Abstract— Accessibility and security are two independent aspects of the website quality. For every web content, if they are separately considered and evaluated, the joint violation could not be highlighted. This paper proposes an approach for customizing the multi-aspects evaluation of web contents that are displayed at the client's browser. This approach is composed of two methods. In the first method, we define two rules sets to check the violation of the HTML nodes' attributes and values. The ISO 40500 [13] - based rules allow detecting accessibility violations. The OWASP [12] based rules allow detecting security violations. In the second method, we define the attack patterns for checking the conformance of the scripts and inputs data from users. These checking methods could be jointly or separately operated. The approach is experimented in the form of a web application.
Tài liệu tham khảo [1]. Google Accessibility Developer Tools. Chrome Web Store.[Online] https://chrome.google.com/webstore/detail/accessibility-developer-t/fpkknkljclfencbdbgkenhalefipecmb?hl=en [2]. Bypass Blocks.[Online], https://www.w3.org/TR/ UNDERSTANDING-WCAG20/navigation-mechanisms-skip.html [3]. Thi Huong Giang Vu, Dat Trinh Tuan, Van Hung Phan, “Checking and Correcting the Source Code of Web Pages for Accessibility” 2012. IEEE, Computing and Communication Technologies, Research, Innovation, and Vision for the Future (RIVF). pp. 1-4, 2012. [4]. Cross-Site Request Forgery (CSRF).[Online] https://www.owasp.org/index.php/Cross-Site_Request_For gery_(CSRF) [5]. Document Object Model (DOM). W3C.[Online] https://www.w3.org/DOM/ [6]. Fuzzing with WebScarab. OWASP.[Online] https://www.owasp.org/index.php/Fuzzing_with_WebScarab [7]. AInspector Sidebar. Hoyt, Nicholas.[Online] https://addons.mozilla.org/enUS/firefox/addon/ainspector-sidebar/ [8]. HTTP Fuzzer Tool. Acunetix.[Online] http://www.acunetix.com/blog/docs/http-fuzzer-tool/ [9]. ISO/IEC 40500:2012. ISO.[Online] http://www .iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=58625 [10]. Non-text Content.[Online] https://www.w3.org /TR/UNDERSTANDING WCAG20/text-equiv-all.html [11].ModSecurity Core Rule Set Project. OWASP. [Online] https://www.owasp.org/index.php/Category: OWASP_ModSecurity_Core_Rule_Set_Project [12]. 2013 OWASP Top Ten Project. OWASP.[Online] http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf [13]. Web Application Security Accessibility Project. OWASP. [Online]https://www.owasp.org/index.php/ WASP_Web_Application_Security_Accessibility_Project [14]. Zed Attack Proxy Project. OWASP.[Online] https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project [15]. Edward Rolando Núñez-Valdéz, Oscar Sanjuán Martínez, Gloria García Fernández, Luis Joyanes Aguilar, Juan Manuel Cueva Lovelle , “Security Guidelines for the Development of Accessible Web Applications through the implementation of intelligent systems”. IJIMAI 1, pp. 79-86, 2009. [16]. Symantec. 2016 Internet Security Threat Report. [17]. Vũ Thị Hương Giang, Nguyễn Thị Thu Trang. “Hướng dẫn thiết kế trang web cho người khiếm thị”. ISBN: 978-604-938-730-2: NXB Bách Khoa, 2015. [18]. Ismailova, Rita, “Web site accessibility, usability and security: a survey of government websites in Kyrgyz Republic”. Universal Access in the Information Society, pp. 1-8, 2015. [19]. 2007 OWASP Top Ten Project. OWASP.[Online] 2007. https://www.owasp.org/index.php/Top_10_2007 [20]. Using the title attribute of the frame and iframe elements.W3C.[Online]. https://www.w3.org/TR/WCA G20-TECHS/H64.html [21]. Using longdesc W3C.[Online]. https://www.w3 .org/TR/WCAG20-TECHS/H45.html [22]. Understanding SC 1.1.1 W3C.[Online] https://www.w3.org/TR/UNDERSTANDING-WCAG2 0/text-equiv-all.html |