• Title/Summary/Keyword: web application vulnerability

Search Result 54, Processing Time 0.019 seconds

Vulnerability Analysis using the Web Vulnerability Scanner (Web Vulnerability Scanner를 이용한 취약성 분석)

  • Jang, Hee-Seon
    • Convergence Security Journal
    • /
    • v.12 no.4
    • /
    • pp.71-76
    • /
    • 2012
  • As the use of Mashups, web3.0, JavaScript and AJAX(Asynchronous JavaScript XML) widely increases, the new security threats for web vulnerability also increases when the web application services are provided. In order to previously diagnose the vulnerability and prepare the threats, in this paper, the classification of security threats and requirements are presented, and the web vulnerability is analyzed for the domestic web sites using WVS(Web Vulnerability Scanner) automatic evaluation tool. From the results of vulnerability such as XSS(Cross Site Scripting) and SQL Injection, the total alerts are distributed from 0 to 31,177, mean of 411, and standard deviation of 2,563. The results also show that the web sites of 22.5% for total web sites has web vulnerability, and the previous defenses for the security threats are required.

Implementation and Design of Proxy System for Web vulnerability Analysis (웹 취약점 분석을 위한 프락시 시스템의 설계 및 구현)

  • Kim, Gwang-Hyun
    • The Journal of the Korea institute of electronic communication sciences
    • /
    • v.9 no.9
    • /
    • pp.1011-1018
    • /
    • 2014
  • Because of the proliferation of web services through web site, web hacking attempts are increasing using vulnerabilities of the web application. In order to improve the security of web applications, we have to find vulnerabilities in web applications and then have to remove. This paper addresses a vulnerability in a web application on existing problems and analyze and propose solutions to the vulnerability. This paper have checked the stability of existing web security solutions and evaluated its suitability through analysis of vulnerability. Also, we have implemented the vulnerability analysis tools for web Proxy system and proposed methods to optimize for resolution of web vulnerabilities.

Vulnerability Analysis and Threat Mitigation for Secure Web Application Development (안전한 웹 애플리케이션 개발을 위한 취약점 분석 및 위협 완화)

  • Moon, Jae-Chan;Cho, Seong-Je
    • Journal of the Korea Society of Computer and Information
    • /
    • v.17 no.2
    • /
    • pp.127-137
    • /
    • 2012
  • Recently, as modern Internet uses mashups, Web 3.0, JavaScript/AJAX widely, the rate at which new vulnerabilities are being discovered is increasing rapidly. It can subsequently introduce big security threats. In order to efficiently mitigate these web application vulnerabilities and security threats, it is needed to rank vulnerabilities based on severity and consider the severe vulnerabilities during a specific phase of software development lifecycle (SDLC) for web applications. In this paper, we have first verified whether the risk rating methodology of OWASP Top 10 vulnerabilities is a reasonable one or not by analyzing the vulnerability data of web applications in the US National Vulnerability Database (NVD). Then, by inspecting the vulnerability information of web applications based on OWASP Top-10 2010 list and CWE (Common Weakness Enumeration) directory, we have mapped the web-related entries of CWE onto the entries of OWASP Top-10 2010 and prioritized them. We have also presented which phase of SDLC is associated with each vulnerability entry. Using this approach, we can prevent or mitigate web application vulnerabilities and security threats efficiently.

A Study On Advanced Model of Web Vulnerability Scoring Technique (웹 취약점 스코어링 기법의 advanced 모델 연구)

  • Byeon, Autumn;Lim, Jong In;Lee, Kyong-Ho
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.5
    • /
    • pp.1217-1224
    • /
    • 2015
  • Web application security problems are addressed by the web vulnerability analysis which in turn supports companies to understand those problems and to establish their own solutions. Ministry of Science, ICT and Future Planning (MSIP) has released its guidelines for analysis and assessment of the web vulnerability. Although it is possible to distinguish vulnerability items in a manner suggested in the MSIP's guidelines, MSIP's factors and criteria proposed in the guidelines are neither sufficient nor efficient in analyzing specific vulnerability entries' risks. This study discusses analysis of the domestic and international Vulnerability Scoring system and proposes an appropriate evaluating method for web vulnerability analysis.

Verification Methods of OWASP TOP 10 Security Vulnerability under Multi-Tenancy Web Site's Environments (멀티테넌시 기반 웹 사이트의 OWASP TOP 10 보안취약성 검증 방법)

  • Lee, Do Hyeon;Lee, Jong Wook;Kim, Jeom Goo
    • Convergence Security Journal
    • /
    • v.16 no.4
    • /
    • pp.43-51
    • /
    • 2016
  • Nowadays hacked using a security vulnerability in a web application, and the number of security issues on the web site at many sites due to the exposure of personal information is increasing day by day. In this paper, considering the open-source Web Application Security Project at the time of production of the website. Proposed the OWASP TOP 10 vulnerability verification method, by applying the proposed method and then analyzed for improved method and vulnerability to verify the performance of security vulnerability.

Evaluating the web-application resiliency to business-layer DoS attacks

  • Alidoosti, Mitra;Nowroozi, Alireza;Nickabadi, Ahmad
    • ETRI Journal
    • /
    • v.42 no.3
    • /
    • pp.433-445
    • /
    • 2020
  • A denial-of-service (DoS) attack is a serious attack that targets web applications. According to Imperva, DoS attacks in the application layer comprise 60% of all the DoS attacks. Nowadays, attacks have grown into application- and business-layer attacks, and vulnerability-analysis tools are unable to detect business-layer vulnerabilities (logic-related vulnerabilities). This paper presents the business-layer dynamic application security tester (BLDAST) as a dynamic, black-box vulnerability-analysis approach to identify the business-logic vulnerabilities of a web application against DoS attacks. BLDAST evaluates the resiliency of web applications by detecting vulnerable business processes. The evaluation of six widely used web applications shows that BLDAST can detect the vulnerabilities with 100% accuracy. BLDAST detected 30 vulnerabilities in the selected web applications; more than half of the detected vulnerabilities were new and unknown. Furthermore, the precision of BLDAST for detecting the business processes is shown to be 94%, while the generated user navigation graph is improved by 62.8% because of the detection of similar web pages.

Security Measures by Diagnosing Vulnerabilities in Web Applications

  • Kim, Hee Wan
    • International journal of advanced smart convergence
    • /
    • v.10 no.4
    • /
    • pp.22-29
    • /
    • 2021
  • For web application vulnerability diagnosis, from the development stage to the operation stage, it is possible to stably operate the web only when there is a policy that is commonly applied to each task through diagnosis of vulnerabilities, removal of vulnerabilities, and rapid recovery from web page damage. KISA presents 28 evaluation items for technical vulnerability analysis of major information and communication infrastructure. In this paper, we diagnose the vulnerabilities in the automobile goods shopping mall website and suggest security measures according to the vulnerabilities. As a result of diagnosing 28 items, major vulnerabilities were found in three items: cross-site scripting, cross-site request tampering, and insufficient session expiration. Cookie values were exposed on the bulletin board, and personal information was exposed in the parameter values related to passwords when personal information was edited. Also, since the session end time is not set, it was confirmed that session reuse is always possible. By suggesting security measures according to these vulnerabilities, the discovered security threats were eliminated, and it was possible to prevent breaches in web applications and secure the stability of web services.

A Study on Real-Time Web-Server Intrusion Detection using Web-Server Agent (웹 서버 전용 에이전트를 이용한 실시간 웹 서버 침입탐지에 관한 연구)

  • 진홍태;박종서
    • Convergence Security Journal
    • /
    • v.4 no.2
    • /
    • pp.17-25
    • /
    • 2004
  • As Internet and Internet users are rapidly increasing and getting popularized in the world the existing firewall has limitations to detect attacks which exploit vulnerability of web server. And these attacks are increasing. Most of all, intrusions using web application's programming error are occupying for the most part. In this paper, we introduced real-time web-server agent which analyze web-server based log and detect web-based attacks after the analysis of the web-application's vulnerability. We propose the method using real-time agent which remove Process ID(pid) and block out attacker's If if it detects the intrusion through the decision stage after judging attack types and patterns.

  • PDF

Cost-Effective, Real-Time Web Application Software Security Vulnerability Test Based on Risk Management (위험관리 기반의 비용 효율적인 실시간 웹 애플리케이션 소프트웨어 보안취약점 테스팅)

  • Kumi, Sandra;Lim, ChaeHo;Lee, SangGon
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.30 no.1
    • /
    • pp.59-74
    • /
    • 2020
  • The web space where web applications run is the cyber information warfare of attackers and defenders due to the open HTML. In the cyber attack space, about 84% of worldwide attacks exploit vulnerabilities in web applications and software. It is very difficult to detect web vulnerability attacks with security products such as web firewalls, and high labor costs are required for security verification and assurance of web applications. Therefore, rapid vulnerability detection and response in web space by automated software is a key and effective cyber attack defense strategy. In this paper, we establish a security risk management model by intensively analyzing security threats against web applications and software, and propose a method to effectively diagnose web and application vulnerabilities. The testing results on the commercial service are analyzed to prove that our approach is more effective than the other existing methods.