http://dx.doi.org/10.13089/JKIISC.2016.26.4.1025

Implementation of the Personal Information Infringement Detection Module in the HTML5 Web Service Environment  

Han, Mee Lan (Graduate School of Information Security, Korea University)
Kwak, Byung Il (Graduate School of Information Security, Korea University)
Kim, Hwan Kuk (Korea Internet & Security Agency)
Kim, Huy Kang (Graduate School of Information Security, Korea University)
Abstract
The conversion to HTML5, the international standard for web technology, is being pursued to improve an internet environment built on nonstandard technologies such as ActiveX. Hyper Text Markup Language 5 (HTML5), the basic language for creating web pages, was designed with more attention to security than HTML4. However, the attack surface has grown, and a variety of security threats originating in the HTML4 environment have been inherited by the new HTML5 APIs. In this paper, we focus on script-based attacks such as CSRF (Cross-Site Request Forgery) and cookie sniffing, and on HTML5 APIs such as CORS (Cross-Origin Resource Sharing) and the Geolocation API, as they relate to infringement of personal information. We reproduced actual infringement cases and implemented a plug-in type detection module that performs its diagnosis on the client side. The scanner detects and responds to HTML5 vulnerabilities in advance, allowing the reliability of HTML5-based web applications or web pages to be self-diagnosed. When a new vulnerability appears, the scanner is also easy to extend by adding another detection module.
Keywords
HTML5; Personal Information Infringement; Weakness; Vulnerability;
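As an added example that is not part of the paper, the following JavaScript sketches the plug-in style detection module the abstract describes: each of the four threat classes it names (CORS, cookie sniffing, Geolocation API, CSRF) is one registered check run over a client-side observation of a page, and a further vulnerability is covered by one more `registerCheck` call. The target object shape, the check identifiers and the sample data are assumptions.

```javascript
// Added example, not the paper's own code: a plug-in style client-side scanner in the
// spirit of the abstract. The target shape and sampleTarget are constructed assumptions.
const checks = [];                       // each entry is one detection module
const registerCheck = (c) => { checks.push(c); return checks.length; };
// CORS: wildcard origin, or a foreign origin echoed together with credentials.
registerCheck({
  id: 'CORS-OVERLY-PERMISSIVE',
  run: (t) => {
    const acao = t.responseHeaders['access-control-allow-origin'];
    const creds = t.responseHeaders['access-control-allow-credentials'] === 'true';
    if (acao === '*') return ['Access-Control-Allow-Origin is *'];
    if (creds && acao && acao !== t.pageOrigin) return [`credentialed CORS for ${acao}`];
    return [];
  },
});
// Cookie sniffing: without HttpOnly script can read it, without Secure it travels in clear.
registerCheck({
  id: 'COOKIE-FLAGS-MISSING',
  run: (t) => (t.setCookie || []).flatMap((raw) => {
    const attrs = raw.split(';').slice(1).map((s) => s.trim().toLowerCase());
    const missing = ['httponly', 'secure'].filter((f) => !attrs.includes(f));
    return missing.length ? [`${raw.split('=')[0].trim()} lacks ${missing.join(', ')}`] : [];
  }),
});
// Geolocation: position requested from a page that is not served over HTTPS.
registerCheck({
  id: 'GEOLOCATION-INSECURE-ORIGIN',
  run: (t) => (/navigator\.geolocation\.(getCurrentPosition|watchPosition)/.test(t.scripts.join('\n'))
    && !t.pageOrigin.startsWith('https://')) ? ['geolocation requested over http'] : [],
});
// CSRF: state-changing (POST) form without an anti-CSRF token field.
registerCheck({
  id: 'CSRF-TOKEN-MISSING',
  run: (t) => t.forms.filter((f) => f.method.toUpperCase() === 'POST'
    && !f.fields.some((n) => /csrf|token/i.test(n))).map((f) => `POST form ${f.action}`),
});
// Run every registered module; a new module is one more registerCheck call.
function scan(target) {
  return checks.flatMap((c) => c.run(target).map((detail) => ({ id: c.id, detail })));
}
const sampleTarget = {                   // constructed observations of one page
  pageOrigin: 'http://shop.example',
  responseHeaders: { 'access-control-allow-origin': 'http://other.example',
                     'access-control-allow-credentials': 'true' },
  setCookie: ['SESSIONID=abc123; Path=/', 'theme=dark; Path=/; Secure; HttpOnly'],
  scripts: ['navigator.geolocation.getCurrentPosition((p) => send("/loc", p.coords));'],
  forms: [{ method: 'post', action: '/update-profile', fields: ['email', 'phone'] },
          { method: 'post', action: '/pay', fields: ['amount', 'csrf_token'] }],
};
console.log(scan(sampleTarget).map((f) => `${f.id}: ${f.detail}`).join('\n'));
```

Run under Node.js; the sample page triggers one finding per module, and the same target with HTTPS, cookie flags and a token field yields none.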