Exploring guidance for prevent against XSS attacks in open CMS

Title in another language: Guidance for avoiding XSS vulnerabilities in open content management systems
Main author: Hijazi, Manal Ibrahim (Author)
Other authors: Barhoom, Tawfiq S. M. (Advisor)
Gregorian date: 2015
Place: Gaza
Hijri date: 1435
Pages: 1 - 82
MD number: 697086
Content type: University theses
Language: English
Academic degree: Master's thesis
University: Islamic University (Gaza)
Faculty: Faculty of Information Technology
Country: Palestine
Databases: Dissertations
Abstract: Personal information, as well as web page security, is important for everyone because attackers are used to stealing our sensitive information or damaging websites. XSS is one of the methods used by attackers. Since web browsers support the execution of scripting commands embedded in retrieved content, an attacker can exploit this feature maliciously to violate client security. CMSs give web developers an easy way to have personal websites, including people without prior security experience, who would be heavily hunted by attackers. They believe that a CMS is just a plug-in, but it is really a website. This work provides security guidance for CMS amateurs. This includes both professionals and amateurs, those with limited experience in security issues, so that they involve secure configuration when designing their web pages. In this work, we concentrate on the problem of cross-site scripting (XSS) attacks, as one of the most common attacks on the recent WWW. In this research, experiments are limited to Joomla and WordPress websites. At the end, we extracted some security guidance and rules in general for all CMS designers. Some of these rules are beneficial, especially for Joomla and WordPress developers. In this work, we trained a group of amateurs to develop their websites using Joomla and WordPress through our extracted security guidance. We believe that this work has not been done before. In conclusion, we found that different versions of WordPress, upon being attacked by the same malicious code, have the same results. Meanwhile, different versions of Joomla are more secure than WordPress. Any version of Joomla that is attacked will be followed by a solution for that version. We also infer that amateurs' capability to develop their websites using Joomla had jumped from nothing to 85.5% at the end of the work. The same result was achieved with WordPress, which reached 90%.
We found that amateurs understood the importance of our extracted security guidance, and they were perfectly able to apply that guidance in their developed websites. Moreover, they were practically able to use the safe rules to secure their web pages, which were developed based on Joomla and WordPress, to a high degree of up to 95%, which is an acceptable degree of success. They enjoyed this kind of work, which we could call that of an ethical hacker. The scanned websites of amateurs, which were developed at the end of the training program, were excellent, as security levels reached 95%. The results we obtained with scanning tools were XSS free, but we cannot say that the percentage is 100%, because no security work is complete. The comments we received from the true hackers, whom we asked to examine our developed websites, gave us the same results.
