University Publications

Computer Science and Technology Journal - - Issue (1) - Defending Against Web Application Cross-Site Scripting Attacks (XSS) Using new security model (NSM)

Abstract

Providing security for web applications has, in recent years, become a preoccupation for many companies and users. Cross-site scripting (XSS) attacks consistently rank as the top priority among website and web application threats. Once an intruder gains the access intended for the authenticated user's web browser, they may perform session hijacking, cookie stealing, malicious redirection and malware spreading. To prevent such attacks, it is essential to implement security measures that reliably block third-party intrusion. In this paper, we provide an analysis of, and a defense mechanism against, XSS attacks. We propose a model that highlights the key weaknesses enabling these attacks and provides a common perspective for studying the available defenses. The research concerns websites built with open source tools that face attacks allowing an attacker to steal user passwords, take control of a user's session, run malicious code, or use the site as part of a phishing scam. The research then presents a solution for storing passwords and sensitive data using a new security model (NSM). The model is built on a secret query key (SQK): a randomly generated, publicly stored string in the database consisting of the hexadecimal representation of 8 bytes generated for each user password. The password is hashed together with the SQK so that it can be stored securely in the database. The output of this step, a 64-byte hexadecimal string representing the 32-byte SHA-256 hash of the password, is then encrypted; the output of this encryption with the SHA-256 cryptographic function is a strong value from which the password cannot be recovered.
This hash encryption technique is merged with stored procedure statements, which are generated by recomputed query statements, to produce a strong security model (NSM) for encrypting and decrypting passwords during registration, login and authentication. This model deploys a novel security technique that is very effective and completely prevents cross-site scripting (XSS) attacks.
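The registration and login flow described above, written out as an added example that is not the paper's own code: a per-user 8-byte SQK stored as hex, SHA-256 over the password and SQK, and a second SHA-256 over the resulting 64-character hex string. The concatenation order (password followed by SQK) is an assumption, as is the use of an in-memory SQLite table with parameterized queries in place of the paper's stored procedures.

```python
import hashlib
import hmac
import secrets
import sqlite3

SQK_BYTES = 8  # the SQK is 8 random bytes, stored as 16 hex characters


def make_sqk() -> str:
    """Generate a fresh per-user secret query key (8 random bytes, hex-encoded)."""
    return secrets.token_hex(SQK_BYTES)


def nsm_hash(password: str, sqk: str) -> str:
    """Two-step digest as the abstract describes it.

    Step 1: SHA-256 over the password and the SQK (concatenation order assumed).
    Step 2: SHA-256 over the 64-character hex output of step 1.
    The result is a 64-character hex string stored next to the SQK.
    """
    first = hashlib.sha256((password + sqk).encode("utf-8")).hexdigest()
    return hashlib.sha256(first.encode("ascii")).hexdigest()


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table (assumed schema, not the paper's)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, sqk TEXT NOT NULL, pw_hash TEXT NOT NULL)"
    )
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    """Registration: mint an SQK for this user and store only the derived hash."""
    sqk = make_sqk()
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, sqk, nsm_hash(password, sqk)))


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Login: recompute the digest with the stored SQK and compare in constant time."""
    row = db.execute("SELECT sqk, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    sqk, stored = row
    return hmac.compare_digest(nsm_hash(password, sqk), stored)
```

Because each user gets a different SQK, two accounts with the same password store different hashes, which is the property the per-user key is meant to provide.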