http://dx.doi.org/10.13089/JKIISC.2012.22.3.601

A Web application vulnerability scoring framework by categorizing vulnerabilities according to privilege acquisition  

Cho, Sung-Young (KAIST Graduate School of Information Security)
Yoo, Su-Yeon (KAIST Department of Industrial and Systems Engineering)
Jeon, Sang-Hun (KAIST Cyber Security Research Center)
Lim, Chae-Ho (KAIST Graduate School of Information Security)
Kim, Se-Hun (KAIST Graduate School of Information Security)
Abstract
Secure web applications must be designed and implemented in order to provide safe web services. For this reason, several scoring frameworks exist to measure vulnerabilities in web applications. However, these frameworks do not classify vulnerabilities according to their seriousness, because they simply accumulate the scores of the individual factors within a vulnerability. We rate and score vulnerabilities according to the probability of privilege acquisition, so that vulnerabilities found in web applications can be prioritized. Our proposed framework also provides a method to score all web applications provided by an organization, so that the organization can determine which web application is the least secure and should be treated first. We apply our scoring framework to data listing the vulnerabilities in web applications found by a crawling-based web scanner, and we show the importance of categorizing vulnerabilities according to privilege acquisition.
Keywords
web vulnerability; scoring system; privilege acquisition; rating;