DOI QR코드

DOI QR Code

Research on Efficient Automated Web Vulnerability Inspection Methods

  • Tae-Seop Kim (Dept. of Cyber Security, Pai Chai University) ;
  • Ah Reum Kang (Dept. of Cyber Security, Pai Chai University)
  • 투고 : 2024.10.14
  • 심사 : 2024.11.14
  • 발행 : 2024.11.29

초록

본 연구는 웹 애플리케이션을 손쉽게 제작할 수 있는 현대의 인터넷 환경에서, 수동점검만으로는 웹 애플리케이션 서비스의 안정성을 충분히 확보하기 어렵다는 문제를 해결하고자 자동점검을 통해 수동점검을 얼마나 대체할 수 있는지를 확인하고, 부족한 부분에 대한 개선사항을 파악한 후 이를 자동점검 솔루션에 반영하는 것을 목표로 한다. 이를 위해 상용 솔루션을 사용하여 175개의 홈페이지를 대상으로 자동점검과 수동점검을 비교 분석하였다. 분석 결과, 행정안전부의 웹 취약점 점검항목 21개 중 10개 항목에서 자동점검이 가능하다는 것이 확인되었다. 특히, 가장 많이 발견된 상위 5개 항목이 전체 취약점의 약 80%를 차지하여 자동점검의 실효성이 입증되었다고 볼 수 있다. 그러나 구조가 복잡한 항목은 자동점검이 어려워, 수동점검과 자동점검을 서로 보완하여 사용할 때 웹 취약점 점검의 효율성을 극대화할 수 있다.

In the modern Internet environment where web applications can be easily produced, this study aims to check how much manual inspection can be replaced through automatic inspection to solve the problem that it is difficult to secure sufficient stability of web application services only with manual inspection, identify improvements to the shortcomings, and reflect them in the automatic inspection solution. To this end, automatic inspection and manual inspection were compared and analyzed for 175 homepages using a commercial solution. As a result of the analysis, it was confirmed that automatic inspection is possible in 10 items out of 21 web vulnerability inspection items of the Ministry of Public Administration and Security. In particular, the top five items found the most accounted for about 80% of the total vulnerabilities, so the effectiveness of automatic inspection has been proven. However, items with complex structures are difficult to automatically check, so when manual inspection and automatic inspection are used complementarily, the efficiency of web vulnerability inspection can be maximized.

키워드

과제정보

This work was supported by the research grant of Pai Chai University in 2024.

참고문헌

  1. National Statistical Portal, Artificial Intelligence (AI) technology and services used, 2024.02.
  2. Akamai, SOTI Report, 2023.11.
  3. Verizon business, 2024 Data Breach Investigagions Report, 2024
  4. Tae-Seop Kim, In-June Jo, "Improvement Mechanism for Automatic Web Vulnerability Diagnosis", The Journal of the Korea Contents Association, v.22 no.2, pp 125-134, 2022
  5. Kim, Gwang-Hyun, "Implementation and Design of Proxy System for Web vulnerability Analysis", The Journal of The Korea Institute of Electronic Communication Sciences, ,Vol.9, No.9, pp.1011-1018, 2014 https://doi.org/10.13067/JKIECS.2014.9.9.1011
  6. Jae-Ho Lee, "Model-based Web Vulnerability Inspection Using Web Page's Function Analysis and Inspection Priority", The Convergent Research Society Among Humanities, Sociology, Science, and Technology, Vol.9, No.3, pp.727-736. 2019
  7. Jang Hee-Seo, "WVulnerability Analysis using the Web Vulnerability Scanner", Convergence security journal, v.12, no.4, pp.71-76, 2012
  8. OWASP ZAP, https://www.zaproxy.org/
  9. Burp Suite, https://portswigger.net/burp
  10. Acunetix, https://www.acunetix.com/
  11. Sparrow Dast, https://sparrow.im/kr/product/dast/
  12. Web Security Checker, https://www.ncloud.com/product/security/webSecurityChecker
  13. HCL AppScan, https://www.hcl-software.com/appscan
  14. SecureGuard WSE, http://www.nilesoft.co.kr/
  15. https://owasp.org/Top10/
  16. https://www.sans.org/top25-software-errors/
  17. The Ministry of Public Administration and Security's criteria for checking security vulnerabilities for mobile service servers (webs and apps). 2014.11
  18. Korea Internet & Security Agency, Detailed Guide to Analysis and Evaluation of Technological Vulnerabilities in Major Information and Communication Infrastructure, 2021.03
  19. YeongSik Pak, "An Empirical Study on the Web Vulnerabilities Analysis Model of Homepages", TDepartment of IT Policy Management Graduate School of Soongsil University. 2021
  20. Jeongwon Choi, Gunwoo Jeong, Youngkyung Choi, Junwon Heo, Jaeyoung Jang, Haho Choi, Yongkwon Jo, & Joowon Kim (2024-01-31). Proposal of a Web Vulnerability Automated Assessment Framework Using AI. Proceedings of Symposium of the Korean Institute of communications and Information Sciences, Gangwon. 2024
  21. Young-Bok Cho. Secure Coding for SQL Injection Prevention Using Generative AI. Journal of the Korea Society of Computer and Information , 29(9), 61-68. 2024