• Title/Summary/Keyword: Web Vulnerabilities

Search Result 110, Processing Time 0.025 seconds

A Study on Online Fraud and Abusing Detection Technology Using Web-Based Device Fingerprinting (웹 기반 디바이스 핑거프린팅을 이용한 온라인사기 및 어뷰징 탐지기술에 관한 연구)

  • Jang, Seok-eun;Park, Soon-tai;Lee, Sang-joon
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.5
    • /
    • pp.1179-1195
    • /
    • 2018
  • Recently, a variety of attacks on web services have been occurring through a multiple access environment such as PC, tablet, and smartphone. These attacks are causing various subsequent damages such as online fraud transactions, takeovers and theft of accounts, fraudulent logins, and information leakage through web service vulnerabilities. Creating a new fake account for Fraud attacks, hijacking accounts, and bypassing IP while using other usernames or email addresses is a relatively easy attack method, but it is not easy to detect and block these attacks. In this paper, we have studied a method to detect online fraud transaction and obsession by identifying and managing devices accessing web service using web-based device fingerprinting. In particular, it has been proposed to identify devices and to manage them by scoring process. In order to secure the validity of the proposed scheme, we analyzed the application cases and proved that they can effectively defend against various attacks because they actively cope with online fraud and obtain visibility of user accounts.

A Study on Secure Model based Virtualization for Web Application Security (웹 어플리케이션 보안을 위한 가상화 기반 보안 모델)

  • Yang, Hwan Seok;Yoo, Seung Jae
    • Convergence Security Journal
    • /
    • v.14 no.4
    • /
    • pp.27-32
    • /
    • 2014
  • Utilization of web application has been widely spread and complication in recent years by the rapid development of network technologies and changes in the computing environment. The attack being target of this is increasing and the means is diverse and intelligent while these web applications are using to a lot of important services. In this paper, we proposed security model using virtualization technology to prevent attacks using vulnerabilities of web application. The request information for query in a database server also can be recognized by conveying to the virtual web server after ID is given to created session by the client request and the type of the query is analyzed in this request. VM-Master module is constructed in order to monitor traffic between the virtual web servers and prevent the waste of resources of Host OS. The performance of attack detection and resource utilization of the proposed method is experimentally confirmed.

Effective Countermeasures against Vulnerability Assessment for the Public Website of Financial Institution (금융기관 공개용 홈페이지 취약점 분석평가에 대한 효율적인 대처방안)

  • Park, Hyun-jin;Kim, In-seok
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.4
    • /
    • pp.885-895
    • /
    • 2017
  • Security issues arise due to various types of external intrusions as much as the rapidly changing IT environment. Attacks using vulnerabilities in web applications are increasing, and companies are trying to find the cause of the vulnerability, prevent external intrusion, and protect their systems and important information. Especially, according to the Supervision Regulation, each financial institution and electronic financial service provider shall perform vulnerability analysis evaluation for the website for disclosure once every six months and report the result to the Financial Services Commission. In this study, based on the Web vulnerability items defined in the Supervision Regulation, based on the inspection cases of actual financial institution, we analyze the most frequently occurring items and propose effective countermeasures against them and ways to prevent them from occurring in advance.

String analysis for detection of injection flaw in Web applications (웹 응용프로그램의 삽입취약점 탐지를 위한 문자열분석)

  • Choi, Tae-Hyoung;Kim, Jung-Joon;Doh, Kyung-Goo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.17 no.6
    • /
    • pp.149-153
    • /
    • 2007
  • One common type of web-application vulnerabilities is injection flaw, where an attacker exploits faulty application code instead of normal input. In order to be free from injection flaw, an application program should be written in such a way that every potentially bad input character is filtered out. This paper proposes a precise analysis that statically checks whether or not an input string variable may have the given set of characters at hotspot. The precision is accomplished by taking the semantics of condition into account in the analysis.

A Study of Software Architecture Design Methods for Multiple Access Con trol under Web-based Medical Information System Environment (웹 기반 의료정보시스템 다중 접근제어를 위한 소프트웨어아키텍쳐 설계방법)

  • Noh, Si-Choon;Hwang, Jeong-Hee
    • Convergence Security Journal
    • /
    • v.11 no.4
    • /
    • pp.43-49
    • /
    • 2011
  • Web-based health information provides a lot of conveniences, however the security vulnerabilities that appear in the network environment without the risk of exposure in the use of information are growing. Web-based medical information security issues when accessing only the technology advances, without attempting to seek a safe methodology are to increase the threat element. So it is required. to take advantage of web-based information security measures as a web-based access control security mechanism-based design. This paper is based on software architecture, design, ideas and health information systems were designed based on access control security mechanism. The methodologies are to derive a new design procedure, to design architecture and algorithms that make the mechanism functio n. To accomplish this goal, web-based access control for multiple patient information architecture infrastructures is needed. For this software framework to derive features that make the mechanism was derived based on the structure. The proposed system utilizes medical information, medical information when designing an application user retrieves data in real time, while ensuring integration of encrypted information under the access control algorithms, ensuring the safety management system design.

Vulnerability Analysis of the Creativity and Personality Education based on Digital Convergence Curation System (창의·인성 교육기반의 디지털 융합 큐레이션 시스템에 관한 취약점 분석)

  • Shin, Seung-Soo;Kim, Jung-In;Youn, Jeong-Jin
    • Journal of the Korea Convergence Society
    • /
    • v.6 no.4
    • /
    • pp.225-234
    • /
    • 2015
  • With the growing number of people that use web services, the perception of the importance of securing web applications is also increasing. There are many different types of attacks that target web applications. In the rapidly-changing knowledge and information society, which came into being with the advancements made in information and communication technology, there is currently an urgent need for building web sites for the purposes of developing one's creativity and character. In this paper, attack schemes that use SQL injections and XSS and target educational digital curation systems which provide educational contents with the aim of developing of one's creativity and character are analyze, in terms of how the attacks are carried out and their vulnerabilities. Furthermore, it suggests ways of dealing appropriately with these web-based attacks that use SQL injections and XSS.

A Study of Quality-based Software Architecture Design Model under Web Application Development Environment (품질기반 웹 애플리케이션 개발을 위한 소프트웨어아키텍쳐 설계절차 예제 정립)

  • Moon, Song Chul;Noh, Si Choon
    • Convergence Security Journal
    • /
    • v.12 no.4
    • /
    • pp.115-122
    • /
    • 2012
  • As the most common application development of software development time, error-free quality, adaptability to frequent maintenance, such as the need for large and complex software challenges have been raised. When developing web applications to respond to software reusability, reliability, scalability, simplicity, these quality issues do not take into account such aspects traditionally. In this situation, the traditional development methodology to solve the same quality because it has limited development of new methodologies is needed. Quality of applications the application logic, data, and architecture in the entire area as a separate methodology can achieve your goals if you do not respond. In this study secure coding, the big issue, web application factors to deal with security vulnerabilities, web application architecture, design procedure is proposed. This proposal is based on a series of ISO/IEC9000, a web application architecture design process.

Novelty Detection on Web-server Log Dataset (웹서버 로그 데이터의 이상상태 탐지 기법)

  • Lee, Hwaseong;Kim, Ki Su
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.23 no.10
    • /
    • pp.1311-1319
    • /
    • 2019
  • Currently, the web environment is a commonly used area for sharing information and conducting business. It is becoming an attack point for external hacking targeting on personal information leakage or system failure. Conventional signature-based detection is used in cyber threat but signature-based detection has a limitation that it is difficult to detect the pattern when it is changed like polymorphism. In particular, injection attack is known to the most critical security risks based on web vulnerabilities and various variants are possible at any time. In this paper, we propose a novelty detection technique to detect abnormal state that deviates from the normal state on web-server log dataset(WSLD). The proposed method is a machine learning-based technique to detect a minor anomalous data that tends to be different from a large number of normal data after replacing strings in web-server log dataset with vectors using machine learning-based embedding algorithm.

Automatic Patch Information Collection System Using Web Crawler (웹 크롤러를 이용한 자동 패치 정보 수집 시스템)

  • Kim, Yonggun;Na, Sarang;Kim, Hwankuk;Won, Yoojae
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.6
    • /
    • pp.1393-1399
    • /
    • 2018
  • Companies that use a variety of software use patch management systems provided by security vendor to manage security vulnerabilities of software to improve security. System administrators monitor the vendor sites that provide new patch information to maintain the latest software versions, but it takes a lot of cost and monitoring time to find and collect patch information because the patch cycle is irregular and the structure of web page is different. In order to reduce this, studies to automate patch information collection based on keyword or web service have been conducted, but since the structure to provide patch information in vendor site is not standardized, it was applicable only to specific vendor site. In this paper, we propose a system that automates the collection of patch information by analyzing the structure and characteristics of the vendor site providing patch information and using web crawler to reduce the cost and monitoring time consumed in collecting patch information.

Research on Web Cache Infection Methods and Countermeasures (웹 캐시 감염 방법 및 대응책 연구)

  • Hong, Sunghyuck;Han, Kun-Hee
    • Journal of Convergence for Information Technology
    • /
    • v.9 no.2
    • /
    • pp.17-22
    • /
    • 2019
  • Cache is a technique that improves the client's response time, thereby reducing the bandwidth and showing an effective side. However, there are vulnerabilities in the cache technique as well as in some techniques. Web caching is convenient, but it can be exploited by hacking and cause problems. Web cache problems are mainly caused by cache misses and excessive cache line fetch. If the cache miss is high and excessive, the cache will become a vulnerability, causing errors such as transforming the secure data and causing problems for both the client and the system of the user. If the user is aware of the cache infection and the countermeasure against the error, the user will no longer feel the cache error or the problem of the infection occurrence. Therefore, this study proposed countermeasures against four kinds of cache infections and errors, and suggested countermeasures against web cache infections.