSS attack occurs when malicious code, in the form of a script, is delivered to and executed by the browser on the victim's machine. In an SQL injection attack, the attacker injects their own code into a pre-existing query or into the back-end database. XSS (cross-site scripting) detection methods can be classified into two categories, static analysis and dynamic analysis. Static analysis is further divided into four types: bounds checking, software-testing approaches, taint-propagation approaches and untrusted-script approaches. Dynamic analysis is divided into browser-enforced embedded policies, syntactical proxy-based approaches and interpreter-based approaches.
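The two injection mechanisms described above, carried through in code as an added example (this is not code from the paper or from any of the works it cites). Each attack is shown as the vulnerable construction next to the conventional mitigation, parameterised queries for SQL injection and output encoding for XSS, which are standard defences and not the obfuscation method this paper proposes. The query shape, the HTML fragment and the attacker inputs are constructed for the example.

```javascript
// Added example, not from the paper: the SQL injection and XSS mechanisms
// described in the related work, each beside its conventional mitigation.
// Sample query, HTML fragment and attacker inputs are constructed here.

// --- SQL injection ---------------------------------------------------------
// Vulnerable: untrusted input is spliced into a pre-existing query, so input
// containing a quote can close the literal and change the query's structure.
function buildQueryUnsafe(username) {
  return `SELECT * FROM users WHERE name = '${username}'`;
}

// Mitigated: the query text is fixed and the value travels separately as a
// parameter, so the database never parses the input as SQL.
function buildQueryParameterised(username) {
  return { text: "SELECT * FROM users WHERE name = ?", params: [username] };
}

// Count the single-quoted string literals in a query: a benign name gives
// exactly one, while an input that breaks out of the literal gives more.
function countStringLiterals(sql) {
  return (sql.match(/'[^']*'/g) || []).length;
}

// --- Cross-site scripting --------------------------------------------------
// Vulnerable: user-controlled text is written straight into the HTML, so a
// <script> element in the input is executed by the victim's browser.
function renderUnsafe(displayName) {
  return `<p>Hello ${displayName}</p>`;
}

// Mitigated: encode the five characters that carry meaning in HTML text and
// attribute context before interpolating the value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(displayName) {
  return `<p>Hello ${escapeHtml(displayName)}</p>`;
}

// Constructed attacker inputs for the two cases.
const SQLI_INPUT = "' OR '1'='1";
const XSS_INPUT = "<script>alert(document.cookie)</script>";

function demo() {
  return {
    unsafeQuery: buildQueryUnsafe(SQLI_INPUT),
    unsafeLiterals: countStringLiterals(buildQueryUnsafe(SQLI_INPUT)),
    parameterised: buildQueryParameterised(SQLI_INPUT),
    unsafeHtml: renderUnsafe(XSS_INPUT),
    safeHtml: renderSafe(XSS_INPUT),
  };
}
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the concatenated query, in which the attacker's input has turned one string literal into three and appended an always-true condition, next to the parameterised form where the same input remains a plain value. In the XSS half, the encoded output keeps the `<script>` text visible on the page as text without the browser interpreting it as markup.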

Landsmann and Stromberg (2003) describe countermeasures against SQL injection attacks. Huang et al. (2005) applied software-testing methods, namely fault injection and runtime monitoring, to web applications and implemented them in the Web Application Vulnerability and Error Scanner (WAVES), a black-box testing framework for automated web application security assessment; the same authors detail XSS attacks and methods for mitigating them. Morgan (2006) reports on SQL injection attacks and their preventive measures. Mack et al. (2019) explore XSS attacks and ways of detecting them. Marashdih et al. (2019) propose a static analysis method for detecting XSS vulnerabilities in PHP source code; its limitation is that it is not feasible for large applications.

Oliveira et al. (2020) propose an approach for benchmarking the security of web service frameworks. The approach rests on two factors, security qualification and trustworthiness assessment. In the first phase the framework is checked for vulnerabilities, and in the second phase the qualified framework is examined for possibly insecure facets. Because the approach focuses on benchmarking, it does not report any new method for securing web applications. Rodríguez et al. (2020) systematize several methods and tools for mitigating XSS attacks.

The literature above shows that web application security is a prominent research area. Accordingly, this article proposes an obfuscation method for securing web applications against SQL injection and XSS attacks.

3. Proposed Obfuscation Approach for SQL Injection and Cross-Site Scripting Attack (XSS)

The web plays a significant role in our society. Society depends on the online services the web provides in education, marketing, business, entertainment and industry, so the web has a profound impact on our daily lives. Web applications hold different kinds of confidential data, such as online transaction and online shopping data, so the security of web applications is mandatory. The proposed approach is based on obfuscation, a protection method against reverse engineering (Anckaert et al., 2007) that makes code obscure to an adversary (Hosseinzadeh et al., 2018). The proposed security framework for web applications is shown in figure 4.

Figure 4. Proposed Security Framework for SQL Injection and XSS attack

Figure 4 shows the proposed security model, which is based on obfuscation. In the first step SQL data or web data is taken as input. In the second step the input data is obfuscated using data obfuscation and layout obfuscation. The third step consists of the obfuscated code, the outcome of the second step. In the fourth step data and layout deobfuscation are applied to the obfuscated code, so that in the fifth step the original data can be extracted.

The proposed approach consists of the following steps:

A. Take Inputs of SQL Queries or Web Data: the SQL queries or web data to be protected are supplied as input.

B. Obfuscate Original Data: in this step the original code is obfuscated using the JavaScript obfuscator tool (2003).

C. Obfuscated Code: the obfuscated code produced by step B.

D. Data and Layout Deobfuscation: in this step the obfuscated code is deobfuscated using the JavaScript obfuscator tool (2003).

E. Original Code: finally, the original code is obtained as the output of step D.

4. Result Discussion

Take Inputs of SQL Queries or Web Data:

In this step the SQL queries are entered into Paiza (2014), an open-source online editor used here for the implementation. Figure 5 shows the SQL queries executed on Paiza (2014). Paiza is a portable online compiler for several languages, such as C and Python, in addition to SQL.

Figure 5. An illustration of SQL Queries

Use Obfuscation (Data and Layout obfuscation):

In the second step the original SQL queries are obfuscated using the JavaScript obfuscator tool (2003), which accepts JavaScript and .txt files. When combined with minification, the tool can also reduce the file size, which lowers bandwidth consumption and download time. Figure 6 depicts the obfuscated code generated by the online JavaScript obfuscator tool (2003) from the SQL query of figure 5.

Dynamic Obfuscation:

Let O = (I, T, p) be a dynamic obfuscation system consisting of program-to-program transformations I and T, where p is the period of T.

Let P = ⟨f0, f1, ..., fn-1⟩ be a program comprising n components to be obfuscated. Then P0 = ⟨T, I(f0), I(f1), ..., I(fn-1)⟩ is the initial obfuscated version of P.

At runtime, for i ≥ 1, Pi = ⟨T, T^i(I(f0)), T^i(I(f1)), ..., T^i(I(fn-1))⟩ is the sequence of obfuscated configurations of P, where T^i(f) denotes i applications of T to f.


Figure 6. Example of obfuscated code

Obfuscated Code:

The outcome of the second step is the input of the third step. In this step the obfuscated code produced by the obfuscation is obtained, as shown in the second part of figure 6.

Employ Data and Layout Deobfuscation:

In this step, data and layout deobfuscation are applied to the obfuscated code, as shown in figure 7.

Figure 7. Deobfuscation of obfuscated data

Original Data: Finally, in this step the original code is retrieved, as shown in the first part of figure 7.
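The pipeline of Section 3 (data and layout obfuscation of SQL text, then deobfuscation back to the original) and the dynamic obfuscation system O = (I, T, p) defined above, carried through in working code as an added example. This is not the paper's implementation and not the JavaScript obfuscator tool it used: the token grammar, the XOR-with-key hex encoding used for data obfuscation, the `_vN` aliasing used for layout obfuscation, the three-key schedule (so p = 3) that makes T periodic, and the two sample queries are all assumptions made for this example.

```javascript
// Added example (not the paper's tool): reversible data + layout obfuscation
// of SQL text, and the dynamic obfuscation system O = (I, T, p) on top of it.
// Token grammar, encoding, alias scheme, key schedule and sample queries are
// assumptions made for this example.

const KEYWORDS = new Set(["SELECT", "FROM", "WHERE", "INSERT", "INTO", "VALUES",
  "AND", "OR", "UPDATE", "SET", "DELETE", "NULL"]);

// Tokens: string literal | identifier or keyword | number | whitespace | other.
const TOKEN_RE = /'[^']*'|[A-Za-z_][A-Za-z0-9_]*|[0-9]+(?:\.[0-9]+)?|\s+|[^\s]/g;

// Data-obfuscation primitive: XOR each byte with a repeating key, hex-encode.
function xorHex(text, key) {
  return Array.from(Buffer.from(text, "utf8"), (b, i) =>
    (b ^ key.charCodeAt(i % key.length)).toString(16).padStart(2, "0")).join("");
}
function unXorHex(hex, key) {
  const bytes = Buffer.from(hex, "hex");
  for (let i = 0; i < bytes.length; i++) bytes[i] ^= key.charCodeAt(i % key.length);
  return bytes.toString("utf8");
}

// Step B. Layout obfuscation: whitespace collapsed, non-keyword identifiers
// renamed to aliases. Data obfuscation: every literal moved into a key-encoded
// table and replaced by a placeholder #k.
function obfuscate(sql, key) {
  const aliases = {};   // original identifier -> alias, kept for step D
  const literals = [];  // hex-encoded literals, indexed by placeholder number
  const text = (sql.match(TOKEN_RE) || []).map((tok) => {
    if (/^\s+$/.test(tok)) return " ";
    if (/^['0-9]/.test(tok)) {
      literals.push(xorHex(tok, key));
      return `#${literals.length - 1}`;
    }
    if (/^[A-Za-z_]/.test(tok) && !KEYWORDS.has(tok.toUpperCase())) {
      if (!(tok in aliases)) aliases[tok] = `_v${Object.keys(aliases).length}`;
      return aliases[tok];
    }
    return tok;
  }).join("");
  return { text, aliases, literals, round: 0 };
}

// Step D (deobfuscation), giving step E: undo the aliasing, then decode the
// literals with the key the current configuration was encoded under.
function deobfuscate(obf, key) {
  const back = Object.fromEntries(
    Object.entries(obf.aliases).map(([orig, alias]) => [alias, orig]));
  return obf.text
    .replace(/_v\d+/g, (alias) => back[alias] ?? alias)
    .replace(/#(\d+)/g, (_, n) => unXorHex(obf.literals[Number(n)], key));
}

// Dynamic system O = (I, T, p). I is the initial obfuscation under the first
// key; T re-encodes the literal table under the next key of the schedule, so
// T has period p: applying it p times returns a component to I(f).
const KEY_SCHEDULE = ["k0-alpha", "k1-bravo", "k2-charlie"]; // assumed; p = 3
const p = KEY_SCHEDULE.length;
const I = (f) => obfuscate(f, KEY_SCHEDULE[0]);
const T = (g) => {
  const from = KEY_SCHEDULE[g.round];
  const to = KEY_SCHEDULE[(g.round + 1) % p];
  return { ...g, round: (g.round + 1) % p,
           literals: g.literals.map((h) => xorHex(unXorHex(h, from), to)) };
};

// P_i = <T, T^i(I(f0)), ..., T^i(I(fn-1))>: the configuration after i rounds.
function configuration(P, i) {
  return P.map((f) => {
    let g = I(f);
    for (let k = 0; k < i; k++) g = T(g);
    return g;
  });
}
// Any configuration can be read back with the key of its current round.
function recover(g) {
  return deobfuscate(g, KEY_SCHEDULE[g.round]);
}

// Constructed sample program: two SQL components (step A).
const SAMPLE_P = [
  "SELECT id, name FROM users WHERE email = 'a@example.com'",
  "INSERT INTO orders (user_id, total)  VALUES (42, 19.99)",
];

function demo() {
  return {
    initial: configuration(SAMPLE_P, 0).map((g) => g.text),
    afterTwoRounds: configuration(SAMPLE_P, 2).map((g) => g.literals),
    recovered: configuration(SAMPLE_P, 2).map(recover),
  };
}
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the obfuscated text (identifiers aliased, literals replaced by placeholders), the literal tables after two applications of T (re-keyed, so they differ from the initial configuration), and the recovered queries. Two points worth noting when reading the output: the layout transform collapses runs of whitespace, so recovery is exact only up to that normalisation; and the alias map, literal table and key schedule together are everything needed to reverse the transformation, so whoever can read them can read the original queries.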

The proposed model applies obfuscation to web application security, whereas existing approaches rely on static analysis and dynamic analysis. The main aim of the proposed approach is to make the web application harder for an adversary to analyse, so that information cannot be extracted and used for the adversary's own purposes.

5. Conclusion and Future Work

Web data security is a pressing research issue today. Web applications hold sensitive data that can be stolen by hackers, as well as by users, for financial gain. Hence this manuscript proposes an approach for the protection of web applications based on obfuscation, a defence mechanism against reverse engineering. Obfuscation O applied to an original program P produces a new program P' = O(P) that is harder to understand but functionally equivalent to P. Obfuscation makes the program harder to analyse and, when combined with minification, yields more compact code. The future scope of the proposed blueprint is to keep the sensitive data of a web application secure during transmission against SQL injection and XSS attacks. In future work we propose a two-tier security architecture that protects web applications against static analysis (before execution) and dynamic analysis (during execution).


References

1. Li, Y. F., Das, P. K., & Dowe, D. L. (2014). Two decades of Web application testing: A survey of recent advances. Information Systems, 43, 20-54.

2. Li, X., & Xue, Y. (2011). A survey on web application security. Nashville, TN, USA, 25(5), 1-14.

3. Kumar, S., Mahajan, R., Kumar, N., & Khatri, S. K. (2017, September). A study on web application security and detecting security vulnerabilities. In 2017 6th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO) (pp. 451-455). IEEE.

4. Cisco (2018). Annual Cybersecurity Report, pp. 8, 19.

5. Landsmann, U. B. A., & Stromberg, D. (2003). Web application security: A survey of prevention techniques against SQL injection. Stockholm University.

6. Huang, Y. W., Tsai, C. H., Lin, T. P., Huang, S. K., Lee, D. T., & Kuo, S. Y. (2005). A testing framework for Web application security assessment. Computer Networks, 48(5), 739-761.

7. Morgan, D. (2006). Web application security: SQL injection attacks. Network Security, 2006(4), 4-5.

8. Mack, J., Hu, Y. H. F., & Hoppa, M. A. (2019). A Study of Existing Cross-Site Scripting Detection and Prevention Techniques Using XAMPP and Virtual Box. Virginia Journal of Science, 70(3), 1.

9. Marashdih, A. W., Zaaba, Z. F., Suwais, K., & Mohd, N. A. (2019). Web Application Security: An Investigation on Static Analysis with other Algorithms to Detect Cross Site Scripting. Procedia Computer Science, 161, 1173-1181.

10. Oliveira, R. A., Raga, M. M., Laranjeiro, N., & Vieira, M. (2020). An approach for benchmarking the security of web service frameworks. Future Generation Computer Systems, 110, 833-848.

11. Rodríguez, G. E., Torres, J. G., Flores, P., & Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and mitigation: A survey. Computer Networks, 166, 106960.

12. Anckaert, B., Madou, M., De Sutter, B., De Bus, B., De Bosschere, K., & Preneel, B. (2007, October). Program obfuscation: a quantitative approach. In Proceedings of the 2007 ACM workshop on Quality of protection (pp. 15-20).

13. Hosseinzadeh, S., Rauti, S., Laurén, S., Mäkelä, J. M., Holvitie, J., Hyrynsalmi, S., & Leppänen, V. (2018). Diversification and obfuscation techniques for software security: A systematic literature review. Information and Software Technology, 104, 72-93.

14. Paiza (2014). Retrieved from https://paiza.io/en/projects/new

15. JavaScript obfuscator (2003). Retrieved from https://javascriptobfuscator.com/

16. Nagra, J., & Collberg, C. (2009). Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Pearson Education.
