• Title/Summary/Keyword: web vulnerability

Search Result 146, Processing Time 0.027 seconds

Study on Suitability for Web Service of River Geospatial Information (하천공간정보 웹 서비스의 적합성에 관한 연구)

  • HONG, Sung-Soo;SHIN, Hyung-Jin;HWANG, Eui-Ho;CHAE, Hyo-Suk
    • Journal of the Korean Association of Geographic Information Studies
    • /
    • v.22 no.2
    • /
    • pp.121-132
    • /
    • 2019
  • Recently as development of internet, Service based on World Wide Web is rapidly growing. According to this, Importance for suitability of web service is emphasized by increased user with development of technique of web service. Geospatial information field included with River Geospatial information(HydroG-OneFlow) has been doing that many study about web service which center of IT, However study about test of web service is lacking of situation. Accordingly, verification should be carried out to determine the performance of Web services with the Web services implementation HydroG-OneFlow. Performance & stability test are verified that HydroG-OneFlow for Apache Jmeter of open source and conformability & interoperability test are verified for StyleCop. Result of performance is that if users are increase the number of 500, average responses time is about two seconds. and Result of reliability is that if users are increase the number of 500, decrease about 0.2%. it is verified that conformability and interoperability test to swelled about reliability of HydroG-OneFlow. Through that It will be compensate for the implementation of seb service and vulnerability of HydroG-OneFlow.

Web application firewall technology trends and testing methodology (웹방화벽 기술동향 파악 및 시험방법론)

  • Jo, In-june;Kim, Sun-young;Kim, Chan-joong
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2012.10a
    • /
    • pp.132-138
    • /
    • 2012
  • Existing network layer firewall security support is one that does not support the higher layer, the application layer of a vulnerable web application security. Under these circumstances, the vulnerability of web applications to be able to defend a Web Application Firewall is positioned as a solver to solve the important security issues of businesses spotlighted in the next generation of security systems, and a very active market in the market other than domestic is expected to be formed. However, Firewall Web has not yet proposed a standard which can be used to test the performance of the Web Application Firewall Web Application Firewall and select the products of trust hardly Companies in BMT conduct their own individual problems and the cost of performance testing technologies, there is a limit. In this study, practically usable BMT model was developed to evaluate the firewall vendor. Product ratings ISO / IEC 9126, eight product characteristics meet the performance and characteristics of a web application firewall entries are derived. This can relieve the burden on the need to be evaluated in its performance testing of Web firewall, and can enhance the competitiveness of domestic-related sectors, by restoring confidence in the product can reduce the dependence on foreign products.

  • PDF

A Study of Step-by-step Countermeasures Model through Analysis of SQL Injection Attacks Code (공격코드 사례분석을 기반으로 한 SQL Injection에 대한 단계적 대응모델 연구)

  • Kim, Jeom-Goo;Noh, Si-Choon
    • Convergence Security Journal
    • /
    • v.12 no.1
    • /
    • pp.17-25
    • /
    • 2012
  • SQL Injection techniques disclosed web hacking years passed, but these are classified the most dangerous attac ks. Recent web programming data for efficient storage and retrieval using a DBMS is essential. Mainly PHP, JSP, A SP, and scripting language used to interact with the DBMS. In this web environments application does not validate the client's invalid entry may cause abnormal SQL query. These unusual queries to bypass user authentication or da ta that is stored in the database can be exposed. SQL Injection vulnerability environment, an attacker can pass the web-based authentication using username and password and data stored in the database. Measures against SQL Inj ection on has been announced as a number of methods. But if you rely on any one method of many security hole ca n occur. The proposal of four levels leverage is composed with the source code, operational phases, database, server management side and the user input validation. This is a way to apply the measures in terms of why the accident preventive steps for creating a phased step-by-step response nodel, through the process of management measures, if applied, there is the possibility of SQL Injection attacks can be.

Execution-based System and Its Performance Analysis for Detecting Malicious Web Pages using High Interaction Client Honeypot (고 상호작용 클라이언트 허니팟을 이용한 실행 기반의 악성 웹 페이지 탐지 시스템 및 성능 분석)

  • Kim, Min-Jae;Chang, Hye-Young;Cho, Seong-Je
    • Journal of KIISE:Computing Practices and Letters
    • /
    • v.15 no.12
    • /
    • pp.1003-1007
    • /
    • 2009
  • Client-side attacks including drive-by download target vulnerabilities in client applications that interact with a malicious server or process malicious data. A typical client-side attack is web-based one related to a malicious web page exploiting specific browser vulnerability that can execute mal ware on the client system (PC) or give complete control of it to the malicious server. To defend those attacks, this paper has constructed high interaction client honeypot system using Capture-HPC that adopts execution-based detection in virtual machine. We have detected and classified malicious web pages using the system. We have also analyzed the system's performance in terms of the number of virtual machine images and the number of browsers executed simultaneously in each virtual machine. Experimental results show that the system with one virtual machine image obtains better performance with less reverting overhead. The system also shows good performance when the number of browsers executed simultaneously in a virtual machine is 50.

OTACUS: Parameter-Tampering Prevention Techniques using Clean URL (OTACUS: 간편URL기법을 이용한 파라미터변조 공격 방지기법)

  • Kim, Guiseok;Kim, Seungjoo
    • Journal of Internet Computing and Services
    • /
    • v.15 no.6
    • /
    • pp.55-64
    • /
    • 2014
  • In a Web application, you can pass without restrictions special network security devices such as IPS and F/W, URL parameter, which is an important element of communication between the client and the server, is forwarded to the Web server. Parameters are modulated by an attacker requests a URL, disclose confidential information or through e-commerce, can take financial gain. Vulnerability parameter manipulation thereof cannot be able to determine whether to operate in only determined logical application, blocked with Web Application Firewall. In this paper, I will present a technique OTACUS(One-Time Access Control URL System) to complement the shortcomings of the measures existing approaches. OTACUS can be effectively blocked the modulation of the POST or GET method parameters passed to the server by preventing the exposure of the URL to the attacker by using clean URL technique simplifies complex URL that contains the parameter. Performance test results of the actual implementation OTACUS proves that it is possible to show a stable operation of less than 3% increase in the load.

Minimize Web Applications Vulnerabilities through the Early Detection of CRLF Injection

  • Md. Mijanur Rahman;Md. Asibul Hasan
    • International Journal of Computer Science & Network Security
    • /
    • v.23 no.2
    • /
    • pp.199-202
    • /
    • 2023
  • Carriage return (CR) and line feed (LF), also known as CRLF injection is a type of vulnerability that allows a hacker to enter special characters into a web application, altering its operation or confusing the administrator. Log poisoning and HTTP response splitting are two prominent harmful uses of this technique. Additionally, CRLF injection can be used by an attacker to exploit other vulnerabilities, such as cross-site scripting (XSS). Email injection, also known as email header injection, is another way that can be used to modify the behavior of emails. The Open Web Application Security Project (OWASP) is an organization that studies vulnerabilities and ranks them based on their level of risk. According to OWASP, CRLF vulnerabilities are among the top 10 vulnerabilities and are a type of injection attack. Automated testing can help to quickly identify CRLF vulnerabilities, and is particularly useful for companies to test their applications before releasing them. However, CRLF vulnerabilities can also lead to the discovery of other high-risk vulnerabilities, and it fosters a better approach to mitigate CRLF vulnerabilities in the early stage and help secure applications against known vulnerabilities. Although there has been a significant amount of research on other types of injection attacks, such as Structure Query Language Injection (SQL Injection). There has been less research on CRLF vulnerabilities and how to detect them with automated testing. There is room for further research to be done on this subject matter in order to develop creative solutions to problems. It will also help to reduce false positive alerts by checking the header response of each request. Security automation is an important issue for companies trying to protect themselves against security threats. Automated alerts from security systems can provide a quicker and more accurate understanding of potential vulnerabilities and can help to reduce false positive alerts. Despite the extensive research on various types of vulnerabilities in web applications, CRLF vulnerabilities have only recently been included in the research. Utilizing automated testing as a recurring task can assist companies in receiving consistent updates about their systems and enhance their security.

Rights to Control Information and Related Security Technologies on the CyberSpace (사이버공간에서 자기 결정권과 보안 기술)

  • Min, Kyung-Bae;Kang, Jang-Mook
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • v.10 no.2
    • /
    • pp.135-141
    • /
    • 2010
  • This research examines technologies and systems regarding right to control information in the network era. For this purpose, It attempts an integrated analysis of technologies and systems on the basis of the tree components of cyberspace. And it examines the prior researches and cases on privacy, personal information, and right to control information with emphasis on technologies and systems of the cyberspace. To protect privacy information, it analyses vulnerability of element technology, platform service technology, and individual technology. In particular, it describes, from the perspective of right to control information, the risk and security measures for personal information to be used as relation-context in the Web 2.0 environment. The research result will assist the methodology of future researches for grand theory on privacy information and help understanding the interaction between technology and society.

Designing on Security zone to improve Cookie File Security level (쿠키파일의 보안성을 향상하기 위한 보안영역 설계)

  • Seo, Hee-Suk;Choi, Yo-Han
    • The Journal of Korean Association of Computer Education
    • /
    • v.14 no.6
    • /
    • pp.75-81
    • /
    • 2011
  • Cookie is simple text file, which contains records of web service which provided to user. some of data included in Cookie has user's private information. When attacker has Cookie which included user's private information, will causing financial losses. In this paper we designed security section which can improve vulnerable Cookie's security level. Through research and vulnerability analysis of Cookie file, we find out how to implement security area to offer efficient security area and design security area for cookie file. Also we checked security level to performance evaluation. Through this security level, we can keep user's private information secure using Cookie's improve security level which stored in user's personal computer.

  • PDF

A Design for Unified Web Authentication at Network Service Foundation (네트워크 서비스 기반의 단일 웹 인증설계)

  • Ban, Kyung-Sig;Lee, Jae-Wan;Kim, Hyoung-Jin
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.12 no.12
    • /
    • pp.2171-2178
    • /
    • 2008
  • Recently, Network companies have introduced security solutions to protect the network from intrusions, attacks and viruses but the network has still weakness and vulnerability. It is time to bring more stable and reliable authentication system that would meet the Internet user's need. In this study, Current broadband networks don't have hierarchic and stable authentication solutions. And so, an integrated and hierarchic system is needed to provide a various kinds of application services. I'd like to present a new authentication system which is based on unified web authentication design. It will unit various authentication systems that have been deployed in various network environment and reinforce network security to provice a various kinds of application services in a stable and safe environment. that is a simple and more secure method for fighting a rise in card-not-present fraud.

An Analysis of Replay Attack Vulnerability on Single Sign-On Solutions (Single Sign-On 솔루션의 재전송 공격 취약점 분석)

  • Maeng, Young-Jae;Nyang, Dae-Hun
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.18 no.1
    • /
    • pp.103-114
    • /
    • 2008
  • Single Sign-On is an authentication scheme that enables a user to authenticate once and then to access to the resources of multiple software systems without re-authentication. As web services are being integrated into a single groupware, more web sites are adopting for user convenience. However, these Single Sign-On services are very dependent upon the cookies and thus, simple eavesdropping enables attackers to hiject the user's session. Even worse, the attacker who hijacked one session can move to another site through the Single Sign-On. In this paper, we show the vulnerabilities of the top ranked sites regarding this point of view and also propose a way to protect a user's session.