• International journal of advanced smart convergence
• /
• v.10 no.4
• /
• pp.22-29
• /
• 2021

For web application vulnerability diagnosis, from the development stage to the operation stage, it is possible to stably operate the web only when there is a policy that is commonly applied to each task through diagnosis of vulnerabilities, removal of vulnerabilities, and rapid recovery from web page damage. KISA presents 28 evaluation items for technical vulnerability analysis of major information and communication infrastructure. In this paper, we diagnose the vulnerabilities in the automobile goods shopping mall website and suggest security measures according to the vulnerabilities. As a result of diagnosing 28 items, major vulnerabilities were found in three items: cross-site scripting, cross-site request tampering, and insufficient session expiration. Cookie values were exposed on the bulletin board, and personal information was exposed in the parameter values related to passwords when personal information was edited. Also, since the session end time is not set, it was confirmed that session reuse is always possible. By suggesting security measures according to these vulnerabilities, the discovered security threats were eliminated, and it was possible to prevent breaches in web applications and secure the stability of web services.

• Convergence Security Journal
• /
• v.12 no.4
• /
• pp.71-76
• /
• 2012

As the use of Mashups, web3.0, JavaScript and AJAX(Asynchronous JavaScript XML) widely increases, the new security threats for web vulnerability also increases when the web application services are provided. In order to previously diagnose the vulnerability and prepare the threats, in this paper, the classification of security threats and requirements are presented, and the web vulnerability is analyzed for the domestic web sites using WVS(Web Vulnerability Scanner) automatic evaluation tool. From the results of vulnerability such as XSS(Cross Site Scripting) and SQL Injection, the total alerts are distributed from 0 to 31,177, mean of 411, and standard deviation of 2,563. The results also show that the web sites of 22.5% for total web sites has web vulnerability, and the previous defenses for the security threats are required.

• Journal of Software Assessment and Valuation
• /
• v.17 no.2
• /
• pp.125-142
• /
• 2021

Reports of rampant cross-site scripting (XSS) vulnerabilities raise growing concerns on the effectiveness of current Static Analysis Security Testing (SAST) tools as an internet security device. Attentive to these concerns, this study aims to examine seven open-source SAST tools in order to account for their capabilities in detecting XSS vulnerabilities in PHP applications and to determine their performance in terms of effectiveness and analysis runtime. The representative tools - categorized as either text-based or graph-based analysis tools - were all test-run using real-world PHP applications with known XSS vulnerabilities. The collected vulnerability detection reports of each tool were analyzed with the aid of PhpStorm's data flow analyzer. It is observed that the detection rates of the tools calculated from the total vulnerabilities in the applications can be as high as 0.968 and as low as 0.006. Furthermore, the tools took an average of less than a minute to complete an analysis. Notably, their runtime is independent of their analysis type.

• Journal of Digital Convergence
• /
• v.13 no.2
• /
• pp.177-183
• /
• 2015

Cross Site Scripting enables hackers to steal other user's information (such as cookie, session etc.) or to do abnormal functions automatically using vulnerability of web application. This attack patterns of Cross Site Scripting(XSS) can be divided into two types. One is Reflect XSS which can be executed in one request for HTTP and its reply, and the other is Stored XSS which attacks those many victim users whoever access to the page which accepted the payload transmitted. To correspond to these XSS attacks, some measures have been suggested. They are data validation for user input, output validation during HTML encoding procedures, and removal of possible risk injection point to prevent from trying to insert malicious code into web application. In this paper, the methods and procedures for these two types are explained and a penetration testing is done. With these suggestions, the attack by XSS could be understood and prepared by its countermeasures.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.17 no.6
• /
• pp.1689-1705
• /
• 2023

To deal with the potential XSS vulnerabilities in the source code of the power communication network, an XSS vulnerability detection method combining the static analysis method with the dynamic testing method is proposed. The static analysis method aims to analyze the structure and content of the source code. We construct a set of feature expressions to match malignant content and set a "variable conversion" method to analyze the data flow of the code that implements interactive functions. The static analysis method explores the vulnerabilities existing in the source code structure and code content. Dynamic testing aims to simulate network attacks to reflect whether there are vulnerabilities in web pages. We construct many attack vectors and implemented the test in the Selenium tool. Due to the combination of the two analysis methods, XSS vulnerability discovery research could be conducted from two aspects: "white-box testing" and "black-box testing". Tests show that this method can effectively detect XSS vulnerabilities in the source code of the power communication network.

• The KIPS Transactions:PartA
• /
• v.15A no.3
• /
• pp.181-188
• /
• 2008

Nowadays, most web sites are developed using dynamic web pages where web pages are generated and transmitted by web application programs. Therefore, the ratio of attacks injecting malevolent strings to vulnerable web applications is increasing. In this paper, we present a static program analyzer which analyzes whether a web application program has vulnerabilities to the SQL injection attack and the cross site scripting(XSS) attack. To analyze programs using abstract interpretation framework, we designed an abstract domain which models potential string set along with excluded strings and developed an abstract interpreter for the PHP language. Also, based on them, we implemented a static analyzer. According to our experiments, our analyzer has competitive analysis speed and accuracy compared with related research results.

• Journal of Information Processing Systems
• /
• v.6 no.4
• /
• pp.563-574
• /
• 2010

The growing number of web applications in the global economy has made it critically important to develop secure and reliable software to support the economy's increasing dependence on web-based systems. We propose an intercepting filter approach to mitigate the risk of injection flaw exploitation- one of the most dangerous methods of attacking web applications. The proposed approach can be implemented in Java or .NET environments following the intercepting filter design pattern. This paper provides examples to illustrate the proposed approach.

• Convergence Security Journal
• /
• v.18 no.3
• /
• pp.37-44
• /
• 2018

Today we live in a flood of web sites and access numerous websites through the Internet to obtain various information. However, unless the security of the Web site is secured, Web site security can not be secured from various malicious attacks. Hacking attacks, which exploit Web site security vulnerabilities for various reasons, such as financial and political purposes, are increasing. Various attack techniques such as SQL-injection, Cross-Site Scripting(XSS), and Drive-By-Download are being used, and the technology is also evolving. In order to defend against these various hacking attacks, it is necessary to remove the vulnerabilities from the development stage of the website, but it is not possible due to various problems such as time and cost. In order to compensate for this, it is important to identify vulnerabilities in Web sites through web vulnerability checking and take action. In this paper, we investigate web vulnerabilities and diagnostic techniques and try to understand the priorities of vulnerabilities in the development stage according to the actual status of each case through cases of actual web vulnerability diagnosis.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.14 no.4
• /
• pp.57-61
• /
• 2014

Zeroboard is a public bulletin board that can support PHP and MySQL. It has been used by many people because it is easy to use, but there is no more updates after Zeroboard4. So, there is a problem that its administrator will have nothing to do about it if zeroboard has a vulnerability. In this paper, we will discuss about CSRF(Cross Site request Forgery) which is developed and expanded by XSS(Cross Site Scripting). Also, we will find CSRF attacks and suggest an alternative method using VM-ware. The main features and contributions of the proposed method are as follows. First, make an environment construction using VM-ware and other tools. Second, analyze and prepare vulnerabilities using Proxy server. Performance evaluation will be conducted by applying possible countermeasure.

• Convergence Security Journal
• /
• v.12 no.3
• /
• pp.85-92
• /
• 2012

Today, the typical web hacking attacks are cross-site scripting(XSS) attacks, injection vulnerabilities, malicious file execution and insecure direct object reference included. Web hacking security systems, access control solutions, access only to the web service and flow inside but do not control the packet. So you have been illegally modified to pass the packet even if the packet is considered as a unnormal packet. The defense system is to fail to appropriate controls. Therefore, in order to ensure a successful web services diagnostic system development is necessary. Web application diagnostic system is real and urgent need and alternative. The diagnostic system development process mu st be carried out step of established diagnostic systems, diagnostic scoping web system vulnerabilities, web application, analysis, security vulnerability assessment and selecting items. And diagnostic system as required by the web system environment using tools, programming languages, interfaces, parameters must be set.