Security Measures by Diagnosing Vulnerabilities in Web Applications

  • Kim, Hee Wan (Division of Computer Science & Engineering, Sahmyook Univ.)
  • Received : 2021.09.22
  • Accepted : 2021.09.29
  • Published : 2021.12.31

Abstract

A web application can be operated stably only when, from the development stage through the operation stage, a common policy governs each task: diagnosing vulnerabilities, removing them, and rapidly recovering from web page damage. KISA presents 28 evaluation items for the technical vulnerability analysis of major information and communication infrastructure. In this paper, we diagnose the vulnerabilities of an automobile goods shopping mall website against these items and propose security measures for each vulnerability found. Of the 28 items, major vulnerabilities were found in three: cross-site scripting, cross-site request tampering, and insufficient session expiration. Cookie values were exposed on the bulletin board, and personal information was exposed in password-related parameter values when personal information was edited. Also, because no session end time is set, it was confirmed that session reuse is always possible. By applying the security measures proposed for these vulnerabilities, the discovered security threats were eliminated, breaches of the web application could be prevented, and the stability of the web service secured.
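The "insufficient session expiration" finding above (no session end time, so a session identifier stays valid indefinitely) is illustrated by the following server-side session store, an added example that is not code from the paper or from the audited site. The store, timeouts and cookie attributes are constructed for illustration; the weak setting (no timeouts) is contrasted with idle and absolute lifetimes plus an HttpOnly cookie, which also limits the cookie exposure the cross-site scripting finding describes.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    created: float    # epoch seconds when the session was issued
    last_seen: float  # epoch seconds of the last accepted request


class SessionStore:
    """Server-side session table with optional idle and absolute lifetimes."""

    def __init__(self, idle_timeout: Optional[float], absolute_timeout: Optional[float]):
        # None means "never expires": the configuration the audit found,
        # under which a captured identifier can be replayed at any later time.
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str, now: float) -> Optional[str]:
        """Return the user bound to sid, or None (and drop it) if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = self.idle_timeout is not None and now - s.last_seen > self.idle_timeout
        abs_expired = self.absolute_timeout is not None and now - s.created > self.absolute_timeout
        if idle_expired or abs_expired:
            del self._sessions[sid]  # expired sessions are removed, not merely rejected
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int) -> str:
    # HttpOnly stops page script (e.g. a post injected into a bulletin board) from
    # reading the cookie; Secure restricts it to TLS; SameSite reduces CSRF exposure.
    return f"Set-Cookie: SESSIONID={sid}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"
```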

Keywords
