• Title/Summary/Keyword: Web vulnerability

Search Result 150, Processing Time 0.02 seconds

Event and Command based Fuzzing Method for Verification of Web Browser Vulnerabilities (웹 브라우저 취약성 검증을 위한 이벤트 및 커맨드 기반 퍼징 방법)

  • Park, Seongbin;Kim, Minsoo;Noh, Bong-Nam
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.3
    • /
    • pp.535-545
    • /
    • 2014
  • As the software industry has developed, the attacks making use of software vulnerability has become a big issue in society. In particular, because the attacks using the vulnerability of web browsers bypass Windows protection mechanism, web browsers can readily be attacked. To protect web browsers against security threat, research on fuzzing has constantly been conducted. However, most existing web browser fuzzing tools use a simple fuzzing technique which randomly mutates DOM tree. Therefore, this paper analyzed existing web browser fuzzing tools and the patterns of their already-known vulnerability to propose an event and command based fuzzing tool which can detect the latest web browser vulnerability more effectively. Three kinds of existing fuzzing tools were compared with the proposed tool. As a result, it was found that the event and command based fuzzing tool proposed was more effective.

Structural Dashboard Design for Monitoring Job Performance of Internet Web Security Diagnosis Team: An Empirical Study of an IT Security Service Provider

  • Lee, Jung-Gyu;Jeong, Seung-Ryul
    • Journal of Internet Computing and Services
    • /
    • v.18 no.5
    • /
    • pp.113-121
    • /
    • 2017
  • Company A's core competency is IT internet security services. The Web diagnosis team analyzes the vulnerability of customer's internet web servers and provides remedy reports. Traditionally, Company A management has utilized a simple table format report for resource planning. But these reports do not notify the timing of human resource commitment. So, upper management asked its team leader to organize a task team and design a visual dashboard for decision making with the help of outside professional. The Task team selected the web security diagnosis practice process as a pilot and designed a dashboard for performance evaluation. A structural design process was implemented during the heuristic working process. Some KPI (key performance indicators) for checking the productivity of internet web security vulnerability reporting are recommended with the calculation logics. This paper will contribute for security service management to plan and address KPI design policy, target process selection, and KPI calculation logics with actual sample data.

A Study on Real-Time Web-Server Intrusion Detection using Web-Server Agent (웹 서버 전용 에이전트를 이용한 실시간 웹 서버 침입탐지에 관한 연구)

  • 진홍태;박종서
    • Convergence Security Journal
    • /
    • v.4 no.2
    • /
    • pp.17-25
    • /
    • 2004
  • As Internet and Internet users are rapidly increasing and getting popularized in the world the existing firewall has limitations to detect attacks which exploit vulnerability of web server. And these attacks are increasing. Most of all, intrusions using web application's programming error are occupying for the most part. In this paper, we introduced real-time web-server agent which analyze web-server based log and detect web-based attacks after the analysis of the web-application's vulnerability. We propose the method using real-time agent which remove Process ID(pid) and block out attacker's If if it detects the intrusion through the decision stage after judging attack types and patterns.

  • PDF

Improvement Mechanism for Automatic Web Vulnerability Diagnosis (웹취약점 자동진단 개선방안)

  • Kim, Tae-Seop;Jo, In-June
    • The Journal of the Korea Contents Association
    • /
    • v.22 no.2
    • /
    • pp.125-134
    • /
    • 2022
  • Due to the development of smartphone technology, as of 2020, 91.9% of people use the Internet[1] to frequently acquire information through websites and mobile apps. As the number of homepages in charge of providing information is increasing every year, the number of applications for web vulnerability diagnosis, which diagnoses the safety of homepages, is also increasing. In the existing web vulnerability check, the number of diagnostic personnel should increase in proportion to the number of homepages that need diagnosis because the diagnosticians manually test the homepages for vulnerabilities. In reality, however, there is a limit to securing a web vulnerability diagnosis manpower, and if the number of diagnosis manpower is increased, a lot of costs are incurred. To solve these problems, an automatic diagnosis tool is used to replace a part of the manual diagnosis. This paper explores a new method to expand the current automatic diagnosis range. In other words, automatic diagnosis possible items were derived by analyzing the impact of web vulnerability diagnosis items. Furthermore, automatic diagnosis identified possible items through comparative analysis of diagnosis results by performing manual and automatic diagnosis on the website in operation. In addition, it is possible to replace manual diagnosis for possible items, but not all vulnerability items, through the improvement of automatic diagnosis tools. This paper will explore some suggestions that can help improve plans to support and implement automatic diagnosis. Through this, it will be possible to contribute to the creation of a safe website operating environment by focusing on the parts that require precise diagnosis.

Cost-Effective, Real-Time Web Application Software Security Vulnerability Test Based on Risk Management (위험관리 기반의 비용 효율적인 실시간 웹 애플리케이션 소프트웨어 보안취약점 테스팅)

  • Kumi, Sandra;Lim, ChaeHo;Lee, SangGon
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.30 no.1
    • /
    • pp.59-74
    • /
    • 2020
  • The web space where web applications run is the cyber information warfare of attackers and defenders due to the open HTML. In the cyber attack space, about 84% of worldwide attacks exploit vulnerabilities in web applications and software. It is very difficult to detect web vulnerability attacks with security products such as web firewalls, and high labor costs are required for security verification and assurance of web applications. Therefore, rapid vulnerability detection and response in web space by automated software is a key and effective cyber attack defense strategy. In this paper, we establish a security risk management model by intensively analyzing security threats against web applications and software, and propose a method to effectively diagnose web and application vulnerabilities. The testing results on the commercial service are analyzed to prove that our approach is more effective than the other existing methods.

A Web application vulnerability scoring framework by categorizing vulnerabilities according to privilege acquisition (취약점의 권한 획득 정도에 따른 웹 애플리케이션 취약성 수치화 프레임워크)

  • Cho, Sung-Young;Yoo, Su-Yeon;Jeon, Sang-Hun;Lim, Chae-Ho;Kim, Se-Hun
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.3
    • /
    • pp.601-613
    • /
    • 2012
  • It is required to design and implement secure web applications to provide safe web services. For this reason, there are several scoring frameworks to measure vulnerabilities in web applications. However, these frameworks do not classify according to seriousness of vulnerability because these frameworks simply accumulate score of individual factors in a vulnerability. We rate and score vulnerabilities according to probability of privilege acquisition so that we can prioritize vulnerabilities found in web applications. Also, our proposed framework provides a method to score all web applications provided by an organization so that which web applications is the worst secure and should be treated first. Our scoring framework is applied to the data which lists vulnerabilities in web applications found by a web scanner based on crawling, and we show the importance of categorizing vulnerabilities according to privilege acquisition.

The Plan and Tools for Vulnerability Testing in Information Software-Based System

  • Kim, In-Jung;Lee, Young-Gyo;Won, Dong-Ho
    • Journal of Information Processing Systems
    • /
    • v.1 no.1 s.1
    • /
    • pp.75-78
    • /
    • 2005
  • Although many tests for stabilization of the software have been done, vulnerability test for a system run by combination of the software of various products has not been conducted enough. This has led to increased threats and vulnerability of system. Especially, web-based software system, which is public, has inherent possibility of exposure to attacks and is likely to be seriously damaged by an accident. Consequently, comprehensive and systematic test plans and techniques are required. Moreover, it is necessary to establish a procedure for managing and handling the results of vulnerability test. This paper proposes vulnerability test plans and designs for implementing automated tools, both of which can be complied with on web-based software systems.

Evaluating the web-application resiliency to business-layer DoS attacks

  • Alidoosti, Mitra;Nowroozi, Alireza;Nickabadi, Ahmad
    • ETRI Journal
    • /
    • v.42 no.3
    • /
    • pp.433-445
    • /
    • 2020
  • A denial-of-service (DoS) attack is a serious attack that targets web applications. According to Imperva, DoS attacks in the application layer comprise 60% of all the DoS attacks. Nowadays, attacks have grown into application- and business-layer attacks, and vulnerability-analysis tools are unable to detect business-layer vulnerabilities (logic-related vulnerabilities). This paper presents the business-layer dynamic application security tester (BLDAST) as a dynamic, black-box vulnerability-analysis approach to identify the business-logic vulnerabilities of a web application against DoS attacks. BLDAST evaluates the resiliency of web applications by detecting vulnerable business processes. The evaluation of six widely used web applications shows that BLDAST can detect the vulnerabilities with 100% accuracy. BLDAST detected 30 vulnerabilities in the selected web applications; more than half of the detected vulnerabilities were new and unknown. Furthermore, the precision of BLDAST for detecting the business processes is shown to be 94%, while the generated user navigation graph is improved by 62.8% because of the detection of similar web pages.

A Study on ICS/SCADA System Web Vulnerability (제어시스템의 웹 취약점에 대한 현황과 연구)

  • Kim, Hee-Hyun;Yoo, Jinho
    • The Journal of Society for e-Business Studies
    • /
    • v.24 no.2
    • /
    • pp.15-27
    • /
    • 2019
  • In the past, the control system was a closed network that was not connected to the external network. However, in recent years, many cases have been opened to the outside for the convenience of management. Are connected to the Internet, and the number of operating control systems is increasing. As a result, it is obvious that hackers are able to make various attack attempts targeting the control system due to external open, and they are exposed to various security threats and are targeted for attack. Industrial control systems that are open to the outside have most of the remote management ports for web services or remote management, and the expansion of web services through web programs inherits the common web vulnerability as the control system is no exception. In this study, we classify and compare existing web vulnerability items in order to derive the most commonly tried web hacking attacks against control system from the attacker's point of view. I tried to confirm.

Effective Countermeasures against Vulnerability Assessment for the Public Website of Financial Institution (금융기관 공개용 홈페이지 취약점 분석평가에 대한 효율적인 대처방안)

  • Park, Hyun-jin;Kim, In-seok
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.4
    • /
    • pp.885-895
    • /
    • 2017
  • Security issues arise due to various types of external intrusions as much as the rapidly changing IT environment. Attacks using vulnerabilities in web applications are increasing, and companies are trying to find the cause of the vulnerability, prevent external intrusion, and protect their systems and important information. Especially, according to the Supervision Regulation, each financial institution and electronic financial service provider shall perform vulnerability analysis evaluation for the website for disclosure once every six months and report the result to the Financial Services Commission. In this study, based on the Web vulnerability items defined in the Supervision Regulation, based on the inspection cases of actual financial institution, we analyze the most frequently occurring items and propose effective countermeasures against them and ways to prevent them from occurring in advance.