• Convergence Security Journal
• /
• v.12 no.3
• /
• pp.85-92
• /
• 2012

Today, the typical web hacking attacks are cross-site scripting(XSS) attacks, injection vulnerabilities, malicious file execution and insecure direct object reference included. Web hacking security systems, access control solutions, access only to the web service and flow inside but do not control the packet. So you have been illegally modified to pass the packet even if the packet is considered as a unnormal packet. The defense system is to fail to appropriate controls. Therefore, in order to ensure a successful web services diagnostic system development is necessary. Web application diagnostic system is real and urgent need and alternative. The diagnostic system development process mu st be carried out step of established diagnostic systems, diagnostic scoping web system vulnerabilities, web application, analysis, security vulnerability assessment and selecting items. And diagnostic system as required by the web system environment using tools, programming languages, interfaces, parameters must be set.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.9 no.10
• /
• pp.4191-4203
• /
• 2015

WebView is a vital component in smartphone platforms like Android, Windows and iOS that enables smartphone applications (apps) to embed a simple yet powerful web browser inside them. WebView not only provides the same functionalities as web browser, it, more importantly, enables a rich interaction between apps and webpages loaded inside the WebView. However, the design and the features of WebView lays path to tamper the sandbox protection mechanism implemented by browsers. As a consequence, malicious attacks can be launched either against the apps or by the apps through the exploitation of WebView APIs. This paper presents a critical attack called Supplementary Event-Listener Injection (SEI) attack which adds auxiliary event listeners, for executing malicious activities, on the HTML elements in the webpage loaded by the WebView via JavaScript Injection. This paper also proposes an automated static analysis system for analyzing WebView embedded apps to classify the kind of vulnerability possessed by them and a solution for the mitigation of the attack.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.4
• /
• pp.1025-1036
• /
• 2016

The conversion of the international standard web utilization HTML5 technology is being developed for improvement of the internet environment based on nonstandard technology like ActiveX. Hyper Text Markup Language 5 (HTML5) of basic programming language for creating a web page is designed to consider the security more than HTML4. However, the range of attacks increased and a variety of security threats generated from HTML4 environment inherited by new HTML5 API. In this paper, we focus on the script-based attack such as CSRF (Cross-Site Request Forgery), Cookie Sniffing, and HTML5 API such as CORS (Cross-Origin Resource Sharing), Geolocation API related with the infringement of the personal information. We reproduced the infringement cases actually and embodied a detection module of a Plug-in type diagnosed based on client. The scanner allows it to detect and respond to the vulnerability of HTML5 previously, thereby self-diagnosing the reliability of HTML5-based web applications or web pages. In a case of a new vulnerability, it also easy to enlarge by adding another detection module.

• Proceedings of the Korean Information Science Society Conference
• /
• 2007.10a
• /
• pp.112-113
• /
• 2007

• Proceedings of the Korea Information Processing Society Conference
• /
• 2004.05a
• /
• pp.1023-1026
• /
• 2004

최근 소프트웨어 보안취약성 분석의 일환으로 프로그램 소스가 없고 기계어 프로그램만 제공되는 소프트웨어의 보안 취약점을 분석하는 연구가 많이 수행되고 있다. 본 논문에서는 MS 윈도우 2000 운영체제의 IIS 웹서버를 대상으로, WebDAV의 한 버퍼 오버플로우 취약점을 공격하여 취약성을 재현한 후, 디버거 및 역공학 도구를 사용하여 해당 보안 취약점을 가진 코드를 분석하는 방법을 제시하였다. 본 연구 결과는 취약성분석 절차 방법 및 신뢰성 있는 소프트웨어 개발에 기여할 수 있을 것으로 기대된다.

• Journal of the Korea Society of Computer and Information
• /
• v.19 no.10
• /
• pp.117-124
• /
• 2014

Software Development Security is defined as a sequential procedure such as deleting potential security vulnerability for secure software development, designing or implementing various functions with considering security, and so on. In this paper, we research on domestic or international hacking cases that could damage us mentally or financially. Seventy five percent of Web-site attacks abuses weak points of application programs, or software. We also research on major issues related to software development security with these demerits. And then, we propose public and private laws, regulations, or systems and give some examples with detailed descriptions.

• The Journal of the Korea Contents Association
• /
• v.17 no.11
• /
• pp.312-318
• /
• 2017

In recent years, a high-quality video input device has been generalized, and a central control system capable of simultaneously viewing video input in real time has become an essential element. At this time, there are attempts to access through the web without installing the program separately. However, if multiple high-quality videos are simultaneously viewed through the web browser, the web browser is terminated by force. In this paper, we propose a web-based HLS(HTTP Live Streaming) multi-view system for real-time high-definition video. We have reconstructed the multi-view screen as a screen by transcoding and implemented a system that can monitor multiple video inputs through a web browser on the fly without using security vulnerability ActiveX.

• Journal of Digital Convergence
• /
• v.12 no.8
• /
• pp.289-294
• /
• 2014

Recently, the various web service and applications are provided to the user. As to these service, because of providing the service to the authenticated user, the user undergoes the inconvenience of performing the authentication with the service especially every time. The OAuth(Open Authorization) protocol which acquires the access privilege in which 3rd Party application is limited on the web service in order to resolve this inconvenience appeared. This OAuth protocol provides the service which is convenient and flexible to the user but has the security vulnerability about the authorization acquisition. Therefore, we propose the method that analyze the security vulnerability which it can be generated in the OAuth 2.0 protocol and secure user authority authentication method.

• Journal of the Korea Society for Simulation
• /
• v.19 no.3
• /
• pp.99-108
• /
• 2010

The main contents of this paper is to develope effective measures for Internet Web service attack, classifying vulnerability of Web Service by network layer and host unit and researching classification method by attack range of type of services. Using this paper, we can accumulate analyzed Web service attack information which is key information of promote Web security strengthening business, and basis of relevant security research for detect and response Web site attack which can contribute to activation information security industry.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2015.10a
• /
• pp.753-756
• /
• 2015

Internet technology is universal, news from the Web browser, shopping, search, etc., various activities have been carried out. Its size becomes large, increasing the scale of information security incidents, as damage to this increases the safety for the use of the Internet is emphasized. IE browser is ASLR, such as Isolated Heap, but has been continually patch a number of vulnerabilities, such as various protection measures, this vulnerability, have come up constantly. And, therefore, in order to prevent security incidents, it is necessary to be removed to find before that is used to exploit this vulnerability. Therefore, in this paper, we introduce the purge is a technique that is used in the discovery of the vulnerability, we describe the automation technology related thereto. And utilizing the known vulnerabilities, and try to show any of the typical procedures for the analysis of the vulnerability.