Security Analysis of Web Open-Source Projects Based on Java and PHP
-
Published:2023-06-10
Issue:12
Volume:12
Page:2618
-
ISSN:2079-9292
-
Container-title:Electronics
-
language:en
-
Short-container-title:Electronics
Author:
Yin Zhen1ORCID, Lee Scott Uk-Jin1ORCID
Affiliation:
1. Department of Computer Science and Engineering, Hanyang University, Ansan 15588, Republic of Korea
Abstract
During website development, the selection of suitable computer language and reasonable use of relevant open-source projects is imperative. Although the two languages, PHP and Java, have been extensively investigated in this context, there are not many security test reports based on their open-source projects. In this article, we conducted separate security analyses on web-related open-source projects based on PHP and Java. To this end, different open-source frameworks and services are used to design websites used to test experimental attacks on 12 popular open-source filters available on GitHub, as well as investigate the use of Lightweight Directory Access Protocol (LDAP) in the Firefox browser environment. Using malicious payloads published by Open Web Application Security Project (OWASP) and others, Cross-site Scripting (XSS), Local File Inclusion (LFI), SQL injection, and LDAP injection are performed on the test targets. The experimental results reveal that although PHP-based open-source projects are more vulnerable to attacks than Java-based ones, there is significant room for improvement. Finally, a whitelist-based filtering scheme is proposed. This scheme filters the inline attributes of label elements so that the filter has an excellent detection rate of malicious payloads while having an excellent pass rate of benign payloads. Effective references and suggestions for web developers are also included to aid the selection of open-source web projects, and feasible solutions to improve filter performance are proposed.
Subject
Electrical and Electronic Engineering,Computer Networks and Communications,Hardware and Architecture,Signal Processing,Control and Systems Engineering
Reference37 articles.
1. Marashdih, A.W., Zaaba, Z.F., and Suwais, K. (2018, January 3–4). Cross Site Scripting: Investigations in PHP Web Application. Proceedings of the 2018 International Conference on Promising Electronic Technologies (ICPET), Deir El-Balah, Palestine. 2. Tushnytskyy, R., Levus, Y., and Branec, I. (2011, January 11–14). Computer language benchmarks tool. Proceedings of the VIIth International Conference on Perspective Technologies and Methods in MEMS Design, Polyana, Ukraine. 3. Seixas, N., Fonseca, J., Vieira, M., and Madeira, H. (2009, January 16–19). Looking at web security vulnerabilities from the programming language perspective: A field study. Proceedings of the 2009 20th International Symposium on Software Reliability Engineering, Mysuru, India. 4. An Empirical Study of Security Risks of PHP Open-Source Software;Wang;Int. J. Softw. Eng. Knowl. Eng.,2014 5. Choudhary, S., and Kaur, P. (2018, January 11–13). A Study of Security Vulnerabilities on Java Web Application Frameworks. Proceedings of the 2018 3rd International Conference on Computing Sciences (ICCS), Wuxi, China.
|
|