• Title/Summary/Keyword: Web Application Testing


Evaluating the web-application resiliency to business-layer DoS attacks

  • Alidoosti, Mitra;Nowroozi, Alireza;Nickabadi, Ahmad
    • ETRI Journal / v.42 no.3 / pp.433-445 / 2020
  • A denial-of-service (DoS) attack is a serious attack that targets web applications. According to Imperva, DoS attacks in the application layer comprise 60% of all the DoS attacks. Nowadays, attacks have grown into application- and business-layer attacks, and vulnerability-analysis tools are unable to detect business-layer vulnerabilities (logic-related vulnerabilities). This paper presents the business-layer dynamic application security tester (BLDAST) as a dynamic, black-box vulnerability-analysis approach to identify the business-logic vulnerabilities of a web application against DoS attacks. BLDAST evaluates the resiliency of web applications by detecting vulnerable business processes. The evaluation of six widely used web applications shows that BLDAST can detect the vulnerabilities with 100% accuracy. BLDAST detected 30 vulnerabilities in the selected web applications; more than half of the detected vulnerabilities were new and unknown. Furthermore, the precision of BLDAST for detecting the business processes is shown to be 94%, while the generated user navigation graph is improved by 62.8% because of the detection of similar web pages.

A Technique for the Use of Web Service in CASE Tool for the Component based Application Development (컴포넌트 기반 애플리케이션 개발 CASE 도구에서의 웹 서비스 활용 방안)

  • Kim Younghee;Kim Juil;Lee Woojin;Chong Kiwon
    • Proceedings of the Korea Information Processing Society Conference / 2004.11a / pp.409-412 / 2004
  • A technique and process for acquiring components by searching for and testing reusable components using Web Services in CASE tools for component-based application development are proposed. A technique and process for publishing components using Web Services, so that developed components can be reused, are also proposed. Using this technique and process, a repository does not need to be constructed, and the reusability of components rises because components are easily and efficiently searched for using Web Services. Furthermore, it is easy to develop applications through the plug-and-play of components acquired using Web Services, and application errors caused by reused components are minimized because appropriate components are acquired after pretesting reusable components in the analysis and architecture phases.


Assessment of Dynamic Open-source Cross-site Scripting Filters for Web Application

  • Talib, Nurul Atiqah Abu;Doh, Kyung-Goo
    • KSII Transactions on Internet and Information Systems (TIIS) / v.15 no.10 / pp.3750-3770 / 2021
  • This study investigates open-source dynamic XSS filters used as security devices in web applications to account for the effectiveness of filters in protecting against XSS attacks. The experiment involves twelve representative filters, which are examined individually by placing them into the final output function of a custom-built single-input-form web application. To assess the effectiveness of the filters in their tasks of sanitizing XSS payloads and in preserving benign payloads, a black-box testing method is applied using an automated XSS testing framework. The results of working with malicious and benign payloads show an important trade-off in the filters' tasks. Because the filters only check for dangerous or safe elements, they seem to neglect to validate their values. As some safe values are mistreated as dangerous elements, their benign payload function is lost along the way. For the filters to be more effective, it is suggested that they should be able to validate the respective values of malicious and benign payloads, thus minimizing the trade-off. This particular assessment of XSS filters provides important insight regarding the filters that can be used to mitigate threats, including the possible configurations to improve them in handling both malicious and benign payloads.
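The trade-off the abstract describes (a filter that judges only by element name loses benign markup, while one that also validates attribute values can keep it) can be reproduced with a small black-box harness. The following is an added illustration written for this page; it is not the paper's code and the two filters and payload sets are constructed for the example, not the twelve filters the study tested.

```python
"""Black-box comparison of two output filters against malicious and benign
payloads, showing the element-vs-value trade-off. Added example, not the
paper's code; both filters and all payloads here are constructed."""
import re
from html import escape
from html.parser import HTMLParser

# Constructed payloads used as the black-box test corpus.
MALICIOUS = [
    "<script>alert(1)</script>",
    '<a href="javascript:alert(1)">click</a>',
    "<img src=x onerror=alert(1)>",
    '<b onmouseover="alert(1)">hover</b>',
]
BENIGN = [
    '<a href="https://example.com/docs">docs</a>',
    "<b>bold</b> and <i>italic</i>",
    '<img src="/static/logo.png" alt="logo">',
]


def element_only_filter(html: str) -> str:
    """Filter 1: judges by element name only. It removes <script> and, since it
    cannot tell a safe link from a javascript: one, drops every <a> and <img>.
    It never looks at attribute values, so the onmouseover on <b> survives."""
    html = re.sub(r"(?is)<script\b.*?</script>", "", html)
    html = re.sub(r"(?is)</?(a|img)\b[^>]*>", "", html)
    return html


class _ValueValidatingFilter(HTMLParser):
    """Filter 2: allowlist of elements and attributes plus validation of the
    attribute *values* (URL scheme), so benign links and images survive while
    javascript: URLs and on* handlers are dropped."""
    ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(),
               "img": {"src", "alt"}, "p": set()}
    URL_ATTRS = {"href", "src"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    @staticmethod
    def _url_ok(value: str) -> bool:
        # Accept http(s) and root-relative URLs only; rejects javascript:, data:, etc.
        return value.strip().lower().startswith(("http://", "https://", "/"))

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            return  # unknown element is dropped entirely, its text is kept
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue
            if name in self.URL_ATTRS and not self._url_ok(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../> must not emit </img>

    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def value_validating_filter(html: str) -> str:
    p = _ValueValidatingFilter()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Oracle for "still dangerous after filtering" (constructed, deliberately simple).
DANGEROUS = re.compile(r"(?i)<script|javascript:|\bon[a-z]+\s*=")


def evaluate(filt) -> dict:
    """Fraction of malicious payloads neutralised and of benign payloads
    returned unchanged: the two tasks the study measures."""
    sanitized = sum(1 for p in MALICIOUS if not DANGEROUS.search(filt(p)))
    preserved = sum(1 for p in BENIGN if filt(p) == p)
    return {"sanitized": sanitized / len(MALICIOUS),
            "preserved": preserved / len(BENIGN)}
```

Running `evaluate` on both filters shows the pattern the abstract reports: the element-only filter sanitizes three of four attacks and keeps one of three benign inputs, while the value-validating allowlist sanitizes all four and keeps all three. The real filters in the study are more elaborate than these two, but the measurement is the same: score each filter on both corpora, not just the malicious one.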

Analyses of Security Scanning and Security Threat in Web Application Network (웹에서의 보안 위협과 시큐리티 스캐닝에 대한 분석)

  • Kim, Jung-Tae
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2010.10a / pp.603-604 / 2010
  • In this paper, we analyze a testing methodology that allows for harmless auditing, define three testing modes (heavy, relaxed, and safe), and report our results from two experiments. In the first, we compared the coverage and side effects of the three scanning modes using Web applications chosen from those found vulnerable in a previous static verification effort.


Minimize Web Applications Vulnerabilities through the Early Detection of CRLF Injection

  • Md. Mijanur Rahman;Md. Asibul Hasan
    • International Journal of Computer Science & Network Security / v.23 no.2 / pp.199-202 / 2023
  • Carriage return (CR) and line feed (LF) injection, also known as CRLF injection, is a type of vulnerability that allows an attacker to enter special characters into a web application, altering its operation or confusing the administrator. Log poisoning and HTTP response splitting are two prominent harmful uses of this technique. Additionally, CRLF injection can be used by an attacker to exploit other vulnerabilities, such as cross-site scripting (XSS). Email injection, also known as email header injection, is another way that it can be used to modify the behavior of emails. The Open Web Application Security Project (OWASP) is an organization that studies vulnerabilities and ranks them based on their level of risk. According to OWASP, CRLF vulnerabilities are among the top 10 vulnerabilities and are a type of injection attack. Automated testing can help to quickly identify CRLF vulnerabilities, and is particularly useful for companies to test their applications before releasing them. However, CRLF vulnerabilities can also lead to the discovery of other high-risk vulnerabilities, and this fosters a better approach to mitigating CRLF vulnerabilities at an early stage and helps secure applications against known vulnerabilities. Although there has been a significant amount of research on other types of injection attacks, such as Structured Query Language Injection (SQL Injection), there has been less research on CRLF vulnerabilities and how to detect them with automated testing. There is room for further research on this subject in order to develop creative solutions to these problems. It will also help to reduce false positive alerts by checking the header response of each request. Security automation is an important issue for companies trying to protect themselves against security threats. Automated alerts from security systems can provide a quicker and more accurate understanding of potential vulnerabilities and can help to reduce false positive alerts.
Despite the extensive research on various types of vulnerabilities in web applications, CRLF vulnerabilities have only recently been included in the research. Utilizing automated testing as a recurring task can assist companies in receiving consistent updates about their systems and enhance their security.
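The header-injection and response-splitting mechanics, and the "check the header response of each request" detection step the abstract mentions, are easy to show on a redirect handler. The example below is added for this page and is not the paper's tool; the handler functions, the probe header name and the payloads are all hypothetical, constructed to make the vulnerable and hardened behaviours observable offline.

```python
"""CRLF injection in a redirect handler: vulnerable and hardened header
construction, plus the response-header check an automated test would run.
Added example, not code from the paper; every name here is hypothetical."""
from typing import Callable

CRLF = "\r\n"


def build_redirect_vulnerable(next_url: str) -> str:
    """Vulnerable: a user-controlled value is copied into a header verbatim,
    so CR/LF in it ends the Location header and starts new header lines
    (or, with a second CRLF, a whole second response)."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + next_url + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def build_redirect_hardened(next_url: str) -> str:
    """Hardened: refuse CR and LF (bare or paired) in any value that is
    about to become part of a header line. Refusing is safer than stripping,
    because stripping can silently turn one attacker string into another."""
    if "\r" in next_url or "\n" in next_url:
        raise ValueError("CR/LF not allowed in header value")
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + next_url + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def header_names(raw_response: str) -> list:
    """Header names of the first response in a raw HTTP string, in order."""
    head, _, _ = raw_response.partition(CRLF + CRLF)
    lines = head.split(CRLF)[1:]  # drop the status line
    return [line.split(":", 1)[0].strip().lower() for line in lines if ":" in line]


def status_lines(raw_response: str) -> list:
    """Every line that looks like an HTTP status line. More than one means
    the handler emitted a split response (HTTP response splitting)."""
    return [ln for ln in raw_response.split(CRLF) if ln.startswith("HTTP/1.")]


def probe_crlf(builder: Callable[[str], str], marker: str = "x-crlf-probe") -> dict:
    """Send a URL-decoded CRLF payload (what %0d%0a becomes) carrying a marker
    header through the handler, then inspect the response headers for the
    marker. A handler that rejects the value is reported separately from one
    that neutralises it, so a scanner can tell the two apart."""
    payload = "/home" + CRLF + marker + ": injected"
    try:
        response = builder(payload)
    except ValueError as exc:
        return {"rejected": True, "injected": False, "reason": str(exc)}
    names = header_names(response)
    return {"rejected": False, "injected": marker in names, "headers": names}


if __name__ == "__main__":
    print(probe_crlf(build_redirect_vulnerable))
    print(probe_crlf(build_redirect_hardened))
    split = "/home" + CRLF + "Content-Length: 0" + CRLF + CRLF + "HTTP/1.1 200 OK" + CRLF
    print(len(status_lines(build_redirect_vulnerable(split))), "status lines")
```

`probe_crlf` reports the vulnerable handler as `injected: True` because the marker comes back as a real header, and the hardened handler as `rejected: True`. Checking the parsed header list, rather than searching the raw bytes for the payload, is what keeps the false-positive rate down: a value that is merely echoed inside a body, or percent-encoded in the Location value, does not produce a new header and is not reported.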

A Web Based System for Usability Project Planning and Testing (사용성 평가 계획 및 수행을 위한 웹 기반 시스템)

  • Park, Danbee;Hong, Ki-Hyung
    • KIISE Transactions on Computing Practices / v.21 no.4 / pp.308-314 / 2015
  • Usability has become an important consideration for product development, and as a result, there is a growing need for systems and tools that can support usability test projects. However, few studies so far have developed such systems and tools. During a usability test project, many participants take up different roles, such as project managers, usability testers, and subjects. We implement a web-based usability test system with which a project manager can manage and control all participants and documents throughout the entire usability test process, from the design of a usability test project to the analysis of the test results. A usability test generates many documents, such as subject agreement forms and before/after questionnaires. Since many different subjects can participate in a usability test, consistency during testing with different participants and efficient document management are the keys to success for a usability test. Since all users that participate in usability test projects can access web-based usability test systems through a web browser, regardless of the place where they are, the reliability of the testing results can improve since the tests are conducted in the locations where the target products are meant to be used. In particular, our system is useful for disabled individuals who cannot move.

A Study on Sharing Web Application between Battlefield Management System based on PKI Authentication (PKI 인증기반 전장관리체계 웹 연동에 관한 연구)

  • Kim, Young-Sung;Lee, Yun-Ho;Lee, Soo-Jin
    • Journal of the Military Operations Research Society of Korea / v.36 no.1 / pp.123-140 / 2010
  • Interworking web applications to share resources between Battlefield Management Systems (BMS) is a critical issue for achieving information superiority. However, the authentication systems of different BMSs differ from each other because each was built under an independent plan. This problem causes inefficiencies such as information insufficiency, owing to web applications not being shared, and the need for additional laptops. To solve the problem, in this paper we propose an improved certificate acquisition and verification algorithm for users of different BMSs. By testing the proposed algorithm applied in the real field, we verify the performance of the proposed method.

A Testing Method for Web-Based Banking Applications Using Formal Specification (정형 명세를 이용한 웹 기반 은행 어플리케이션의 테스트 기법)

  • Ahn, Young-Hee;Choi, Eun-Man
    • The KIPS Transactions: Part D / v.11D no.4 / pp.855-864 / 2004
  • Programmers can obtain the test-related information needed for implementation, without being hindered by source code complexity, by using a formal specification. In particular, the external inputs and system responses can be represented precisely by a formal specification in the testing phase of web-based software systems. This paper suggests a method of extracting test cases from a formal specification. An Object-Z formal specification represents various test-related information for complex functions of web-based applications. State transition models can be built from the formal specification, so that test scenarios are extracted from the STDs from the highest level down to the detailed levels. The target system for verification of this method is a web-based banking system, which needs to be secure and for which errors are critical. This method could be an important factor in automating the test procedure for web-based application software systems when combined with user-based test techniques.

Testing Application of Web Processing Service (WPS) Standard to Satellite Image Processing (웹 처리 서비스(WPS) 표준의 위성영상 정보처리 시험 적용)

  • Yoon, Gooseon;Lee, Kiwon
    • Korean Journal of Remote Sensing / v.31 no.3 / pp.245-253 / 2015
  • With the wide civilian utilization of multi-sensor satellite information, practical needs for fusion processing and interoperable operation with multiple remote sensing imageries on distributed remote servers are increasing. For this task, OGC standards with respect to satellite images and their derived products are crucial factors. This study presents the applicability of WPS through a test implementation of an image processing algorithm. Open-source software such as GeoServer and OTB was used, linked to the WPS application, for the implementation. WPS can be used on its own as a web service supporting geoprocessing algorithms, but technical consideration of how it combines with other important standard protocols, including WMS, WFS, WCS, or WMTS, is necessary to build a full-featured geo-web for remote sensing imagery. It is expected that applying these international standards for geospatial information is an important approach to producing value-added results through interoperable processing between organizations, or to information dissemination containing practical satellite image processing functionalities.