• Title/Summary/Keyword: Web scripting


A Scheme to Interpret a JSP Page Using a New Concept of Scopes in Web Environment

  • Chung, Yongju; Song, Dooheon. Journal of Korea Multimedia Society, v.7 no.6, pp.851-857, 2004.
  • Server-side scripting languages for web applications have a different environment from general programming languages. The reason is that some data in web applications should be transferred to a distinct file of a page or should be maintained for a physical time, that is, for session time. So JSP has four kinds of new scopes: page, request, session, and application. And every identifier in JSP is classified and processed as one of the four scopes. This seems unavoidable for a scripting language because of the web environment. So when a JSP page using these new scope concepts is interpreted, the procedure would be different from that of a general programming language's scopes. This thesis has studied the processing of the scopes which are considered in interpreting a script language code. This processing method of the scopes in this article can be applied not only to JSP interpreting but also to data processing of similar ranges on the web.

A Study on Trend and Application of Internet Scripting Language (인터넷 스크립팅 언어의 동향 및 응용에 관한 연구)

  • Lee, Jong-Seop; Choe, Yeong-Geun. The Transactions of the Korea Information Processing Society, v.6 no.11S, pp.3209-3218, 1999.
  • Currently in the Web (World Wide Web) environment, HTML (HyperText Markup Language) is used for information representation and exchange. But it is thought that HTML has some constraints in representing information of various kinds because of its limited tag set. And it is considered that combining HTML, which is used for static information representation in the Web environment, with a scripting language, which is usually used for multimedia information representation in a synchronized framework, can be very useful. Consequently, we show the general trend of scripting languages in the Web environment and show the possibility of HTML and scripting language amalgamation for Web service improvement.

A Study of Web Hacking Response Procedures Model based on Diagnosis Studies for Cross-Site Scripting (XSS)Process (Cross-Site Scripting(XSS) 프로세스 진단을 기반으로 한 웹 해킹 대응절차 모델 연구)

  • Noh, SiChoon. Convergence Security Journal, v.13 no.6, pp.83-89, 2013.
  • When applying web hacking techniques and methods, it is necessary to configure the integrated step-by-step procedure and run information security. Web hackings rely upon only one way to respond to any security holes that can cause a lot. In this study, the diagnostic process of cross-site scripting attacks and web hacking response procedures are designed. The response system is a framework for configuring and running step-by-step information security. The step response model is structured by the system design phase, measures, the operational step, and the steps in the method used. It is designed to secure the efficiency of the design phase of the system development life cycle, and combines this with secure coding. In the user's step, the security implementation tasks are organized in detail. The methodology can be applied to the practice field if necessary; as a comprehensive approach in the field, it can be used as a model methodology.

Security Measures by Diagnosing Vulnerabilities in Web Applications

  • Kim, Hee Wan. International Journal of Advanced Smart Convergence, v.10 no.4, pp.22-29, 2021.
  • For web application vulnerability diagnosis, from the development stage to the operation stage, it is possible to stably operate the web only when there is a policy that is commonly applied to each task through diagnosis of vulnerabilities, removal of vulnerabilities, and rapid recovery from web page damage. KISA presents 28 evaluation items for technical vulnerability analysis of major information and communication infrastructure. In this paper, we diagnose the vulnerabilities in the automobile goods shopping mall website and suggest security measures according to the vulnerabilities. As a result of diagnosing 28 items, major vulnerabilities were found in three items: cross-site scripting, cross-site request tampering, and insufficient session expiration. Cookie values were exposed on the bulletin board, and personal information was exposed in the parameter values related to passwords when personal information was edited. Also, since the session end time is not set, it was confirmed that session reuse is always possible. By suggesting security measures according to these vulnerabilities, the discovered security threats were eliminated, and it was possible to prevent breaches in web applications and secure the stability of web services.

Performance Evaluation of Web-based Cloud Services in a Browser-Scripting Approach

  • Zhang, Chengwei; Hei, Xiaojun; Cheng, Wenqing. KSII Transactions on Internet and Information Systems (TIIS), v.10 no.6, pp.2463-2482, 2016.
  • Cloud services are often provisioned to their customers using user-friendly web browsers with flexible and rich plug-in environments. Delay is one of the fundamental performance metrics of these web-based services. Commonly-used network measurement tools usually only measure network delay and it may be difficult to infer the web-delay performance using only network layer measurement approaches. In this paper, we propose to evaluate the application layer delay in a browser-based network measurement platform using engineered scripts. We conducted a delay measurement study using instrumented scripts in the proposed browser-based measurement platform. Our investigation included a comparison study of three browser-scripting delay measurement methods, including Java applet, JSP and Flash ActionScript. We developed a browser-based delay measurement testbed over the Internet so that different delay measurement tools could be evaluated in the same real network environment including typical Internet paths and the Baidu cloud. We also decomposed the components of the end-to-end delay process of the above measurements to reveal the difference and relationship between the network-layer delay and the application-layer delay. Our measurement results characterize the stochastic properties of the application-layer delay over real Internet paths, and how these properties vary from the underlying network layer delay. This browser-scripting measurement approach can be easily deployed on different cloud service platforms to inspect their application-layer delay performance between end clients and the cloud platforms. Our measurement results may provide insights into designing new cloud services with enhanced quality-of-experience perceived by cloud users.

Taint Inference for Cross-Site Scripting in Context of URL Rewriting and HTML Sanitization

  • Pan, Jinkun; Mao, Xiaoguang; Li, Weishi. ETRI Journal, v.38 no.2, pp.376-386, 2016.
  • Currently, web applications are gaining in prevalence. In a web application, an input may not be appropriately validated, making the web application susceptible to cross-site scripting (XSS), which poses serious security problems for Internet users and websites to whom such trusted web pages belong. A taint inference is a type of information flow analysis technique that is useful in detecting XSS on the client side. However, in existing techniques, two current practical issues have yet to be handled properly. One is URL rewriting, which transforms a standard URL into a clearer and more manageable form. Another is HTML sanitization, which filters an input against blacklists or whitelists of HTML tags or attributes. In this paper, we make an analogy between the taint inference problem and the molecule sequence alignment problem in bioinformatics, and transfer two techniques related to the latter over to the former to solve the aforementioned yet-to-be-handled-properly practical issues. In particular, in our method, URL rewriting is addressed using local sequence alignment and HTML sanitization is modeled by introducing a removal gap penalty. Empirical results demonstrate the effectiveness and efficiency of our method.

Vulnerability Analysis using the Web Vulnerability Scanner (Web Vulnerability Scanner를 이용한 취약성 분석)

  • Jang, Hee-Seon. Convergence Security Journal, v.12 no.4, pp.71-76, 2012.
  • As the use of Mashups, Web 3.0, JavaScript and AJAX (Asynchronous JavaScript and XML) widely increases, new security threats for web vulnerability also increase when web application services are provided. In order to diagnose vulnerabilities beforehand and prepare for the threats, in this paper, the classification of security threats and requirements is presented, and web vulnerability is analyzed for domestic web sites using the WVS (Web Vulnerability Scanner) automatic evaluation tool. From the results for vulnerabilities such as XSS (Cross Site Scripting) and SQL Injection, the total alerts are distributed from 0 to 31,177, with a mean of 411 and a standard deviation of 2,563. The results also show that 22.5% of the total web sites have web vulnerabilities, and that advance defenses against the security threats are required.

Development of a String Injection Vulnerability Analyzer for Web Application Programs (웹 응용 프로그램의 문자열 삽입 보안 취약성 분석기 개발)

  • Ahn, Joon-Seon; Kim, Yeong-Min; Jo, Jang-Wu. The KIPS Transactions: Part A, v.15A no.3, pp.181-188, 2008.
  • Nowadays, most web sites are developed using dynamic web pages, where web pages are generated and transmitted by web application programs. Therefore, the ratio of attacks injecting malevolent strings into vulnerable web applications is increasing. In this paper, we present a static program analyzer which analyzes whether a web application program has vulnerabilities to the SQL injection attack and the cross site scripting (XSS) attack. To analyze programs using the abstract interpretation framework, we designed an abstract domain which models a potential string set along with excluded strings, and developed an abstract interpreter for the PHP language. Also, based on them, we implemented a static analyzer. According to our experiments, our analyzer has competitive analysis speed and accuracy compared with related research results.

WebSHArk 1.0: A Benchmark Collection for Malicious Web Shell Detection

  • Kim, Jinsuk; Yoo, Dong-Hoon; Jang, Heejin; Jeong, Kimoon. Journal of Information Processing Systems, v.11 no.2, pp.229-238, 2015.
  • Web shells are programs that are written for a specific purpose in Web scripting languages, such as PHP, ASP, ASP.NET, JSP, PERL-CGI, etc. Web shells provide a means to communicate with the server's operating system via the interpreter of the web scripting languages. Hence, web shells can execute OS specific commands over HTTP. Usually, web attacks by malicious users are made by uploading one of these web shells to compromise the target web servers. Though there have been several approaches to detect such malicious web shells, no standard dataset has been built to compare various web shell detection techniques. In this paper, we present a collection of web shell files, WebSHArk 1.0, as a standard dataset for current and future studies in malicious web shell detection. To provide baseline results for future studies and for the improvement of current tools, we also present some benchmark results by scanning the WebSHArk dataset directory with three web shell scanning tools that are publicly available on the Internet. The WebSHArk 1.0 dataset is only available upon request via email to one of the authors, due to security and legal issues.

Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis

  • Talib, Nurul Atiqah Abu; Doh, Kyung-Goo. Journal of Software Assessment and Valuation, v.17 no.2, pp.125-142, 2021.
  • Reports of rampant cross-site scripting (XSS) vulnerabilities raise growing concerns on the effectiveness of current Static Analysis Security Testing (SAST) tools as an internet security device. Attentive to these concerns, this study aims to examine seven open-source SAST tools in order to account for their capabilities in detecting XSS vulnerabilities in PHP applications and to determine their performance in terms of effectiveness and analysis runtime. The representative tools - categorized as either text-based or graph-based analysis tools - were all test-run using real-world PHP applications with known XSS vulnerabilities. The collected vulnerability detection reports of each tool were analyzed with the aid of PhpStorm's data flow analyzer. It is observed that the detection rates of the tools calculated from the total vulnerabilities in the applications can be as high as 0.968 and as low as 0.006. Furthermore, the tools took an average of less than a minute to complete an analysis. Notably, their runtime is independent of their analysis type.