A solution for jointly checking the security and accessibility of websites

08:30 | 09/02/2017

CSKH-02.2016 - (Summary) - Security and accessibility are two independent aspects of website quality. However, if each criterion is checked on its own, the correlation between the two aspects is hard to assess. This article describes an approach that allows both the security and the accessibility of web content rendered in the client-side browser to be checked.

Abstract— Accessibility and security are two independent aspects of website quality. If, for a given web content, they are considered and evaluated separately, joint violations cannot be highlighted. This paper proposes an approach for customizing the multi-aspect evaluation of web contents displayed in the client's browser. The approach is composed of two methods. In the first method, we define two rule sets to check the attributes and values of HTML nodes for violations: the ISO 40500 [13]-based rules detect accessibility violations, and the OWASP [12]-based rules detect security violations. In the second method, we define attack patterns for checking the conformance of scripts and of input data supplied by users. These checking methods can be operated jointly or separately. The approach is evaluated experimentally in the form of a web application.
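The first method described in the abstract, as an added JavaScript example that is not code from the paper or its authors: node-level accessibility rules (a text alternative on img per WCAG 2.0 SC 1.1.1, a title on frame/iframe per technique H64) and security rules (a cleartext form action, a POST form without a hidden anti-CSRF field, a cross-origin iframe without a sandbox attribute) are run over the same HTML nodes, so a node that violates both aspects is reported once, flagged as a joint violation. The simplified tag tokenizer, the rule identifiers and messages, the page origin and the sample page are assumptions constructed for this example; a real checker would walk the browser DOM, as the paper's client-side tool does.

```javascript
// Added example (not the paper's implementation): accessibility and security
// rule sets applied to the same HTML nodes, with joint violations flagged.
// Assumptions: markup is well-formed enough for the simplified tokenizer below;
// rule ids, messages, PAGE_ORIGIN and SAMPLE_HTML are constructed for the example.

// Captures: "/" for an end tag, the tag name, and the raw attribute string.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Tokenize the document into { tag, closing, attrs, line } records.
function parseTags(html) {
  const nodes = [];
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const attrs = {};
    let a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(m[3])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? ""; // bare attribute -> ""
    }
    const line = html.slice(0, m.index).split("\n").length;
    nodes.push({ tag: m[2].toLowerCase(), closing: m[1] === "/", attrs, line });
  }
  return nodes;
}

// Absolute URL that does not start with the page origin is cross-origin; relative URLs are not.
function isCrossOrigin(src, pageOrigin) {
  const s = (src || "").toLowerCase();
  if (!/^https?:\/\//.test(s)) return false;
  const o = pageOrigin.toLowerCase();
  return s !== o && !s.startsWith(o + "/");
}

// Node-level rules; "aspect" is the quality aspect the rule belongs to.
const NODE_RULES = [
  { id: "A1", aspect: "accessibility", ref: "WCAG 2.0 SC 1.1.1 (H37)", tags: ["img"],
    check: (n) => !("alt" in n.attrs),           // alt="" (decorative) is allowed
    msg: "img has no alt attribute, so the non-text content has no text alternative" },
  { id: "A2", aspect: "accessibility", ref: "WCAG 2.0 H64", tags: ["iframe", "frame"],
    check: (n) => (n.attrs.title || "").trim() === "",
    msg: "frame/iframe has no descriptive title attribute" },
  { id: "S1", aspect: "security", ref: "OWASP Top 10 2013 A6", tags: ["form"],
    check: (n) => /^http:\/\//i.test(n.attrs.action || ""),
    msg: "form submits its data over cleartext http://" },
  { id: "S2", aspect: "security", ref: "OWASP guidance on framing untrusted content", tags: ["iframe"],
    check: (n, ctx) => isCrossOrigin(n.attrs.src, ctx.pageOrigin) && !("sandbox" in n.attrs),
    msg: "cross-origin iframe is embedded without a sandbox attribute" },
];
// Form-level rule, evaluated when the form closes: a POST form needs a hidden anti-CSRF field.
const CSRF_RULE = { id: "S3", aspect: "security", ref: "OWASP Top 10 2013 A8 (CSRF)",
  msg: "POST form has no hidden anti-CSRF token field" };

// Run both rule sets over the document; returns one finding per violating node.
function checkHtml(html, pageOrigin) {
  const ctx = { pageOrigin };
  const findings = [];
  const byNode = new Map();
  const report = (node, rule) => {
    let f = byNode.get(node);
    if (!f) {
      f = { line: node.line, tag: node.tag, violations: [], joint: false };
      byNode.set(node, f);
      findings.push(f);
    }
    f.violations.push({ id: rule.id, aspect: rule.aspect, ref: rule.ref, msg: rule.msg });
    f.joint = new Set(f.violations.map((v) => v.aspect)).size > 1; // both aspects on one node
  };
  let openForm = null;
  let formHasToken = false;
  for (const n of parseTags(html)) {
    if (n.closing) {
      if (n.tag === "form" && openForm) {
        const method = (openForm.attrs.method || "get").toLowerCase();
        if (method === "post" && !formHasToken) report(openForm, CSRF_RULE);
        openForm = null;
      }
      continue;
    }
    if (n.tag === "form") { openForm = n; formHasToken = false; }
    if (openForm && n.tag === "input" && (n.attrs.type || "").toLowerCase() === "hidden"
        && /csrf|token/i.test(n.attrs.name || "")) formHasToken = true;
    for (const r of NODE_RULES) if (r.tags.includes(n.tag) && r.check(n, ctx)) report(n, r);
  }
  return findings;
}

// Human-readable report; joint violations are flagged explicitly.
function formatReport(findings) {
  return findings.map((f) =>
    `line ${f.line} <${f.tag}>${f.joint ? " [JOINT accessibility+security]" : ""}\n` +
    f.violations.map((v) => `  ${v.id} ${v.aspect}: ${v.msg} (${v.ref})`).join("\n")).join("\n");
}

// Constructed sample page (not from the paper) and the origin it is served from.
const PAGE_ORIGIN = "https://www.example.test";
const SAMPLE_HTML = `<html><body>
<a href="#main">Skip to main content</a>
<img src="logo.png" alt="Company logo">
<img src="sales-chart.png">
<iframe src="https://maps.example.net/embed"></iframe>
<form method="post" action="http://www.example.test/login">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form method="post" action="/comment">
  <input type="hidden" name="csrf_token" value="constructed-sample-token">
  <textarea name="body"></textarea>
</form>
<main id="main"></main>
</body></html>`;

console.log(formatReport(checkHtml(SAMPLE_HTML, PAGE_ORIGIN)));
```

Run with `node` on the sample: the chart image yields an accessibility finding only, the login form two security findings (cleartext action, no CSRF field), and the map iframe one finding of each aspect, which is the joint violation that separate checkers would not surface. Because each node is keyed once in `byNode`, rules from either set simply accumulate on the same record.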

Read the full paper here.

References

[1] Google Accessibility Developer Tools. Chrome Web Store. [Online]. https://chrome.google.com/webstore/detail/accessibility-developer-t/fpkknkljclfencbdbgkenhalefipecmb?hl=en

[2] Bypass Blocks. W3C. [Online]. https://www.w3.org/TR/UNDERSTANDING-WCAG20/navigation-mechanisms-skip.html

[3] Thi Huong Giang Vu, Dat Trinh Tuan, Van Hung Phan, “Checking and Correcting the Source Code of Web Pages for Accessibility”. IEEE International Conference on Computing and Communication Technologies, Research, Innovation, and Vision for the Future (RIVF), pp. 1-4, 2012.

[4] Cross-Site Request Forgery (CSRF). OWASP. [Online]. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

[5] Document Object Model (DOM). W3C. [Online]. https://www.w3.org/DOM/

[6] Fuzzing with WebScarab. OWASP. [Online]. https://www.owasp.org/index.php/Fuzzing_with_WebScarab

[7] Nicholas Hoyt. AInspector Sidebar. [Online]. https://addons.mozilla.org/en-US/firefox/addon/ainspector-sidebar/

[8] HTTP Fuzzer Tool. Acunetix. [Online]. http://www.acunetix.com/blog/docs/http-fuzzer-tool/

[9] ISO/IEC 40500:2012. ISO. [Online]. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=58625

[10] Non-text Content. W3C. [Online]. https://www.w3.org/TR/UNDERSTANDING-WCAG20/text-equiv-all.html

[11] ModSecurity Core Rule Set Project. OWASP. [Online]. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

[12] 2013 OWASP Top Ten Project. OWASP. [Online]. http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

[13] Web Application Security Accessibility Project. OWASP. [Online]. https://www.owasp.org/index.php/OWASP_Web_Application_Security_Accessibility_Project

[14] Zed Attack Proxy Project. OWASP. [Online]. https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

[15] Edward Rolando Núñez-Valdéz, Oscar Sanjuán Martínez, Gloria García Fernández, Luis Joyanes Aguilar, Juan Manuel Cueva Lovelle, “Security Guidelines for the Development of Accessible Web Applications through the implementation of intelligent systems”. IJIMAI 1, pp. 79-86, 2009.

[16] Symantec. 2016 Internet Security Threat Report.

[17] Vũ Thị Hương Giang, Nguyễn Thị Thu Trang. “Hướng dẫn thiết kế trang web cho người khiếm thị” [Guidelines for designing websites for the visually impaired] (in Vietnamese). Bách Khoa Publishing House, ISBN 978-604-938-730-2, 2015.

[18] Rita Ismailova, “Web site accessibility, usability and security: a survey of government websites in Kyrgyz Republic”. Universal Access in the Information Society, pp. 1-8, 2015.

[19] 2007 OWASP Top Ten Project. OWASP. [Online]. 2007. https://www.owasp.org/index.php/Top_10_2007

[20] Using the title attribute of the frame and iframe elements. W3C. [Online]. https://www.w3.org/TR/WCAG20-TECHS/H64.html

[21] Using longdesc. W3C. [Online]. https://www.w3.org/TR/WCAG20-TECHS/H45.html

[22] Understanding SC 1.1.1. W3C. [Online]. https://www.w3.org/TR/UNDERSTANDING-WCAG20/text-equiv-all.html