• The KIPS Transactions:PartA
• /
• v.15A no.3
• /
• pp.181-188
• /
• 2008

Nowadays, most web sites are developed using dynamic web pages where web pages are generated and transmitted by web application programs. Therefore, the ratio of attacks injecting malevolent strings to vulnerable web applications is increasing. In this paper, we present a static program analyzer which analyzes whether a web application program has vulnerabilities to the SQL injection attack and the cross site scripting(XSS) attack. To analyze programs using abstract interpretation framework, we designed an abstract domain which models potential string set along with excluded strings and developed an abstract interpreter for the PHP language. Also, based on them, we implemented a static analyzer. According to our experiments, our analyzer has competitive analysis speed and accuracy compared with related research results.

• Convergence Security Journal
• /
• v.13 no.2
• /
• pp.95-100
• /
• 2013

As the near field communication technology's application scope tends to expand gradually in the various fields, application of mobile-based NFC(Near Field Communication) is increasing in the various types of technologies. The method which reads the URL address and supports access to the web site of the address if you touch the NFC device in the tag(RFID) that the URL address is stored was applied to the unmanned security system. It proposed the effective plan to manage mobilization security business in the aspects of Integrity, Damage, Real-Time, and Speed through comparison and verification of the method with the existing unmanned security system.

• Journal of the Korea Society of Computer and Information
• /
• v.15 no.12
• /
• pp.217-225
• /
• 2010

Among web-based systems being widely used now, there are so many systems which are still using an user-level access control method. By successfully applying role-based access control(RBAC) to web-based application systems, we can expect to have an effective means with reinforced security for Internet-based systems. In order to apply RBAC to web-based application systems, we should come up with a system architecture for it. I proposed a system architecture which is needed to apply RBAC to web-based application systems. The proposed system architecture is largely composed of system composition and system functioning. For details, firstly, a certificate used by RBAC is specified. Secondly, a system architecture using a user-pull method is proposed and overall system components are mentioned with a role server being centered. Then, I showed how the system architecture can work to carry out RBAC on web-based application systems. Lastly, the analyses on the proposed system architecture are described for the purpose of proving its feasibility.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.885-895
• /
• 2017

Security issues arise due to various types of external intrusions as much as the rapidly changing IT environment. Attacks using vulnerabilities in web applications are increasing, and companies are trying to find the cause of the vulnerability, prevent external intrusion, and protect their systems and important information. Especially, according to the Supervision Regulation, each financial institution and electronic financial service provider shall perform vulnerability analysis evaluation for the website for disclosure once every six months and report the result to the Financial Services Commission. In this study, based on the Web vulnerability items defined in the Supervision Regulation, based on the inspection cases of actual financial institution, we analyze the most frequently occurring items and propose effective countermeasures against them and ways to prevent them from occurring in advance.

• Journal of Sasang Constitutional Medicine
• /
• v.29 no.3
• /
• pp.224-231
• /
• 2017

Objectives Several researches have been done to develop instruments or questionnaire for diagnosis of sasang constitution. In this study, we developed a user-friendly web system to enhance the utilization of KS-15. Methods The KS-15 Web application was constructed by considering the responsive web design and easy survey answer. This system is designed only to authorized users for security purposes, and provides two modes, simple mode and expert mode, depending on the purpose of using the system. A simple mode do not keep user information and survey answer in the database. An expert mode support management of patients, diagnosis of sasang constitution and statistical functions. Results & Conclusions The developed KS-15 system can be operated from any smart device's web browser. In order to use information in clinic field, it was developed so that it can be accessed only by authorized users. It can be divided into an account which can use only simple mode and an account which can use expert mode by using a difference in access authority. These functions can enhance the applicability of sasang constitution in real life such as clinical or education.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.23 no.9
• /
• pp.1160-1172
• /
• 2019

Federated authentication is a user authentication and authorization infrastructure that spans multiple security domains. Many overseas Web applications have been adopting SAML-based federated authentication. However, in Korea, it is difficult to apply the authentication because of the high market share of a specific Web (application) server, which is hard to use open-source SAML software and the high adoption of Java-based standard framework which is not easy to integrate with SAML library. This paper proposes the SAML4J, which is developed in order to have Web applications easily and safely integrated with the Java-based framework. SAML4J has a developer-friendly advantage of using a session storage independent of the framework and processing Web SSO flows through simple API. We evaluate the functionality, performance, and security of the SAML4J to demonstrate the high feasibility of it.

• Proceedings of the Korea Contents Association Conference
• /
• 2003.11a
• /
• pp.161-166
• /
• 2003

In this paper, we propose a novel method of design and implementation for the multimedia monitoring system using Web Camera. Recently WebCam is variously applied to many different areas and implemented as an improved performance using convenient functions of Web in this Internet era. Multimedia moving pictures has been popularly used in a variety of ways in different areas of monitoring systems in order to enhance the performance and the service with their data compression capability and the speed of the communication network these days. The design method of WebCam system presented in this paper might offer not only a convenient function of the monitoring system but great application capabilities. It can be used for a real time application of the multimedia picture and audio transmission so that the monitoring system can manage the security information in the sense for the reality. Tn addition, the monitoring system may be used as an inreal-time application using data storage and retrieval features of the Web. We offer both functions of monitoring in this structured form of implemented system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.2
• /
• pp.263-277
• /
• 2021

Taint analysis techniques are popularly used to detect web vulnerabilities originating from unverified user input data, such as Cross-Site Scripting (XSS) and SQL Injection, in web applications written in JavaScript. To detect such vulnerabilities, it would be necessary to trace variables affected by user-submitted inputs. However, because of the dynamic nature of JavaScript, it has been a challenging issue to identify those variables without running the web application code. Therefore, most existing taint analysis tools have been developed based on dynamic taint analysis, which requires the overhead of running the target application. In this paper, we propose a novel static taint analysis technique using symbol information obtained from the TypeScript (a superset of JavaScript) compiler to accurately track data flow and detect security vulnerabilities in TypeScript code. Our proposed technique allows developers to annotate variables that can contain unverified user input data, and uses the annotation information to trace variables and data affected by user input data. Since our proposed technique can seamlessly be incorporated into the TypeScript compiler, developers can find vulnerabilities during the development process, unlike existing analysis tools performed as a separate tool. To show the feasibility of the proposed method, we implemented a prototype and evaluated its performance with 8 web applications with known security vulnerabilities. We found that our prototype implementation could detect all known security vulnerabilities correctly.

• Journal of Internet Computing and Services
• /
• v.7 no.6
• /
• pp.157-174
• /
• 2006

Ajax interaction model changes the posture of web application to become a stateful over HTTP. Ajax applications are long-lived inthe browser. XMLHTTPRequest (XHR) is used to facilitate the data exchange. Using HTTPS over this interaction is not viable because of the frequency of data exchange. Moreover, switching of protocols form HTTP to HTTPS for sensitive information is prohibited because of server-of-origin policy. The longevity, constraint, and asynchronous features of Ajax application need to hove a different authentication and session fondling mechanism that invoke re-authentication. This paper presents an authentication and session management scheme using Ajax. The scheme is design lo invoke periodic and event based re-authentication in the background using digest authentication with auto-generated password similar to OTP (One Time Password). The authentication and session management are wrapped into a framework called AWASec (Ajax Web Application Security) for coupling to avoid broken authentication and session management.

• Journal of Information Technology Services
• /
• v.13 no.1
• /
• pp.209-220
• /
• 2014

Most of monitoring systems in logistics industry have limitations on monitoring container information in real-time. And customers only could check information gathered from certain points through web browser. That is why it is very hard to take actions in advance when emergency situation has happened. But if customers could check information such as position and status of freight in real-time through their mobile devices, they could take prompt actions. So, in this study, mobile application based on mobile devices is developed to monitor position and status information of the container in real-time. Entire devices monitoring container in aspect of logistics security are handled by workers in the field. So it is strongly required to develop monitoring system operated in mobile devices. For that reason this study aims to develop mobile application in order to monitor information related to container security and safety in real-time.