• Journal of Korea Society of Digital Industry and Information Management
• /
• v.16 no.2
• /
• pp.53-59
• /
• 2020

Malicious file upload attacks mean that the attacker to upload or transfer files of dangerous types that can be automatically processed within the web server's environment. Uploaded file content can include exploits, malware and malicious scripts. An attacker can user malicious content to manipulate the application behavior. As a method of detecting a malicious file upload attack, it is generally used to find a file type by detecting a file extension or a signature of the file. However, this type of file type detection has the disadvantage that it can not detect files that are not encoded with a specific program, such as PHP files. Therefore, in this paper, research was conducted on how to detect and block any program by using essential commands or variable names used in the corresponding program when writing a specific program. The performance evaluation results show that it detected specific files effectively using the suggested method.

• Journal of Information Processing Systems
• /
• v.11 no.2
• /
• pp.229-238
• /
• 2015

Web shells are programs that are written for a specific purpose in Web scripting languages, such as PHP, ASP, ASP.NET, JSP, PERL-CGI, etc. Web shells provide a means to communicate with the server's operating system via the interpreter of the web scripting languages. Hence, web shells can execute OS specific commands over HTTP. Usually, web attacks by malicious users are made by uploading one of these web shells to compromise the target web servers. Though there have been several approaches to detect such malicious web shells, no standard dataset has been built to compare various web shell detection techniques. In this paper, we present a collection of web shell files, WebSHArk 1.0, as a standard dataset for current and future studies in malicious web shell detection. To provide baseline results for future studies and for the improvement of current tools, we also present some benchmark results by scanning the WebSHArk dataset directory with three web shell scanning tools that are publicly available on the Internet. The WebSHArk 1.0 dataset is only available upon request via email to one of the authors, due to security and legal issues.

• International Journal of Computer Science & Network Security
• /
• v.21 no.12
• /
• pp.207-212
• /
• 2021

A buffer overflow attack is carried out to subvert privileged program functions to gain control of the program and thus control the host. Buffer overflow attacks should be prevented by risk managers by eradicating and detecting them before the software is utilized. While calculating the size, correct variables should be chosen by risk managers in situations where fixed-length buffers are being used to avoid placing excess data that leads to the creation of an overflow. Metamorphism can also be used as it is capable of protecting data by attaining a reasonable resistance level [1]. In addition, risk management teams should ensure they access the latest updates for their application server products that support the internet infrastructure and the recent bug reports [2]. Scanners that can detect buffer overflows' flaws in their custom web applications and server products should be used by risk management teams to scan their websites. This paper presents an experiment of buffer overflow vulnerability and attack. The aims to study of a buffer overflow mechanism, types, and countermeasures. In addition, to comprehend the current detection plus prevention approaches that can be executed to prevent future attacks or mitigate the impacts of similar attacks.

• Journal of KIISE
• /
• v.44 no.1
• /
• pp.1-12
• /
• 2017

The continuously growing internet service requirements has resulted in a multitier system structure consisting of web server and database (DB) server. In this multitier structure, the existing intrusion detection system (IDS) detects known attacks by matching misused traffic patterns or signatures. However, malicious change to the contents at DB server through hypertext transfer protocol (HTTP) requests at the DB server cannot be detected by the IDS at the DB server's end, since the DB server processes structured query language (SQL) without knowing the associated HTTP, while the web server cannot identify the response associated with the attacker's SQL query. To detect these types of attacks, the malicious user is tracked using knowledge on interaction between HTTP request and SQL query. However, this is a practical challenge because system's source code analysis and its application logic needs to be understood completely. In this study, we proposed a scheme to find the HTTP request associated with a given SQL query using only system log files. We first generated an HTTP request-SQL query map from system log files alone. Subsequently, the HTTP request associated with a given SQL query was identified among a set of HTTP requests using this map. Computer simulations indicated that the proposed scheme finds the HTTP request associated with a given SQL query with 94% accuracy.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.26 no.10
• /
• pp.1525-1530
• /
• 2022

BGP(Border Gateway Protocol) is a routing protocol that is actively used in inter-AS routing on the Internet. However, BGP routing protocol is vulnerable to BGP hijacking attacks that hijack the network by impersonating normal BGP sessions. BGP Hijacking attacks can lead to causing intercept IP traffic or interference with the normal service operation. Recently, BGP hijacking attacks, which have often occurred overseas, have also occurred in Korea. It means threatening the security of the Internet. In this paper, we analyze the overall process of attack through representative attack cases and virtual scenarios of BGP hijacking and based on the results of analyzing the application status of security technology to prevent BGP hijacking attacks by Korea and global major ISPs. It covers the technical proposal of ISPs and autonomous system operators should take to defend against BGP hijacking attacks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.1
• /
• pp.175-185
• /
• 2019

The security control is to protect IT system from cyber infringement by deriving valid result values in the process of gathering and analyzing various information. Currently, security control is very effective by using SIEM equipment which enables analysis of systematic and comprehensive viewpoint based on a lot of data, away from analyzing cyber threat information with only fragmentary information. However, It can also be said that cyber attacks are analyzed and coped with the manual work of security personnel. This means that even if there is excellent security equipment, the results will vary depending on the user using. In case of operating a characteristic web service including information provision, This study suggests the basic point of security control through characteristics information analysis, and proposes a model for intensive security control through the type discovery and application which enable a step-wise analysis and an effective filtering. Using this model would effectively detect, analyze and block attacks.

• Convergence Security Journal
• /
• v.23 no.5
• /
• pp.101-106
• /
• 2023

Recently, cyberattacks are increasing in social engineering attacks using intelligent and continuous phishing sites and hacking techniques using malicious code. As personal security becomes important, there is a need for a method and a solution for determining whether a malicious URL exists using a web application. In this paper, we would like to find out each feature and limitation by comparing highly accurate techniques for detecting malicious URLs. Compared to classification algorithm models using features such as web flat panel DB and based URL detection sites, we propose an efficient URL anomaly detection technique.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.12 no.12
• /
• pp.2171-2178
• /
• 2008

Recently, Network companies have introduced security solutions to protect the network from intrusions, attacks and viruses but the network has still weakness and vulnerability. It is time to bring more stable and reliable authentication system that would meet the Internet user's need. In this study, Current broadband networks don't have hierarchic and stable authentication solutions. And so, an integrated and hierarchic system is needed to provide a various kinds of application services. I'd like to present a new authentication system which is based on unified web authentication design. It will unit various authentication systems that have been deployed in various network environment and reinforce network security to provice a various kinds of application services in a stable and safe environment. that is a simple and more secure method for fighting a rise in card-not-present fraud.

• International Journal of Computer Science & Network Security
• /
• v.23 no.2
• /
• pp.199-202
• /
• 2023

Carriage return (CR) and line feed (LF), also known as CRLF injection is a type of vulnerability that allows a hacker to enter special characters into a web application, altering its operation or confusing the administrator. Log poisoning and HTTP response splitting are two prominent harmful uses of this technique. Additionally, CRLF injection can be used by an attacker to exploit other vulnerabilities, such as cross-site scripting (XSS). Email injection, also known as email header injection, is another way that can be used to modify the behavior of emails. The Open Web Application Security Project (OWASP) is an organization that studies vulnerabilities and ranks them based on their level of risk. According to OWASP, CRLF vulnerabilities are among the top 10 vulnerabilities and are a type of injection attack. Automated testing can help to quickly identify CRLF vulnerabilities, and is particularly useful for companies to test their applications before releasing them. However, CRLF vulnerabilities can also lead to the discovery of other high-risk vulnerabilities, and it fosters a better approach to mitigate CRLF vulnerabilities in the early stage and help secure applications against known vulnerabilities. Although there has been a significant amount of research on other types of injection attacks, such as Structure Query Language Injection (SQL Injection). There has been less research on CRLF vulnerabilities and how to detect them with automated testing. There is room for further research to be done on this subject matter in order to develop creative solutions to problems. It will also help to reduce false positive alerts by checking the header response of each request. Security automation is an important issue for companies trying to protect themselves against security threats. Automated alerts from security systems can provide a quicker and more accurate understanding of potential vulnerabilities and can help to reduce false positive alerts. Despite the extensive research on various types of vulnerabilities in web applications, CRLF vulnerabilities have only recently been included in the research. Utilizing automated testing as a recurring task can assist companies in receiving consistent updates about their systems and enhance their security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.885-895
• /
• 2017

Security issues arise due to various types of external intrusions as much as the rapidly changing IT environment. Attacks using vulnerabilities in web applications are increasing, and companies are trying to find the cause of the vulnerability, prevent external intrusion, and protect their systems and important information. Especially, according to the Supervision Regulation, each financial institution and electronic financial service provider shall perform vulnerability analysis evaluation for the website for disclosure once every six months and report the result to the Financial Services Commission. In this study, based on the Web vulnerability items defined in the Supervision Regulation, based on the inspection cases of actual financial institution, we analyze the most frequently occurring items and propose effective countermeasures against them and ways to prevent them from occurring in advance.