• Convergence Security Journal
• /
• v.16 no.4
• /
• pp.43-51
• /
• 2016

Nowadays hacked using a security vulnerability in a web application, and the number of security issues on the web site at many sites due to the exposure of personal information is increasing day by day. In this paper, considering the open-source Web Application Security Project at the time of production of the website. Proposed the OWASP TOP 10 vulnerability verification method, by applying the proposed method and then analyzed for improved method and vulnerability to verify the performance of security vulnerability.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.2
• /
• pp.127-137
• /
• 2012

Recently, as modern Internet uses mashups, Web 3.0, JavaScript/AJAX widely, the rate at which new vulnerabilities are being discovered is increasing rapidly. It can subsequently introduce big security threats. In order to efficiently mitigate these web application vulnerabilities and security threats, it is needed to rank vulnerabilities based on severity and consider the severe vulnerabilities during a specific phase of software development lifecycle (SDLC) for web applications. In this paper, we have first verified whether the risk rating methodology of OWASP Top 10 vulnerabilities is a reasonable one or not by analyzing the vulnerability data of web applications in the US National Vulnerability Database (NVD). Then, by inspecting the vulnerability information of web applications based on OWASP Top-10 2010 list and CWE (Common Weakness Enumeration) directory, we have mapped the web-related entries of CWE onto the entries of OWASP Top-10 2010 and prioritized them. We have also presented which phase of SDLC is associated with each vulnerability entry. Using this approach, we can prevent or mitigate web application vulnerabilities and security threats efficiently.

• KIISE Transactions on Computing Practices
• /
• v.21 no.11
• /
• pp.721-726
• /
• 2015

This paper shows secure coding rules for PHP programs. Programmers should comply with these rules during development of their programs. The rules are crafted to restrain 28 weaknesses that are composed of 22 corresponding to reported CVEs of PHP, the children of CWE-661 for PHP, and the top 5 weaknesses according to OWASP. The rule set consists of 28 detailed rules under 14 categories. This paper also demonstrates through examples that programs complying with these rules can curb weaknesses. The rules can also serve as a guideline in developing analysis tools for security purposes.

• International Journal of Computer Science & Network Security
• /
• v.23 no.2
• /
• pp.199-202
• /
• 2023

Carriage return (CR) and line feed (LF), also known as CRLF injection is a type of vulnerability that allows a hacker to enter special characters into a web application, altering its operation or confusing the administrator. Log poisoning and HTTP response splitting are two prominent harmful uses of this technique. Additionally, CRLF injection can be used by an attacker to exploit other vulnerabilities, such as cross-site scripting (XSS). Email injection, also known as email header injection, is another way that can be used to modify the behavior of emails. The Open Web Application Security Project (OWASP) is an organization that studies vulnerabilities and ranks them based on their level of risk. According to OWASP, CRLF vulnerabilities are among the top 10 vulnerabilities and are a type of injection attack. Automated testing can help to quickly identify CRLF vulnerabilities, and is particularly useful for companies to test their applications before releasing them. However, CRLF vulnerabilities can also lead to the discovery of other high-risk vulnerabilities, and it fosters a better approach to mitigate CRLF vulnerabilities in the early stage and help secure applications against known vulnerabilities. Although there has been a significant amount of research on other types of injection attacks, such as Structure Query Language Injection (SQL Injection). There has been less research on CRLF vulnerabilities and how to detect them with automated testing. There is room for further research to be done on this subject matter in order to develop creative solutions to problems. It will also help to reduce false positive alerts by checking the header response of each request. Security automation is an important issue for companies trying to protect themselves against security threats. Automated alerts from security systems can provide a quicker and more accurate understanding of potential vulnerabilities and can help to reduce false positive alerts. Despite the extensive research on various types of vulnerabilities in web applications, CRLF vulnerabilities have only recently been included in the research. Utilizing automated testing as a recurring task can assist companies in receiving consistent updates about their systems and enhance their security.

• Journal of Internet of Things and Convergence
• /
• v.6 no.1
• /
• pp.9-15
• /
• 2020

Recently, interest in blockchain technology has increased. The data industry is increasingly growing around the world. In addition, databases which obtain important information such as personal data are targeted by hackers. Data exposed by attackers happen frequently. In 2017, OWASP announced SQL injection is a top 1 threat to web applications. However, the proportion of data security is the smallest in the data industry. To prevent data exposure, this paper proposes a method that can protect databases by using hybrid blockchain.

• Journal of Information Processing Systems
• /
• v.13 no.4
• /
• pp.689-702
• /
• 2017

The Structured Query Language (SQL) Injection continues to be one of greatest security risks in the world according to the Open Web Application Security Project's (OWASP) [1] Top 10 Security vulnerabilities 2013. The ease of exploitability and severe impact puts this attack at the top. As the countermeasures become more sophisticated, SOL Injection Attacks also continue to evolve, thus thwarting the attempt to eliminate this attack completely. The vulnerable data is a source of worry for government and financial institutions. In this paper, a detailed survey of different types of SQL Injection and proposed methods and theories are presented, along with various tools and their efficiency in intercepting and preventing SQL attacks.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.11a
• /
• pp.220-223
• /
• 2017

세계적인 웹 어플리케이션 취약점을 다루는 OWASP(The Open Wed Application Security Project) TOP 10 [1]에 따르면 빈도가 높고 영향이 큰 취약점들은 모두 철저한 웹 보안 코드를 작성하면 어느 정도 예방할 수 있다는 결론이 나왔다. 이에 따라 최근 국내에서 일어난 웹 사이트의 취약점 사례를 알아보고 그 대응법에 대하여 분석한 후, 직접 개발한 웹 사이트에 웹 보안 코드를 적용할 수 있도록 하였다. 또한, 소프트웨어 공학자를 위한 java 시큐어코딩 가이드를 숙지하여 웹 개발 시 보안 유지를 강화하였다.

• Proceedings of the Korean Information Science Society Conference
• /
• 2012.06b
• /
• pp.226-228
• /
• 2012

최근 HTML5, AJAX(Asynchronous JavaScript XML) 등으로 구현된 웹 애플리케이션이 널리 이용됨에 따라 웹 애플리케이션에 존재하는 취약점을 악용하는 공격 사례가 증가하고 있다. 웹 애플리케이션의 안전한 개발과 유지보수를 위해, 설계/구현 단계에서의 취약점 완화를 통한 예방, 그리고 운영 단계에서의 공격 탐지 및 대응이 필요하다. 더불어, 위험한 취약점들 및 공격 패턴들을 분석하고 우선순위를 부여하여, 웹 애플리케이션 개발 단계 및 운영 단계에서 심각한 취약점과 공격들을 우선 고려해야 한다. 본 논문에서는 OWASP Top 10과 CWE(Common Weakness Enumeration)를 연동시켜 CAPEC(Common Attack Pattern Enumeration and Classification)에서 웹 관련 주요 공격 패턴을 선별하고 순위화하였다. CWE는 취약점 예방에 도움을 주며, 순위화된 공격 패턴은 웹 애플리케이션에서 주요 공격들을 효율적으로 방어할 수 있게 하여 준다.

• The Korean Journal of Health Service Management
• /
• v.9 no.2
• /
• pp.23-32
• /
• 2015

In this paper, we evaluated web security vulnerability and privacy information management of hospital web sites which are registered at the Korea Hospital Association. Vulnerability Scanner (WVS) based on the OWASP Top 10 was used to evaluate the web security vulnerability of the web sites. And to evaluate the privacy information management, we used ten rules which were based on guidelines for protecting privacy information on web sites. From the results of the evaluation, we discovered tertiary hospitals had relatively excellent web security compared to other type of hospitals. But all the hospital types had not only high level vulnerabilities but also the other level of vulnerabilities. Additionally, 97% of the hospital web sites had a certain level of vulnerability, so a security inspection is needed to secure the web sites. We discovered a few SQL Injection and XSS vulnerabilities in the web sites of tertiary hospitals. However, these are very critical vulnerabilities, so all hospital types have to be inspected to protect their web sites against attacks from hacker. On the other hand, the inspection results of the tertiary hospitals for privacy information management had a better compliance rate than that of the other hospital types.

• Convergence Security Journal
• /
• v.12 no.4
• /
• pp.71-76
• /
• 2012

As the use of Mashups, web3.0, JavaScript and AJAX(Asynchronous JavaScript XML) widely increases, the new security threats for web vulnerability also increases when the web application services are provided. In order to previously diagnose the vulnerability and prepare the threats, in this paper, the classification of security threats and requirements are presented, and the web vulnerability is analyzed for the domestic web sites using WVS(Web Vulnerability Scanner) automatic evaluation tool. From the results of vulnerability such as XSS(Cross Site Scripting) and SQL Injection, the total alerts are distributed from 0 to 31,177, mean of 411, and standard deviation of 2,563. The results also show that the web sites of 22.5% for total web sites has web vulnerability, and the previous defenses for the security threats are required.