Analysis and Design of Frontend Security in Web Applications: XSS and CSRF
Keywords:
SDLC, XSS, CSRF, CSRF token, input sanitization

Abstract
Definitely Secure Bank (DSB) is a web application designed to model digital bank financial transactions. In the early stages of development, the DSB application had several security vulnerabilities, including a non-persistent (reflected) Cross-Site Scripting (XSS) vulnerability on the web help page and a Cross-Site Request Forgery (CSRF) vulnerability in the financial transaction process. In DSB, as in other modern web applications, the most common vulnerabilities encountered are those to XSS and CSRF attacks. An XSS attack occurs when an attacker successfully injects malicious JavaScript into a web page, where it is then executed in the user's browser. A CSRF attack tricks a user into sending unwanted requests to a website that trusts them. This study aims to analyze the frontend security vulnerabilities in DSB and implement solutions to prevent them. The analysis is carried out by identifying vulnerable points in the application and evaluating their potential for exploitation. The proposed solution to prevent XSS attacks is to apply input sanitization to all user-entered data on the help page; input sanitization cleans the data of malicious scripts before it is processed by the system. To prevent CSRF attacks, the proposed solution is to use CSRF tokens when making transactions on DSB. A CSRF token is an encrypted random value that is added to each HTTP request and verified by the server. Implementing these solutions can improve DSB security and prevent exploitation of its XSS and CSRF vulnerabilities.
Copyright (c) 2024 Seminar Nasional Sistem Informasi dan Teknologi (SISFOTEK)
This work is licensed under a Creative Commons Attribution 4.0 International License.
http://creativecommons.org/licenses/by/4.0