• Title/Summary/Keyword: web vulnerability

Search Result 147, Processing Time 0.024 seconds

Systematic and Comprehensive Comparisons of the MOIS Security Vulnerability Inspection Criteria and Open-Source Security Bug Detectors for Java Web Applications (행정안전부 소프트웨어 보안 취약점 진단기준과 Java 웹 어플리케이션 대상 오픈소스 보안 결함 검출기 검출대상의 총체적 비교)

  • Lee, Jaehun;Choe, Hansol;Hong, Shin
    • Journal of Software Engineering Society
    • /
    • v.28 no.1
    • /
    • pp.13-22
    • /
    • 2019
  • To enhance effective and efficient applications of automated security vulnerability checkers in highly competitive and fast-evolving IT industry, this paper studies a comprehensive set of security bug checkers in open-source static analysis frameworks and how they can be utilized for source code inspections according to the security vulnerability inspection guidelines by MOIS. This paper clarifies the relationship be tween all 42 inspection criteria in the MOIS guideline and total 323 security bug checkers in 4 popular open-source static analysis frameworks for Java web applications. Based on the result, this paper also discuss the current challenges and issues in the MOIS guideline, the comparison among the four security bug checker frameworks, and also the ideas to improve the security inspection methodologies using the MOIS guideline and open-source static security bug checkers.

Attack Categorization based on Web Application Analysis (웹 어플리케이션 특성 분석을 통한 공격 분류)

  • 서정석;김한성;조상현;차성덕
    • Journal of KIISE:Information Networking
    • /
    • v.30 no.1
    • /
    • pp.97-116
    • /
    • 2003
  • Frequency of attacks on web services and the resulting damage continue to grow as web services become popular. Techniques used in web service attacks are usually different from traditional network intrusion techniques, and techniques to protect web services are badly needed. Unfortunately, conventional intrusion detection systems (IDS), especially those based on known attack signatures, are inadequate in providing reasonable degree of security to web services. An application-level IDS, tailored to web services, is needed to overcome such limitations. The first step in developing web application IDS is to analyze known attacks on web services and characterize them so that anomaly-based intrusion defection becomes possible. In this paper, we classified known attack techniques to web services by analyzing causes, locations where such attack can be easily detected, and the potential risks.

A Study of Web Application Attack Detection extended ESM Agent (통합보안관리 에이전트를 확장한 웹 어플리케이션 공격 탐지 연구)

  • Kim, Sung-Rak
    • Journal of the Korea Society of Computer and Information
    • /
    • v.12 no.1 s.45
    • /
    • pp.161-168
    • /
    • 2007
  • Web attack uses structural, logical and coding error or web application rather than vulnerability to Web server itself. According to the Open Web Application Security Project (OWASP) published about ten types of the web application vulnerability to show the causes of hacking, the risk of hacking and the severity of damage are well known. The detection ability and response is important to deal with web hacking. Filtering methods like pattern matching and code modification are used for defense but these methods can not detect new types of attacks. Also though the security unit product like IDS or web application firewall can be used, these require a lot of money and efforts to operate and maintain, and security unit product is likely to generate false positive detection. In this research profiling method that attracts the structure of web application and the attributes of input parameters such as types and length is used, and by installing structural database of web application in advance it is possible that the lack of the validation of user input value check and the verification and attack detection is solved through using profiling identifier of database against illegal request. Integral security management system has been used in most institutes. Therefore even if additional unit security product is not applied, attacks against the web application will be able to be detected by showing the model, which the security monitoring log gathering agent of the integral security management system and the function of the detection of web application attack are combined.

  • PDF

A Design of Inter-Working System between Secure Coding Tools and Web Shell Detection Tools for Secure Web Server Environments (안전한 웹 서버 환경을 위한 시큐어코딩 도구, 웹쉘 탐지도구 간의 상호연동 시스템 설계)

  • Kim, Bumryong;Choi, Keunchang;Kim, Joonho;Suk, Sangkee
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.11 no.4
    • /
    • pp.81-87
    • /
    • 2015
  • Recently, with the development of the ICT environment, the use of the software is growing rapidly. And the number of the web server software used with a variety of users is also growing. However, There are also various damage cases increased due to a software security vulnerability as software usage is increasing. Especially web shell hacking which abuses software vulnerabilities accounts for a very high percentage. These web server environment damage can induce primary damage such like homepage modification for malware spreading and secondary damage such like privacy. Source code weaknesses checking system is needed during software development stage and operation stage in real-time to prevent software vulnerabilities. Also the system which can detect and determine web shell from checked code in real time is needed. Therefore, in this paper, we propose the system improving security for web server by detecting web shell attacks which are invisible to existing detection method such as Firewall, IDS/IPS, Web Firewall, Anti-Virus, etc. while satisfying existing secure coding guidelines from development stage to operation stage.

Study on the OWASP and WASC-oriented Web Application Security (OWASP 및 WASC 중심의 웹 애플리케이션 보안에 관한 고찰)

  • Lee, Jae-Hyun
    • Journal of Advanced Navigation Technology
    • /
    • v.15 no.3
    • /
    • pp.372-377
    • /
    • 2011
  • Until now, the study and research on the projects which have internationally conducted are in poor condition with regard to the security vulnerability analysis of web application. This is due to a lack of precedent study for improving the quality of the web services in order to provide better services for the future. In this paper, I analyze the types of the web application vulnerabilities which have been studied and mapped out a plan for protecting them.

Implementation of Web Searching Robot for Detecting of Phishing and Pharming in Homepage (홈페이지에 삽입된 악성코드 및 피싱과 파밍 탐지를 위한 웹 로봇의 설계 및 구현)

  • Kim, Dae-Yu;Kim, Jung-Tae
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.12 no.11
    • /
    • pp.1993-1998
    • /
    • 2008
  • Web robot engine for searching web sever vulnerability and malicious code is proposed in this paper. The main web robot function is based on searching technology which is derived from analyses of private information threat. We implemented the detecting method for phishing, pharming and malicious code on homepage under vulnerable surroundings. We proposed a novel approachm which is independent of any specific phishing implementation. Our idea is to examine the anomalies in web pages.

A Study on Scenario-based Web Application Security Education Method

  • Gilja So
    • International Journal of Internet, Broadcasting and Communication
    • /
    • v.15 no.3
    • /
    • pp.149-159
    • /
    • 2023
  • Web application security education that can provide practical experience is needed to reduce damage caused by the recent increase in web application vulnerabilities and to strengthen security. In this paper, we proposed a scenario-based web application education method, applied the proposed method to classes, and analyzed the results. In order to increase the effectiveness of scenario-based education, a real-life practice environment to perform scenarios and instructions to be performed by learners are needed. As an example of the proposed method, instructions to be performed by learners from the viewpoint of the attacker and the victim were shown in a practice environment to teach XSS and SQL injection vulnerabilities. After applying the proposed method to the class for students majoring in cyber security, when the lecture evaluation results were analyzed, it was shown that the learner's interest, understanding, and major ability all improved.

Analysis of Security Vulnerability Cases on Chromium WebAssembly: Focus on Cases Related to Overflow and Underflow (Chromium WebAssembly 취약점 사례 분석: Overflow, Underflow 관련 사례를 중점으로)

  • Lee, Jae-Hong;Choi, Hyoung-Kee
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2021.11a
    • /
    • pp.221-224
    • /
    • 2021
  • 본 논문은 WebAssembly 가 도입된 2017 년부터 현재 2021 년까지 발생한 보안 취약점을 분석하고 분류하여, WebAssembly 에 대한 개발자들의 이해도를 높이고 WebAssembly 도입에 생길 수 있는 문제점들을 정리한다. 특히 CVE-2018-6092(Integer Overflow), CVE-2018-6036(Underflow) 사례들을 제공된 PoC 를 통하여 재현하고, PoC 코드, 원인 코드와 대처 코드까지 분석한다.

Web-based server monitoring and vulnerability assessment solution (웹 기반의 서버 모니터링 및 취약점 진단 솔루션)

  • Yong, SeungLim;Yoon, Hyun-Seok;Do, Sang-Won
    • Proceedings of the Korean Society of Computer Information Conference
    • /
    • 2017.07a
    • /
    • pp.263-264
    • /
    • 2017
  • 본 논문에서는 서버의 상태를 지속적으로 모니터링하고 관리할 수 있는 웹 기반의 모니터링 솔루션을 구현하여 제안한다. 관리자가 서버의 취약점 점검을 가능토록 하여 서버에 대한 보안성을 강화하고, 웹을 통하여 서버 정보와 사용량을 실시간으로 확인할 수 있도록 편리성을 제공한다.

  • PDF

A Study on the Design and Implementation of System for Predicting Attack Target Based on Attack Graph (공격 그래프 기반의 공격 대상 예측 시스템 설계 및 구현에 대한 연구)

  • Kauh, Janghyuk;Lee, Dongho
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.16 no.1
    • /
    • pp.79-92
    • /
    • 2020
  • As the number of systems increases and the network size increases, automated attack prediction systems are urgently needed to respond to cyber attacks. In this study, we developed four types of information gathering sensors for collecting asset and vulnerability information, and developed technology to automatically generate attack graphs and predict attack targets. To improve performance, the attack graph generation method is divided into the reachability calculation process and the vulnerability assignment process. It always keeps up to date by starting calculations whenever asset and vulnerability information changes. In order to improve the accuracy of the attack target prediction, the degree of asset risk and the degree of asset reference are reflected. We refer to CVSS(Common Vulnerability Scoring System) for asset risk, and Google's PageRank algorithm for asset reference. The results of attack target prediction is displayed on the web screen and CyCOP(Cyber Common Operation Picture) to help both analysts and decision makers.