JIANG Kai-da,LI Xiao,SHEN Hai-yun,BAI Wei

DOI: https://doi.org/10.3969/j.issn.1671-1122.2012.12.025

2012-01-01

Abstract:The university's website has been one of the most popular attack targets by hackers for a long time,facing various types of rampant scan and attacks,as well as the threat of information leakage of sensitive data.A complete security protection system can discover vulnerability and help find the site which was already hacked.Information security staff in university need to adopt new security strategy and methods,facing the rapid changing security situation.This paper introduces a number of depth exploration and practice in the security protection system of the university's website in Shanghai Jiao Tong University recently years.

Lwin Khin Shar,Christopher M. Poskitt,Kyong Jin Shim,Li Ying Leonard Wong

DOI: https://doi.org/10.48550/arXiv.2204.12416

2022-04-26

Cryptography and Security

Abstract:Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.

Qiang Liu,Wentao Zhao,Minghui Wu,Chengzhang Zhu

DOI: https://doi.org/10.1145/3393527.3393528

2020-01-01

Abstract:Web security research and education are attracting much more attentions from industry and academia. In this paper, we report our teaching and learning experiences of a course entitled Web Security and Countermeasures (WebSC) in a multidisciplinary learning context. To achieve the learning outcome of practical skills improvement, we design a rounded teaching contents by jointly considering basic concepts, high-risk threats in OWASP TOP 10-2017 and emerging confrontation tools like PowerShell. Then, we coordinately adopt apprenticeship, interactive, problem-based and collaborative learning methods to improve the performance of all students. Finally, we integrate formative and summative assessment methods to conduct quantitative evaluation on students' learning performance and the instructor's teaching performance. Statistical results demonstrate the effectiveness of our course design and reveal some unforeseen findings that are very valuable for continuous improvement in near future.

Yongzhen Li,Gaolong Wang

DOI: https://doi.org/10.1109/ISAIEE57420.2022.00089

2022-12-01

Abstract:With the rapid development of the internet in China, we are dealing with web sites all the time, but with this comes the increasing vulnerability of various web applications. The vulnerability of web applications can be used to steal information, account theft and fraud, threatening the security of web applications. Therefore, the security detection of web applications is particularly important. This paper introduces the background of today's web application scanning technology, analyses the importance of securing web sites, and focuses on the history and future development trends of web application vulnerability scanning at home and abroad. The system is based on the OWASP Top 10 vulnerabilities of SQL injection and XSS, which have a large impact. By analysing the risks and principles of these two vulnerabilities, a scanning system is designed to run on the Windows platform.

Computer Science

Cheng Huang,JiaYong Liu,Yong Fang,Zheng Zuo

DOI: https://doi.org/10.1016/j.cose.2015.11.006

IF: 5.105

2016-01-01

Computers & Security

Abstract:Understanding the nature of a country's World Wide Web security can allow analysts to evaluate the security awareness of local organizations, the technology employed by researchers, and the defense capabilities of the whole country. In this paper, we put forward a new framework to evaluate the security situation in China with real vulnerability disclosure platforms. The focus of this research is to analyze the current situation of Chinese websites using 57,112 Web vulnerability incidents submitted by 5371 researchers from 2012 to 2015. The dataset is distributed into four types of organizations, including listed companies, government institutions, educational institutions, and startups. We present an approach, based on machine learning and natural language processing technologies, to classify the vulnerability type for each incident. Furthermore, our experimental results show that the vulnerability distribution and response speed toward important issues are so different among the four types of organizations that researchers at various levels of experience begin to take part in submitting vulnerabilities to public disclosure platforms. Based on the results, we propose security some best-practices for organizations and show that the security situation of Chinese websites has changed quickly in the last three years but is still facing several big problems.

Wenbin Jiang,Hao Dong,Hai Jin,Hui Xu,Xiaofei Liao

DOI: https://doi.org/10.1007/978-3-642-37015-1_23

2013-01-01

Abstract:Web service technologies have been widely used in diverse applications. However, there are still many security challenges in reliability, confidentiality and data nonrepudiation, which are prominent especially in some Web service systems that have massive resources in diverse forms. An enhanced mechanism for secure accesses of Web resources is presented and implemented based on the combination of modules of identity authentication, authorized access, and secure transmission to improve the security level of these systems. In the identity authentication, the highly safe and recognized authentication method U-Key is used. For the aspect of authorized access, the integration of an improved Spring Security framework and J2EE architecture is applied to ensure authorized access to Web resources, while the security interceptor of Spring Security is extended and a series of security filters are added to keep web attacks away. Moreover, some improvements of the XML encryption and XML decryption algorithm are made to enhance the security and speed of data transmission, by means of mixing RSA and DES algorithm. The above security mechanism has been applied to an online virtual experiment platform based on Web services named VeePalms. The experimental results show that most security problems with high severity in the system have been solved and medium-low severe problems degreased dramatically.

WU Zhen,CUI Jian,ZHOU Chang-ling,ZHANG Bei

DOI: https://doi.org/10.3969/j.issn.1001-7445.2011.z1.030

2011-01-01

Abstract:By means of researching and analyzing the reports of multiple security organizations,consortiums and corporations,we discover that web application security is becoming more vital in campus network.Based on the OWASP and the WASC,we designed a multidimension web application security architecture,and used the firewall,web application firewall,intrusion detection system,intrusion prevention system,vulnerability scan system,bastion host and auditing system to implement the architecture.We chose 50 representative web applications from Peking University campus network to study and analyze the logs from these web applications and security devices,and the results prove the validity of the multidimension web application security architecture.

高国柱,吴海燕

2010-01-01

Abstract:Attacks towards web applications evolve rapidly,traditional web protecting system based on static rules is difficult adapt to the new situation of web application security.A new idea and method are proposed to protecting web application security,which uses unsupervised learning algorithm and legal rule detecting model.Web application security detecting algorithm based on the structure and progress analysis of web application is designed and implemented.The system has been used on detecting of Tsinghua web learning system,done well on filtering the abnormal web accesses out.

Wenbin Jiang,Hui Xu,Hao Dong,Hai Jin,Xiaofei Liao

DOI: https://doi.org/10.3906/elk-1303-12

2016-01-01

TURKISH JOURNAL OF ELECTRICAL ENGINEERING & COMPUTER SCIENCES

Abstract:Web service-based application has become one of the dominative ones of the Internet. This trend brings more and more security challenges in reliability, confidentiality, and data nonrepudiation, especially in some systems that have massive diversified resources. An improved framework for secure accesses of Web resources is presented and implemented by extending and enhancing the Spring Security framework. It improves the security level of systems for identity authentication, authorized access, and secure transmission. The highly safe authentication is based on the integration of an improved authentication module of Spring Security with a U-key method and a RSA algorithm. For authorized access, the Spring Security's ACL (access control list) mechanism is improved by optimizing the domain object-level access control. For secure transmission, a compromising method is presented to take both the security level and the speed of data transmission into account by means of mixing the RSA and DES algorithms. In addition, the security interceptor of Spring Security is extended and a series of security filters are added to keep Web attacks away. The above improved security framework has been applied to an online virtual experiment platform named VeePalms. The experimental results show that most security problems with high severity in the system have been solved and medium-low severe problems decreased dramatically. Moreover, VeePalms has been used in practice for about 2 years, which has proved the effectiveness of the security framework.

TIAN Zhen,YOU Zhi,LI Zhan-huai

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.18.046

2006-01-01

Abstract:An online system auxiliary for education is implemented based on.NET,which uses 3-level architecture and the technique of ASP.NET and ADO.NET.The architecture model and database model are designed,the implementation is presented.The characteristic of the whole system is analyzed and the strategy of improving the system security and performance are put forward.The system based on the architecture of.NET is more efficient,more extendible and more maintainable.

叶升路,徐波,栾国森

DOI: https://doi.org/10.3969/j.issn.1671-0428.2010.06.013

2010-01-01

Abstract:With the application in Web progressively,there has been increasing attention to the security of web application.Started off mechanism,this paper has analysed the leading security problem of web application and the common ways which hacker using to attack.At last,this paper has given some feasible countermeasures.

Ying-Chiang Cho,Jen-Yi Pan

DOI: https://doi.org/10.1371/journal.pone.0117180

IF: 3.7

2015-03-13

PLoS ONE

Abstract:Internet application technologies, such as cloud computing and cloud storage, have increasingly changed people's lives. Websites contain vast amounts of personal privacy information. In order to protect this information, network security technologies, such as database protection and data encryption, attract many researchers. The most serious problems concerning web vulnerability are e-mail address and network database leakages. These leakages have many causes. For example, malicious users can steal database contents, taking advantage of mistakes made by programmers and administrators. In order to mitigate this type of abuse, a website information disclosure assessment system is proposed in this study. This system utilizes a series of technologies, such as web crawler algorithms, SQL injection attack detection, and web vulnerability mining, to assess a website's information disclosure. Thirty websites, randomly sampled from the top 50 world colleges, were used to collect leakage information. This testing showed the importance of increasing the security and privacy of website information for academic websites.

multidisciplinary sciences

ZHANG Fei,ZHU Zhi-xiang,WANG Xiong

DOI: https://doi.org/10.3969/j.issn.1008-5564.2013.04.014

2013-01-01

Abstract:As network security problems increase,network attacks by using the XSS(cross site scripting)have become prominent.The vulnerability of XSS is introduced.Examples are cited to illustrate some common XSS vulnerability detection methods.Some prevention methods concerning common network users and the network management terminal are introduced.

江济,申瑞民,申丽萍

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.076

2002-01-01

Abstract:According to modern mature network security technology ,the paper constructs a security network mode of an e-educational administration network . In addition, the paper provides a detail description of implementation of the key network technologies applied in the mode.

Hossain Shahriar,Kai Qian,Atef Shalan,Fan Wu

DOI: https://doi.org/10.1109/COMPSAC48688.2020.0-123

2020-01-01

Abstract:While the number of mobile and web applications is growing exponentially, the mobile and web security threat landscape is growing explosively. Malicious malware may attack vulnerable applications and obtain personal or enterprise confidential data anywhere and anytime. Most vulnerabilities should be addressed and fixed during the early stages of software development. However, many software development professionals lack the awareness of the importance of security vulnerabilities and the necessary knowledge and skills at the software development stage. This paper addresses the needs and challenges of the lack of pedagogical materials and real-world learning environment in ProActive Control for Software Security (PASS) through effective, engaging, and investigative authentic learning approaches.

Hui Yuan,Lei Zheng,Liang Dong,Xiangli Peng,Yan Zhuang,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_66

2019-04-25

Abstract:With the rapid development of Internet technology, Web applications are widely used in all walks of life, and their security requirements are increasing. Unfortunately, at present, the development of Web security technology still lags behind the development of Web application technology itself. The Web application itself and its operating environment are still relatively fragile, and its operating environment is easily forged or modified, making Web applications gradually become malicious. The object of the attack is frequently attacked. This paper investigates and analyzes the common vulnerabilities in web applications, deeply studies the basic characteristics of these vulnerabilities, and understands the principles and solutions of vulnerabilities. The static analysis method is used to analyze the vulnerabilities, and the static analysis methods are used to solve the security vulnerabilities in the Java web project.

WANG Hui,LUO Jun-zhou

DOI: https://doi.org/10.3969/j.issn.1007-130x.2006.01.010

2006-01-01

Abstract:Based on the application background of the E-Learning integration system,the paper gives the design method,system structure and functional modules of an XML-based security system to be implemented in the E-learning integration platform.The system provides a good security platform with interoperability,portability,extensibility and maintainability for the development of application systems.

Muhammed Sabo,,Zake Muwanga,Manjula V.S.,Saleh Auwal,,,

DOI: https://doi.org/10.59568/jasic-2023-4-1-06

2023-07-10

Abstract:The security of information technology, specifically web applications, has become an area of concern today. Computer cybercrime is now a significant problem that affects more than just businesses and organizations. Higher education institutions also began to experience computer threats that revealed their information assets. Universities, polytechnics, colleges of education, research centers, and other postsecondary institutions are probably the most vulnerable because they house sensitive data on their faculty, staff, and students, as well as academic records of scientific and technological advancements and research. The first step in an information system security strategy is risk analysis management It helps in assessing the risk of information assets to know their security level or status, and assist in define a security control measures and implementation of technical plan to avoid threats that exploit some vulnerability that could cause severe damage to an asset or infrastructure of institutions higher education (IHEs). This article presents some recommendations to perform a risk analysis management in IHEs to accessed threats and vulnerability that helps to lower the risk of their information assets. This article presents existing educational threat and vulnerability on their web applications. Ensuring security is a goal of every organization regardless of its size or purpose and also proposed a risk management model. With the information technology, an organization may be considered secure when it ensures the confidentiality, integrity, and availability of information and IT assets. Confidentiality may be broken due to theft of sensitive information such as trade secrets, clients’ personal information.

Liao Rongzhou,Xiao Nanfeng

DOI: https://doi.org/10.1109/icbda49040.2020.9101215

2020-01-01

Abstract:The management of the cloud computing platform adopts web interface, the web is open and easy to use, which makes the security problems of the cloud computing platform be increased prominently. The web security problems have a variety of attack forms, the main-stream attack methods include SQL injection, cross-site scripting (XSS), and HTTP header injection attacks, and so on. For solving these security problems, this paper designs a reason-able security protection scheme based on some defense methods. For SQL injection attack and XSS attack, the web protection scheme based on the cloud computing platform is designed and implemented in this paper, and proposes a typical defense method for the SQL injection attacks, designs the SQL injection filters and conducts the verification. For the XSS attacks, design a reasonable and feasible defense scheme to achieve the main defense functions, and study the characteristics of other web attacks, and briefly give the corresponding defense methods. This paper also designs the experimental environments, the experimental results show that the proposed protection schemes are effective to the corresponding attack methods.

李钢,张仁斌

DOI: https://doi.org/10.3969/j.issn.1003-5060.2003.z1.016

2003-01-01

Abstract:Distributed multilayer computing architecture has gradually become the main mode of computing,and the security of this mode is usually confined to the protection at systematic level, which depends on inbreak test, firewall, etc .Some issues on the security of Web application program, the important element of the multilayer architecture, are discussed. It is pointed out that the lack of security measures means “opening the door” for hackers' attacks. The security measures for the Web application program should be carried on at the levels of program and code. And practical plans and strategies for composing safe code are put forward, and the safety evaluation is also discussed.