<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Common vulnerabilities in real world web applications</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Natarajan Krishnaraj</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Chirag Madaan</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Sanjana Awasthi</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Raggav Subramani</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Harsh Avinash</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Sankalp Mukim</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Vellore Institute of Technology</institution>
          ,
          <addr-line>Vellore Campus, Tiruvalam Rd, Katpadi, Vellore, Tamil Nadu, 632014</addr-line>
          ,
          <country country="IN">India</country>
        </aff>
      </contrib-group>
      <fpage>9</fpage>
      <lpage>22</lpage>
      <abstract>
        <p>For practically every part of our life, we use web applications. Numerous web apps are being developed and used, which is expanding the possibility for application security issues. Attacks on web apps are occurring more frequently now than ever before. Every time a modification is made to the architecture of a web application, there is a potential that new vulnerabilities may be created. If this happens, an attacker could infect the system and leak data that could be fatal to the organisation. Understanding the typical weaknesses in web applications and the methods that may be used to minimise them is crucial for ifnding a solution to this issue. In this assignment, we will look at major security threats that might afect web applications in the real world, including request forgery attacks, injection attacks, cryptographic failures and broken access control mechanisms. We will examine these attacks in relation to modern web frameworks, which are widely used nowadays to create web applications. Our study is based on the OWASP Top Ten, a list of the most common and serious security threats to web applications. We will also study the best security practices recommended by professionals after each attack category that should be followed to prevent / mitigate the attack. This study's major objective is to give Web developers a better understanding of how to secure web applications.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;web applications</kwd>
        <kwd>application security issues</kwd>
        <kwd>attacks</kwd>
        <kwd>vulnerabilities</kwd>
        <kwd>architecture</kwd>
        <kwd>attacker</kwd>
        <kwd>data leak</kwd>
        <kwd>weaknesses</kwd>
        <kwd>methods</kwd>
        <kwd>request forgery attacks</kwd>
        <kwd>injection attacks</kwd>
        <kwd>cryptographic failures</kwd>
        <kwd>broken access control mechanisms</kwd>
        <kwd>web frameworks</kwd>
        <kwd>OWASP Top Ten</kwd>
        <kwd>security threats</kwd>
        <kwd>security practices</kwd>
        <kwd>developers</kwd>
        <kwd>secure web applications</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        Today, we utilise web applications for practically all of our daily duties, including ordering
takeout, checking our emails, booking flights, and even reading the news. Web applications are
being used and numbering in the millions. There is a higher likelihood of vulnerabilities in web
applications as there are more of them. In H1-2020, there is a growth in cyber attacks on web
apps of more than 800% [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. This study is based around Modern web application development
frameworks because technologies used in the Industry are always developing and so is the
security of web applications. The vulnerabilities that were common in the web application a
few years ago, are now mitigated by modern web application development frameworks. Still,
lfaws in application logic and bad security practices by developers can lead to security risks
that can be fatal to the organisation.
      </p>
      <p>Most common attacks to real-world web applications according to OWASP Top Ten includes
Injection attacks such as SQL Injection and Cross-site Scripting, Request forgery attacks like
Server-side Request Forgery and Cross-site Request Forgery, and security risks like Broken
Access Control and Cryptographic failures. SQL Injection is an attack where an attacker submits
a malicious payload as user input which modifies the SQL query that the backend server sends
to the database. This may result in the attacker being able to access or modify confidential
information stored on the database. Cross-site Scripting is where an attacker can insert harmful
code into a website that is subsequently executed by unwary visitors who access the page.
This may result in the compromise of private data or the installation of malicious software
on the user’s computer. Traditional encryption and obfuscation methods are vulnerable to
compromises due to the rapidly evolving threat environment if not handled correctly, potentially
exposing sensitive data due to a series of potential flaws known as cryptographic failures. A
Server-Side Request Forgery (SSRF) is a vulnerability which allows an attacker to trick the
backend of the web application to make requests to an unintended server. SSRF assaults are
frequently used by criminals to attack internal systems that are protected by firewalls and
inaccessible from the outside network. A Cross-Site Request Forgery (CSRF) attack occurs when
an attacker deceives a user into sending an unintended request to a web application without his
knowledge. This can be used to change their password, make unauthorised transactions, and
carry out other tasks. A security technique known as an access control mechanism establishes
who has access to resources like files, folders, and websites. Unauthorised users may access the
resource when access control is compromised. This may occur if the access control procedures
are not followed correctly or if the system has a vulnerability that can be exploited. To avoid
such vulnerabilities, developers and administrators of online applications on the Internet should
stick to clearly defined and best security procedures.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Literature survey</title>
      <p>
        Numerous studies have been conducted on typical web application vulnerabilities and solutions.
In order to quickly address these security issues, Strukov and Gudilin [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] has developed a
method of experimental examination of web application security that gives a finite amount of
time to find the maximum number of vulnerabilities in the computer systems.
      </p>
      <p>
        In their work, Kaur et al. [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] examined several vulnerabilities that can occur in web
applications. The paper’s conclusion lists a number of countermeasures that deal with threats to
web applications and lessen the impact by focusing on the weak spots that expose the web
application to the severity. They have also classified various web application vulnerabilities
according to the EDI matrix (exploitability, detection rate, and impact).
      </p>
      <p>
        By utilising authentication and session management, modern web applications can ofer
various features to various web application users. A case study on weak authentication and
poor session management vulnerabilities was conducted by Hassan et al. [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. He looked into
267 websites from the public and private sectors in Bangladesh and discovered that 56% of the
websites tested were weak points.
      </p>
      <p>
        There is a potential of producing brand-new vulnerabilities every time changes are made
to a layer of the web application architecture. Lala et al. [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] emphasised the use of coding
changes, patching, and configuration adjustments to mitigate web application vulnerabilities. In
accordance with the recommendations of the Open Web Application Security Project (OWASP),
the goal of this paper is to design and create a secure web application.
      </p>
      <p>
        Every year, organisations sustain significant losses as a result of web application
vulnerabilities. In order to identify and prevent attacks like cross-site scripting (XSS) and cross-site
request forgery (CSRF), Buah et al. [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] examined the security of online banking services.
      </p>
      <p>
        In their paper, Priyanka and Smruthi [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ] concentrated on well-known vulnerabilities like SQL
Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), and showed
how to attack these vulnerabilities by taking DVWA into account. Finally, they deduced various
preventive measures that may be used to mitigate these threats by comparing the Havij and
SQLMAP tools.
      </p>
      <p>
        One of the most often discovered online application vulnerabilities is SQL injection. In
most cases, it enables an attacker to view data that they would not typically be able to access.
Other users’ info might also be included in this. In many instances, an attacker can update or
remove this data, permanently altering the application’s behaviour or content. The methods
for detecting SQL attacks, the many types of SQL injection, the causes of SQL injection, and
preventative technology for SQL vulnerabilities were all covered by Kareem et al. [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] in his
assessment of SQL query protection approaches.
      </p>
      <p>Kumar and Taterh [9] assessed SQL injection vulnerability using a variety of injection
techniques, including user input, cookies, and server variables. They also conducted a comparative
analysis of various levels of SQL Injection vulnerabilities.</p>
      <p>Secure communication using mathematical procedures to encrypt and decode data is known
as cryptography. It is utilised in many diferent applications, such as secure messaging, file
sharing, and email. Traditional encryption and obfuscation methods can be compromised
due to a series of potential flaws known as cryptographic failures when used improperly in
the continually evolving threat environment, revealing sensitive data. Duong and Rizzo [10]
demonstrates how attackers can take advantage of several cryptographic design vulnerabilities
to steal secret keys and fake authentication tokens in order to gain access to private data in
web applications.</p>
      <p>Xu et al. [11] investigate three password-based anonymous multi-factor authentication
schemes for cloud environments (i.e., the schemes presented at MONET’19, IEEE Syst J’19, and
IEEE Syst J’20), and show that each of these three schemes is vulnerable to of-line guessing
attacks and lacks a crucial property (i.e., forward secrecy). They also suggest a number of
sensible defences against these flaws.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Attacks</title>
      <p>Although an attacker’s exploitation methods change frequently, their fundamental attack
concepts are generally constant. Here are a few of the most typical.</p>
      <sec id="sec-3-1">
        <title>3.1. SQL injection</title>
        <p>A SQL query is “injected” into the programme through the client’s input data in a SQL injection
attack. By taking advantage of the SQL injection vulnerability in the vulnerable web
application, an attacker may be able to read sensitive data from the database, alter database data
(Insert/Update/Delete), carry out database administration tasks (like shutting down the DBMS),
and in some cases, issue commands to the operating system.</p>
        <p>Numerous high-profile data breaches in recent years have been caused by SQL injection
attacks, which have led to reputational damage and legal repercussions. In certain situations, an
attacker may be able to access a persistent backdoor, which might lead to a long-lasting breach
that could go unnoticed for a very long time.</p>
        <p>SQL injection frequently involves blind vulnerabilities. This indicates that the programme
does not include information about any database issues or the results of the SQL query in
its answers. Blind vulnerabilities can still be used to get unwanted access to data, but the
corresponding approaches are typically more complex and challenging to execute.</p>
        <p>An actual-world illustration of blind SQL injection would resemble this.</p>
        <p>Let’s imagine that an online store employs a tracking cookie for analytics and runs a SQL
query that contains the cookie value (figure 1).</p>
        <p>No error messages are shown, nor are the results of the SQL query returned. But if the query
returns any rows, the application adds a “Welcome back” message to the page.</p>
        <p>An attacker can modify the value of his tracking ID which is stored in his cookies and
construct a payload that contains a conditional value, if it’s true the application will print a
“Welcome back” message.
‘ or (select substring(password, 1, 1)
from users where username ‘administrator’) = ‘a’ –</p>
        <p>This exploit checks if the first character of the administrator’s password is ‘a’ or not. If
it’s true, the overall condition will be true and a “Welcome back” message is included in the
response. An attacker can now brute force all characters at all positions of the password and
get the final administrator’s password (figure 2).</p>
        <p>This way the attacker is successfully able to retrieve administrator’s password one bit at a
time.</p>
        <p>Methods to prevent SQL injection attacks:
• Parameterised queries – Many cases of SQLi can be eliminated simply by using
parameterised queries instead of concatenating user input to the SQL query.
• Whitelisting – User input should always be treated as untrusted and filtered through a
whitelist which only allows some of the input that matches a pattern.
• Employ verified mechanisms – Do not try to build SQLi protection from scratch. Most
modern programming tools can give you access to SQLi protection features.</p>
      </sec>
      <sec id="sec-3-2">
        <title>3.2. Cross-site scripting</title>
        <p>Cross-site scripting or XSS is a vulnerability that allows an attacker to inject malicious javascript
code into the web application which is then served to the victim. The malicious code gets
executed on the victim’s browser and can steal confidential information like session ID which is
generally stored in the cookies. These attacks are efective whenever a web application accepts
user input without validating or encoding it before using it to make output.</p>
        <p>Figure 3 shows how an attacker submits a malicious input in the comment box of an application
and the application stores this input in the database. When a victim user visits the comment
box, the application fetches the attacker’s malicious comment and appends it to the HTML code
which is sent to the victim. In this case, the attacker’s malicious code is simply a script tag that
is used to execute javascript code with javascript code as alert(1) which just pops up an alert
with the value 1. The attacker could do all sorts of things like capture the victim’s session id
from his cookie and send it to a drop server which will basically allow an attacker to hijack the
victim user’s session and perform all the tasks that the victim user can perform. The malicious
code executed on the victim’s browser is usually a part of javascript code, but it can also be
HTML, Flash or any other type of code that the victim’s browser may execute.</p>
        <p>Cross-site scripting vulnerabilities can be very hard to detect and remove from a web
application. The simplest method to detect XSS in a piece of code is to conduct a security assessment
of it and look for any locations where input from an HTTP request can accidentally end up in
the HTML output. Be aware that a malicious JavaScript might be transmitted using a variety of
diferent HTML tags.</p>
        <p>There are three main types of cross-site scripting attacks:
• Reflected XSS – The most fundamental kind of cross-site scripting attack is this one. It
happens when a programme unsafely incorporates data from an HTTP request into the
immediate response.
• Stored XSS – It is also called a second-order or persistent XSS attack. It occurs when the
malicious user input from anattacker is stored on the database and sent to the victim user
in all later HTTP responses in an unsafe way.
• DOM-based XSS – It occurs when data is processed from an untrusted source in an
unsafe way by some client-side javascript code which usually writes the data back to the
DOM (Document Object Model).</p>
        <sec id="sec-3-2-1">
          <title>Generic tips to prevent XSS:</title>
          <p>• Don’t trust user input – Take into account that all user input is faulty. If user input is
included in HTML output, an XSS is conceivable. Input from verified and/or internal
users should be handled similarly to input from the general public.
• Use escaping / encoding – Use the appropriate escaping/encoding technique, such as
HTML escape, JavaScript escape, CSS escape, URL escape, etc., depending on where user
input will be used. Use pre-existing libraries rather than creating your own unless it is
absolutely necessary.
• Sanitise HTML – If user input needs to contain HTML, you can’t escape or encrypt it
because doing so would render any acceptable tags useless. In such cases, parse and
sanitise HTML using a trusted and proven library.
• Content security policy – Use a Content Security Policy as well to mitigate the efects of
a potential XSS problem (CSP). The CSP HTTP response header lets you specify which
dynamic resources are allowed to load in accordance with the request source.</p>
        </sec>
      </sec>
      <sec id="sec-3-3">
        <title>3.3. Cryptographic failures</title>
        <p>Due to a weak or nonexistent cryptographic strategy, a major web application security defect
known as a cryptographic failure exposes private application data. Examples include passwords,
patient medical information, trade secrets, credit card numbers, email addresses, and other
private user data. It is dificult to do it right because there are diferent encryption approaches,
each of which has advantages and disadvantages that online solution architects and developers
need to be fully aware of.</p>
        <p>Modern modern applications consume data both while it is in motion and while it is at rest,
making stringent security controls necessary for full threat protection. A few deployments
employ shoddy encryption techniques that are quickly breakable. Even with the flawless
implementation of cryptographic algorithms, users may decide not to adhere to established
practices for data protection, leaving sensitive data vulnerable to theft.</p>
        <p>The efective use of cryptography depends largely on how well it is implemented. The
majority of the protection will be removed by a tiny configuration or coding error, making the
cryptographic implementation inefective. End-to-end encryption is an actual example of how
cryptography is utilised in web applications. The RSA technique may be used by an application
to encrypt symmetric keys for encryption. Applications may be vulnerable to attacks that
jeopardise the confidentiality of the communications if they wrongly implement RSA or use
weak keys.</p>
        <p>Some of the attacks on RSA are,
• Common Modulus attack
• Fermat’s Factorisation
• Pollard’s p-1 Factorisation
• Common-Prime Attack
• Wiener’s Attack
• Coppersmith’s Attack
• Franklin Reiter’s Attack on related messages
• Hastad’s Broadcast Attack
• Least Significant Bit Oracle Attack</p>
        <sec id="sec-3-3-1">
          <title>A real world example of an attack on RSA algorithm might be look like:</title>
          <p>Let’s say a person Alice wants to send a secret text to Bob and chooses to encrypt the text
with Bob’s public key. If key generation is not properly implemented, the website may generate
keys such that the public key exponent is very large. This results in an attack called Wiener’s
attack on RSA where continued fraction method is used to expose the private key and hence
decrypt the message while in transit.</p>
          <p>Let’s say Alice encrypts the secret text in the following way (figure 4):</p>
          <p>Now attacker who already has Bob’s public key can apply the algorithm for Wiener’s attack
and decrypt the password in the following way (figure 5).</p>
          <p>Methods to prevent cryptographic failures:
• Use updated and established cryptographic functions, algorithms, and protocols.
• Follow secure standards defined for choosing keys and implement key rotation .
• Use authenticated encryption instead of plain encryption.</p>
        </sec>
      </sec>
      <sec id="sec-3-4">
        <title>3.4. Server-side request forgery</title>
        <p>Server-Side Request Forgery (SSRF) is a web application vulnerability which allows an attacker
to trick the backend of the web application to make requests to an unintended server. This
server can be in the internal network of the backend server or in the external network controlled
by the attacker. This may allow the attacker to access some functionality with the backend
server’s access rights which the attacker didn’t have access to, thus breaking the access control
mechanism implemented by the application (figure 6).</p>
        <p>A generic SSRF attack targets any programme that accepts data imports from URLs or allows
users to read data from URLs. It is possible to alter URLs by changing them or fiddling with
URL path traversal. Attackers frequently give the server a URL (or modify an existing one),
and the active server code reads from or submits data to the URL. Attackers can utilise URLs
to gain access to services and private data that were not meant to be made public, such as
HTTP-enabled databases and server configuration information.</p>
        <p>A successful SSRF attack may result in unauthorised business operations or access to data,
either on the vulnerable application itself or on other back-end systems with which the
application can communicate. In certain situations, the SSRF vulnerability might grant an attacker
the ability to carry out any command. An SSRF exploit that connects to external third-party
systems may result in malicious forward assaults that appear to emanate from the firm hosting
the vulnerable application.</p>
        <p>A common security tactic used to minimise the attack surface from external networks is
limiting the use of public-facing servers. There are suficient servers left over for internal
communication. Utilising SSRF, attackers can scan internal networks and get information about
them. Once they have gained access to the server, an attacker can utilise this information to
compromise other systems on the network.</p>
        <p>Methods to prevent SSRF attacks:
• Whitelist IP Addresses and DNS names that the application requires access to.
• Proper response handling – Response should only contain information that is anticipated.
• Disable unused URL schemas – Enable only URL schemas thatapplication relies on, e.g. –</p>
        <p>HTTP, HTTPS.</p>
        <p>• Proper authentication on internal services.</p>
      </sec>
      <sec id="sec-3-5">
        <title>3.5. Cross-site request forgery</title>
        <p>Cross-Site Request Forgery (CSRF) is a vulnerability that allows an attacker to trick users into
sending unintentional requests to the application server which may result in the attacker being
able to perform any task that the user can perform on the web application. For e.g. the attacker
may be able to change the user’s password or email, make transactions, delete the user’s profile
and perform privileged tasks using CSRF vulnerability.</p>
        <p>A real world example of CSRF vulnerability might look like what’s shown in the following
example:</p>
        <p>Let’s say an application provides the functionality to update a user’s login ID using a form
(figure 7). The application manages user sessions using a session-ID that is stored in the cookies
in the scope of the vulnerable website.</p>
        <p>An attacker can easily retrieve the path where the application sends the form data and could
construct a simple HTML payload that submits the form unintentionally upon visiting (figure 8).</p>
        <p>The susceptible website will get an HTTP request when the victim views the attacker’s HTML
page, and if the user is already logged in, the browser will include his session id from the cookie
in the HTTP request. As a result, the attacker will be able to make the website believe that the
victim has submitted the request, enabling the attacker to carry out any actions that the user is
capable of (figure 9).</p>
        <p>Methods to prevent CSRF attacks:
• Store session ID in a hidden input field instead of the cookie .
• Create an unpredictable CSRF token and store it in a huddle input field and send it with
every form submission, check if the CSRF token is valid and is tied to the session ID in the
cookie, if the checks are passed, only then allow for the functionality to be performed.
• Implement Captcha or use a Captcha service that is required to submit the form.</p>
      </sec>
      <sec id="sec-3-6">
        <title>3.6. Broken access control</title>
        <p>Even while access control looks like a simple problem, it is really dificult to manage eficiently.
The access control model of the web application is closely tied to the content and functionality
that a website provides. The users may also be a part of a range of jobs or groups with diferent
capabilities.</p>
        <p>Developers frequently underrate how dificult it is to implement a reliable access control
mechanism. Many of these strategies were not actively made; rather, they are the outcome of
how the website has evolved through time. In these circumstances, many places in the code
introduce access control restrictions. As the site is put into use, the ad hoc collection of rules
becomes progressively more challenging to comprehend.</p>
        <p>Many of these problematic access control techniques are easily accessible and exploitable.
Frequently, all that is required is a request for features or content that shouldn’t be permitted.
Once a flaw is discovered, an inadequate access control system might have severe results. In
addition to accessing unauthorised material, an attacker may be able to change or remove
content, perform unauthorised actions, or even take over site administration.</p>
        <p>One specific type of access control concern is administrative interfaces that permit site
administrators to control a site over the Internet. Such tools are frequently used by site administrators
to eficiently manage users, data, and content on their websites. To enable more exact site
administration, sites usually ofer a variety of administrative responsibilities. Due to their
importance, these interfaces are frequently excellent targets for attacks from both insiders and
outsiders.</p>
        <p>
          Hassan et al. [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ] examines the impact of the failed authentication and session management
vulnerabilities on online applications. According to the report, this vulnerability is growing more
widespread as a result of attackers’ inventiveness, shoddy system architecture, and incorrect
web application implementation. The impact on web applications and several methods of
exploitation of this vulnerability are covered in the study. The report comes to the conclusion
that this vulnerability poses a serious threat to web applications and must be fixed.
        </p>
        <p>Methods to prevent broken access control:
• Continuous inspection and test access control.
• Deny access by default.
• Limit CORS usage.
• Enable mandatory or role-based access control.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Conclusion</title>
      <p>In conclusion, the study of security threats to web applications is essential for web developers
and administrators. Web applications are being used everywhere and have become a part of
our everyday lives. Attacks on web applications are becoming more frequent, so it is important
to understand the potential vulnerabilities that may occur. The study of common attacks on
real-world web applications can help developers and administrators better understand how
to mitigate such attacks and prevent them from causing damage to the organisation. In this
paper we have studied Injection attacks such as SQL injection and XSS, Request forgery attacks,
cryptographic failures and broken access control mechanisms. We also have discussed ways to
prevent these attacks real world web from happening in applications.
Review, Asian Journal of Research in Computer Science 10 (2021) 13–32. doi:10.9734/
ajrcos/2021/v10i330242.
[9] A. Kumar, S. Taterh, Analysis of Various Levels of Penetration by SQL Injection Technique
Through DVWA, Journal of Advanced Computing and Communication Technologies 4
(2016) 28–32. URL: http://www.jacotech.org/index.php/paper/paper/paperDetails/87.
[10] T. Duong, J. Rizzo, Cryptography in the Web: The Case of Cryptographic Design Flaws
in ASP.NET, in: 2011 IEEE Symposium on Security and Privacy, 2011, pp. 481–489.
doi:10.1109/SP.2011.42.
[11] M. Xu, D. Wang, Q. Wang, Q. Jia, Understanding security failures of anonymous
authentication schemes for cloud environments, Journal of Systems Architecture 118 (2021) 102206.
doi:10.1016/j.sysarc.2021.102206.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>J.</given-names>
            <surname>Wilson</surname>
          </string-name>
          ,
          <article-title>Cyber-attacks on web applications up 800 per cent</article-title>
          in
          <source>H1 2020: Report</source>
          ,
          <year>2020</year>
          . URL: https://www.thesafetymag.com/ca/topics/technology/ cyber
          <article-title>-attacks-on-web-applications-up-800-per-cent-in-</article-title>
          <string-name>
            <surname>h1-</surname>
          </string-name>
          2020
          <source>-report/240124.</source>
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>V.</given-names>
            <surname>Strukov</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Gudilin</surname>
          </string-name>
          , Experimental Investigation of Web Application Security,
          <source>in: 2021 IEEE 4th International Conference on Advanced Information and Communication Technologies (AICT)</source>
          ,
          <year>2021</year>
          , pp.
          <fpage>245</fpage>
          -
          <lpage>250</lpage>
          . doi:
          <volume>10</volume>
          .1109/AICT52120.
          <year>2021</year>
          .
          <volume>9628957</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>P.</given-names>
            <surname>Kaur</surname>
          </string-name>
          ,
          <string-name>
            <surname>I. Sharma</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kaur</surname>
          </string-name>
          , Web Application Vulnerabilities &amp; Countermeasures, in: 2021
          <source>5th International Conference on Information Systems and Computer Networks (ISCON)</source>
          ,
          <year>2021</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>6</lpage>
          . doi:
          <volume>10</volume>
          .1109/ISCON52037.
          <year>2021</year>
          .
          <volume>9702496</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <surname>M. M. Hassan</surname>
            ,
            <given-names>S. S.</given-names>
          </string-name>
          <string-name>
            <surname>Nipa</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <string-name>
            <surname>Akter</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          <string-name>
            <surname>Haque</surname>
            ,
            <given-names>F. N.</given-names>
          </string-name>
          <string-name>
            <surname>Deepa</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <string-name>
            <surname>Rahman</surname>
            ,
            <given-names>M. A.</given-names>
          </string-name>
          <string-name>
            <surname>Siddiqui</surname>
            ,
            <given-names>M. H.</given-names>
          </string-name>
          <string-name>
            <surname>Sharif</surname>
          </string-name>
          ,
          <source>Broken Authentication and Session Management Vulnerability: A Case Study Of Web Application</source>
          ,
          <source>International Journal of Simulation: Systems, Science and Technology</source>
          <volume>19</volume>
          (
          <year>2018</year>
          ). URL: http://ijssst.info/Vol-
          <volume>19</volume>
          /No-2/paper6.pdf. doi:
          <volume>10</volume>
          .5013/IJSSST.a.
          <volume>19</volume>
          .02. 06.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>S. K.</given-names>
            <surname>Lala</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kumar</surname>
          </string-name>
          ,
          <string-name>
            <surname>S. T.</surname>
          </string-name>
          ,
          <article-title>Secure Web development using OWASP Guidelines</article-title>
          ,
          <source>in: 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS)</source>
          ,
          <year>2021</year>
          , pp.
          <fpage>323</fpage>
          -
          <lpage>332</lpage>
          . doi:
          <volume>10</volume>
          .1109/ICICCS51141.
          <year>2021</year>
          .
          <volume>9432179</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>G.</given-names>
            <surname>Buah</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Memusi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Munyi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. Brown</given-names>
            , R. A.
            <surname>Sowah</surname>
          </string-name>
          ,
          <article-title>Vulnerability Analysis of Online Banking Sites to Cross-Site Scripting and Request Forgery Attacks: A Case Study in East Africa</article-title>
          ,
          <source>in: 2021 IEEE 8th International Conference on Adaptive Science and Technology (ICAST)</source>
          ,
          <year>2021</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>5</lpage>
          . doi:
          <volume>10</volume>
          .1109/ICAST52759.
          <year>2021</year>
          .
          <volume>9681978</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>A. K.</given-names>
            <surname>Priyanka</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. S.</given-names>
            <surname>Smruthi</surname>
          </string-name>
          , WebApplication Vulnerabilities:
          <article-title>Exploitation and Prevention</article-title>
          , in: 2020
          <source>Second International Conference on Inventive Research in Computing Applications (ICIRCA)</source>
          ,
          <year>2020</year>
          , pp.
          <fpage>729</fpage>
          -
          <lpage>734</lpage>
          . doi:
          <volume>10</volume>
          .1109/ICIRCA48905.
          <year>2020</year>
          .
          <volume>9182928</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>F. Q.</given-names>
            <surname>Kareem</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. Y.</given-names>
            <surname>Ameen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. A.</given-names>
            <surname>Salih</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D. M.</given-names>
            <surname>Ahmed</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. F.</given-names>
            <surname>Kak</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H. M.</given-names>
            <surname>Yasin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>I. M.</given-names>
            <surname>Ibrahim</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. M.</given-names>
            <surname>Ahmed</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z. N.</given-names>
            <surname>Rashid</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Omar</surname>
          </string-name>
          , SQL Injection Attacks Prevention System Technology:
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>