• 제목/요약/키워드: Web vulnerability

검색결과 150건 처리시간 0.025초

Vulnerability of Directory List and Countermeasures (디렉토리 리스팅 취약점 및 대응책)

  • Hong, Sunghyuck
    • Journal of Digital Convergence
    • /
    • 제12권10호
    • /
    • pp.259-264
    • /
    • 2014
  • The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site. The directory list have some serious vulnerability to show internal files and directory to outsider attackers. Therefore, the proposed countermeasure of directory list is presented to prevent unnecessary valuable information from outsider attackers.

Deduplication and Exploitability Determination of UAF Vulnerability Samples by Fast Clustering

  • Peng, Jianshan;Zhang, Mi;Wang, Qingxian
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • 제10권10호
    • /
    • pp.4933-4956
    • /
    • 2016
  • Use-After-Free (UAF) is a common lethal form of software vulnerability. By using tools such as Web Browser Fuzzing, a large amount of samples containing UAF vulnerabilities can be generated. To evaluate the threat level of vulnerability or to patch the vulnerabilities, automatic deduplication and exploitability determination should be carried out for these samples. There are some problems existing in current methods, including inadequate pertinence, lack of depth and precision of analysis, high time cost, and low accuracy. In this paper, in terms of key dangling pointer and crash context, we analyze four properties of similar samples of UAF vulnerability, explore the method of extracting and calculate clustering eigenvalues from these samples, perform clustering by fast search and find of density peaks on a large number of vulnerability samples. Samples were divided into different UAF vulnerability categories according to the clustering results, and the exploitability of these UAF vulnerabilities was determined by observing the shape of class cluster. Experimental results showed that the approach was applicable to the deduplication and exploitability determination of a large amount of UAF vulnerability samples, with high accuracy and low performance cost.

Design and Implimentation of Intrusion Detection System on Contents Security (컨텐츠 보안 침입 탐지 시스템 설계 및 구현)

  • Kim, Young Sun;Seo, Choon Weon
    • Journal of the Institute of Electronics and Information Engineers
    • /
    • 제52권11호
    • /
    • pp.164-168
    • /
    • 2015
  • As Internet use is widespread advertising through the Web, shopping, banking, etc. As the various services offered by the network, the need for Web security is increasing. A security system for the protection of information assets and systems against various types of external hacking threats and unlawful intrusion will require. Intrusion Detection Tool of the paper web will have is to increase the security level, to prevent the loss of resources and labor spent by the individual monitoring of the web. Security intrusion detection system analyzes the cause of the problem of the security vulnerability and exposure of the information on the Web. Using a monitor to determine a fast support of security is to design a security system for the purpose of protecting the information security vulnerability and exposure information.

Implementation of a Static Analyzer for Detecting the PHP File Inclusion Vulnerabilities (PHP 파일 삽입 취약성 검사를 위한 정적 분석기의 구현)

  • Ahn, Joon-Seon;Lim, Seong-Chae
    • The KIPS Transactions:PartA
    • /
    • 제18A권5호
    • /
    • pp.193-204
    • /
    • 2011
  • Since web applications are accessed by anonymous users via web, more security risks are imposed on those applications. In particular, because security vulnerabilities caused by insecure source codes cannot be properly handled by the system-level security system such as the intrusion detection system, it is necessary to eliminate such problems in advance. In this paper, to enhance the security of web applications, we develop a static analyzer for detecting the well-known security vulnerability of PHP file inclusion vulnerability. Using a semantic based static analysis, our vulnerability analyzer guarantees the soundness of the vulnerability detection and imposes no runtime overhead, differently from the other approaches such as the penetration test method and the application firewall method. For this end, our analyzer adopts abstract interpretation framework and uses an abstract analysis domain designed for the detection of the target vulnerability in PHP programs. Thus, our analyzer can efficiently analyze complicated data-flow relations in PHP programs caused by extensive usage of string data. The analysis results can be browsed using a JAVA GUI tool and the memory states and variable values at vulnerable program points can also be checked. To show the correctness and practicability of our analyzer, we analyzed the source codes of open PHP applications using the analyzer. Our experimental results show that our analyzer has practical performance in analysis capability and execution time.

A Study of Development of Diagnostic System for Web Application Vulnerabilities focused on Injection Flaws (Injection Flaws를 중심으로 한 웹 애플리케이션 취약점 진단시스템 개발)

  • Kim, Jeom-Goo;Noh, Si-Choon;Lee, Do-Hyeon
    • Convergence Security Journal
    • /
    • 제12권3호
    • /
    • pp.99-106
    • /
    • 2012
  • Today, the typical web hacking attacks are cross-site scripting(XSS) attacks, injection vulnerabilities, malicious file execution and insecure direct object reference included. Web hacking security systems, access control solutions, access only to the web service and flow inside but do not control the packet. So you have been illegally modified to pass the packet even if the packet is considered as a unnormal packet. The defense system is to fail to appropriate controls. Therefore, in order to ensure a successful web services diagnostic system development is necessary. Web application diagnostic system is real and urgent need and alternative. The diagnostic system development process mu st be carried out step of established diagnostic systems, diagnostic scoping web system vulnerabilities, web application, analysis, security vulnerability assessment and selecting items. And diagnostic system as required by the web system environment using tools, programming languages, interfaces, parameters must be set.

Development of Meteorologic Data Retrieval Program for Vulnerability Assessment to Natural Hazards (재해 취약성 평가를 위한 기상자료 처리 프로그램 MetSystem 개발)

  • Jang, Min-Won;Kim, Sang-Min
    • Journal of Korean Society of Rural Planning
    • /
    • 제19권4호
    • /
    • pp.47-54
    • /
    • 2013
  • Climate change is the most direct threatening factors in sustaining agricultural productivity. It is necessary to reduce the damages from the natural hazards such as flood, drought, typhoons, and snowstorms caused by climate change. Through the vulnerability assessment to adapt the climate change, it is possible to analyze the priority, feasibility, effect of the reduction policy. For the vulnerability assessment, broad amount of weather data for each meterological station are required. Making the database management system for the meteorologic data could troubleshoot of the difficulties lie in handling and processing the weather data. In this study, we generated the meteorologic data retrieval system (MetSystem) for climate change vulnerability assessment. The user interface of MetSystem was implemented in the web-browser so as to access to a database server at any time and place, and it provides different query executions according to the criteria of meteorologic stations, temporal range, meteorologic items, statistics, and range of values, as well as the function of exporting to Excel format (*.xls). The developed system is expected that it will make it easier to try different analyses of vulnerability to natural hazards by the simple access to meteorologic database and the extensive search functions.

Intercepting Filter Approach to Injection Flaws

  • Salem, Ahmed
    • Journal of Information Processing Systems
    • /
    • 제6권4호
    • /
    • pp.563-574
    • /
    • 2010
  • The growing number of web applications in the global economy has made it critically important to develop secure and reliable software to support the economy's increasing dependence on web-based systems. We propose an intercepting filter approach to mitigate the risk of injection flaw exploitation- one of the most dangerous methods of attacking web applications. The proposed approach can be implemented in Java or .NET environments following the intercepting filter design pattern. This paper provides examples to illustrate the proposed approach.

Using SQLMAP to Detect SQLI Vulnerabilities

  • Almadhy, Waad;Alruwaili, Amal;Hendaoui, Saloua
    • International Journal of Computer Science & Network Security
    • /
    • 제22권1호
    • /
    • pp.234-240
    • /
    • 2022
  • One of the most discussed topics is cyber security when it comes to web application and how to protect it and protect databases. One of the most widely used and widespread techniques is SQLI, and it is used by hackers and hackers. In this research, we touched on the concept of SQLI and what are its different types, and then we detected a SQLI vulnerability in a website using SQLMAP. Finally, we mentioned different ways to avoid and protect against SQLI.

Browser fuzzing and analysis using known vulnerability (파이썬 모듈과 정규표현식을 활용한 웹 취약점 탐색 자동화 봇)

  • Kim, Nam-gue;Kim, Ki Hwan;Lee, Hoon-Jae
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 한국정보통신학회 2016년도 춘계학술대회
    • /
    • pp.749-751
    • /
    • 2016
  • Internet technology is universal, news from the Web browser, shopping, search, etc., various activities have been carried out. Its size becomes large, increasing the scale of information security incidents, as damage to this increases the safety for the use of the Internet is emphasized. IE browser is ASLR, such as Isolated Heap, but has been continually patch a number of vulnerabilities, such as various protection measures, this vulnerability, have come up constantly. And, therefore, in order to prevent security incidents, it is necessary to be removed to find before that is used to exploit this vulnerability. Therefore, in this paper, we introduce the purge is a technique that is used in the discovery of the vulnerability, we describe the automation technology related thereto. And utilizing the known vulnerabilities, and try to show any of the typical procedures for the analysis of the vulnerability.

  • PDF

A Source Code Cross-site Scripting Vulnerability Detection Method

  • Mu Chen;Lu Chen;Zhipeng Shao;Zaojian Dai;Nige Li;Xingjie Huang;Qian Dang;Xinjian Zhao
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • 제17권6호
    • /
    • pp.1689-1705
    • /
    • 2023
  • To deal with the potential XSS vulnerabilities in the source code of the power communication network, an XSS vulnerability detection method combining the static analysis method with the dynamic testing method is proposed. The static analysis method aims to analyze the structure and content of the source code. We construct a set of feature expressions to match malignant content and set a "variable conversion" method to analyze the data flow of the code that implements interactive functions. The static analysis method explores the vulnerabilities existing in the source code structure and code content. Dynamic testing aims to simulate network attacks to reflect whether there are vulnerabilities in web pages. We construct many attack vectors and implemented the test in the Selenium tool. Due to the combination of the two analysis methods, XSS vulnerability discovery research could be conducted from two aspects: "white-box testing" and "black-box testing". Tests show that this method can effectively detect XSS vulnerabilities in the source code of the power communication network.