Ying-Chiang Cho,Jen-Yi Pan

DOI: https://doi.org/10.1371/journal.pone.0117180

IF: 3.7

2015-03-13

PLoS ONE

Abstract:Internet application technologies, such as cloud computing and cloud storage, have increasingly changed people's lives. Websites contain vast amounts of personal privacy information. In order to protect this information, network security technologies, such as database protection and data encryption, attract many researchers. The most serious problems concerning web vulnerability are e-mail address and network database leakages. These leakages have many causes. For example, malicious users can steal database contents, taking advantage of mistakes made by programmers and administrators. In order to mitigate this type of abuse, a website information disclosure assessment system is proposed in this study. This system utilizes a series of technologies, such as web crawler algorithms, SQL injection attack detection, and web vulnerability mining, to assess a website's information disclosure. Thirty websites, randomly sampled from the top 50 world colleges, were used to collect leakage information. This testing showed the importance of increasing the security and privacy of website information for academic websites.

multidisciplinary sciences

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Yanmiao Zhang,Xiaoyu Ji,Yushi Cheng,Wenyuan Xu

DOI: https://doi.org/10.23919/ChiCC.2019.8866144

2019-01-01

Abstract:As a modern power transmission network, smart grid connects abundant terminal devices and plays an important role in our daily life. However, along with its growth are the security threats. Different from the separated environment previously, an adversary nowadays can destroy the power system by attacking its terminal devices. As a result, it's critical to ensure the security and safety of terminal devices. To achieve it, detecting the pre-existing vulnerabilities in the terminal program and enhancing its security, are of great importance and necessity. In this paper. we introduce Cker, a novel vulnerability detection tool for smart grid devices, which generates an program model based on device sources and sets rules to perform model checking. We utilize the static analysis to extract necessary information and build corresponding program models. By further checking the model with pre-defined vulnerability patterns, we achieve security detection and error reporting. The evaluation results demonstrate that our method can effectively detect vulnerabilities in smart devices with an acceptable accuracy and false positive rate. In addition, as Cker is realized by pure python. it can be easily scaled to other platforms.

Seil Kim,Jae Ik Cho,Hee Won Myeong,Dong Hoon Lee

DOI: https://doi.org/10.1007/978-94-007-2792-2_50

2011-12-10

Abstract:Since mobile application market drastically extended, there have been many problems related to proliferative malicious applications that leak user’s private information stored in own smart device. In Korea, government strives to protect smart device users from these problems and to establish legal basis through ‘Privacy Act’ as a preceding step but studies on analysis models and verification tools for mobile application have not yet much developed. The purpose of this research is to suggest an analysis system to prevent propagation of harmful applications, which compromise the user’s personal information, by extracting signatures from malicious code samples detected in Android. Maliciousness of the applications has determined by learning their parsing information on the components such as DEX, Manifest, SO etc.

Nate Haris,Kendree Chen,Ann Song,Benjamin Pou

DOI: https://doi.org/10.48550/arXiv.2310.14137

2023-10-22

Abstract:Currently, Application Programming Interfaces (APIs) are becoming increasingly popular to facilitate data transfer in a variety of mobile applications. These APIs often process sensitive user information through their endpoints, which are potentially exploitable due to developer misimplementation. In this paper, a custom, modular endpoint vulnerability detection tool was created and implemented to present current statistics on the degree of information leakage in various mobile Android applications. Our endpoint vulnerability detection tool provided an automated approach to API testing, programmatically modifying requests multiple times using specific information attack methods (IAMs) and heuristically analyzing responses for potentially vulnerable endpoints (PVEs). After analysis of API requests in an encompassing range of applications, findings showed that easily exploitable Broken Access Control (BAC) vulnerabilities of varying severity were common in over 50% of applications. These vulnerabilities ranged from small data leakages due to unintended API use, to full disclosure of sensitive user data, including passwords, names, addresses, and SSNs. This investigation aims to demonstrate the necessity of complete API endpoint security within Android applications, as well as provide an open source example of a modular program which developers could use to test for endpoint vulnerabilities.

Cryptography and Security

Muhammed Sabo,,Zake Muwanga,Manjula V.S.,Saleh Auwal,,,

DOI: https://doi.org/10.59568/jasic-2023-4-1-06

2023-07-10

Abstract:The security of information technology, specifically web applications, has become an area of concern today. Computer cybercrime is now a significant problem that affects more than just businesses and organizations. Higher education institutions also began to experience computer threats that revealed their information assets. Universities, polytechnics, colleges of education, research centers, and other postsecondary institutions are probably the most vulnerable because they house sensitive data on their faculty, staff, and students, as well as academic records of scientific and technological advancements and research. The first step in an information system security strategy is risk analysis management It helps in assessing the risk of information assets to know their security level or status, and assist in define a security control measures and implementation of technical plan to avoid threats that exploit some vulnerability that could cause severe damage to an asset or infrastructure of institutions higher education (IHEs). This article presents some recommendations to perform a risk analysis management in IHEs to accessed threats and vulnerability that helps to lower the risk of their information assets. This article presents existing educational threat and vulnerability on their web applications. Ensuring security is a goal of every organization regardless of its size or purpose and also proposed a risk management model. With the information technology, an organization may be considered secure when it ensures the confidentiality, integrity, and availability of information and IT assets. Confidentiality may be broken due to theft of sensitive information such as trade secrets, clients’ personal information.

Changsok Yoo,Byung-Tak Kang,Huy Kang Kim

DOI: https://doi.org/10.1007/s11042-014-1888-3

IF: 2.577

2014-02-14

Multimedia Tools and Applications

Abstract:The security risk of internet banking has increased rapidly as internet banking services have become commonly used by the public. Among the various security methods, OTP (one time password) is known as one of the strongest methods for enforcing security, and it is now widely used in internet banking services. However, attack methods which can detour OTP have been developed that additional security for OTP is now needed. In this study, we discovered that a new kind of attack through OTP is theoretically possible through an analysis of the currently implemented OTP system and known attack methods. Based on our theory, we tested the new attack method on Korean internet banking services, and empirically proved that it could effectively detour around all of the currently implemented OTP security systems in Korea. To prevent this, we also suggested solutions based on the root cause analysis of the OTP vulnerabilities.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Yongzhen Li,Gaolong Wang

DOI: https://doi.org/10.1109/ISAIEE57420.2022.00089

2022-12-01

Abstract:With the rapid development of the internet in China, we are dealing with web sites all the time, but with this comes the increasing vulnerability of various web applications. The vulnerability of web applications can be used to steal information, account theft and fraud, threatening the security of web applications. Therefore, the security detection of web applications is particularly important. This paper introduces the background of today's web application scanning technology, analyses the importance of securing web sites, and focuses on the history and future development trends of web application vulnerability scanning at home and abroad. The system is based on the OWASP Top 10 vulnerabilities of SQL injection and XSS, which have a large impact. By analysing the risks and principles of these two vulnerabilities, a scanning system is designed to run on the Windows platform.

Computer Science

Jun Zhu,Bill Chu,Heather Richter Lipford

DOI: https://doi.org/10.1145/2914642.2914661

2016-01-01

Abstract:ABSTRACTPrivilege Escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed upon first trial. Their initial probing attempts often fail before a successful breach of access control is achieved. This paper presents an approach to automatically instrument application source code to report events of failed access attempts that may indicate privilege escalation attacks to a run time application protection mechanism. The focus of this paper is primarily on the problem of instrumenting web application source code to detect access control attack events. We evaluated false positives and negatives of our approach using two open source web applications.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Hui Yuan,Lei Zheng,Liang Dong,Xiangli Peng,Yan Zhuang,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_66

2019-04-25

Abstract:With the rapid development of Internet technology, Web applications are widely used in all walks of life, and their security requirements are increasing. Unfortunately, at present, the development of Web security technology still lags behind the development of Web application technology itself. The Web application itself and its operating environment are still relatively fragile, and its operating environment is easily forged or modified, making Web applications gradually become malicious. The object of the attack is frequently attacked. This paper investigates and analyzes the common vulnerabilities in web applications, deeply studies the basic characteristics of these vulnerabilities, and understands the principles and solutions of vulnerabilities. The static analysis method is used to analyze the vulnerabilities, and the static analysis methods are used to solve the security vulnerabilities in the Java web project.

Dahyeon Kim,Namgi Kim,Junho Ahn

DOI: https://doi.org/10.32604/cmc.2024.046871

2024-01-01

Abstract:This research aims to propose a practical framework designed for the automatic analysis of a product’s comprehensive functionality and security vulnerabilities, generating applicable guidelines based on real-world software. The existing analysis of software security vulnerabilities often focuses on specific features or modules. This partial and arbitrary analysis of the security vulnerabilities makes it challenging to comprehend the overall security vulnerabilities of the software. The key novelty lies in overcoming the constraints of partial approaches. The proposed framework utilizes data from various sources to create a comprehensive functionality profile, facilitating the derivation of real-world security guidelines. Security guidelines are dynamically generated by associating functional security vulnerabilities with the latest Common Vulnerabilities and Exposure (CVE) and Common Vulnerability Scoring System (CVSS) scores, resulting in automated guidelines tailored to each product. These guidelines are not only practical but also applicable in real-world software, allowing for prioritized security responses. The proposed framework is applied to virtual private network (VPN) software, wherein a validated Level 2 data flow diagram is generated using the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of privilege (STRIDE) technique with references to various papers and examples from related software. The analysis resulted in the identification of a total of 121 vulnerabilities. The successful implementation and validation demonstrate the framework’s efficacy in generating customized guidelines for entire systems, subsystems, and selected modules.

computer science, information systems,materials science, multidisciplinary

Saleh M. Alnaeli,Melissa Sarnowski,Md Sayedul Aman,Kumar Yelamarthi,Ahmed Abdelgawad,Haowen Jiang

DOI: https://doi.org/10.1109/uemcon.2016.7777883

2016-01-01

Abstract:A study is presented that examines the distribution and the usage of some unsafe functions that are known to cause security vulnerabilities in 15 software systems, written in C/C++. The systems are commonly used for mobile computing, and they comprise almost six million lines of code. A tool that uses a static analysis approach is applied to each system, and the number of calls to unsafe functions is determined and tabulated. The results show that vulnerable functions such as strcmp, strlen, and memcpy represent the vast majority of used unsafe functions that are banned by many companies (e.g., Microsoft) in the studied systems. This fact can help software trainers better design and plan training courses and materials on secure coding practices for software developers. Additionally, findings can help software engineers to conduct more effective refactoring processes that help to clean software systems from vulnerable code, and focus primarily on the removal of vulnerable code with higher usage for better outcomes. The historical data for a number of systems, subset, is presented over a five-year period. The data shows that few of the systems examined are increasing the number of unsafe function calls over time. This is somewhat contradictory to the literature, which claims that the use of vulnerable functions is decreasing in software systems. This fact demands that more attention and effort from software engineering and mobile computing communities be put towards addressing this phenomenon.

Ying-Chiang Cho,Jen-Yi Pan

DOI: https://doi.org/10.1155/2013/704865

2013-12-17

Abstract:Over the years, human dependence on the Internet has increased dramatically. A large amount of information is placed on the Internet and retrieved from it daily, which makes web security in terms of online information a major concern. In recent years, the most problematic issues in web security have been e-mail address leakage and SQL injection attacks. There are many possible causes of information leakage, such as inadequate precautions during the programming process, which lead to the leakage of e-mail addresses entered online or insufficient protection of database information, a loophole that enables malicious users to steal online content. In this paper, we implement a crawler mining system that is equipped with SQL injection vulnerability detection, by means of an algorithm developed for the web crawler. In addition, we analyze portal sites of the governments of various countries or regions in order to investigate the information leaking status of each site. Subsequently, we analyze the database structure and content of each site, using the data collected. Thus, we make use of practical verification in order to focus on information security and privacy through black-box testing.

Junaid Akram,Luo Ping

DOI: https://doi.org/10.1049/iet-ifs.2018.5647

2020-01-01

IET Information Security

Abstract:Cybercrimes are on a dramatic rise worldwide. The crime rate is growing day by day in every field or department which is directly or indirectly connected to the internet including Government, business or any individual. The main objective of this study is to evaluate the vulnerabilities in different software systems at the source code level by tracing their patch files. The authors have collected the source code of different types of vulnerabilities at a different level of granularities. They have proposed different ways to collect or trace the vulnerability code, which can be very helpful for security experts, organisations and software developers to maintain security measures. By following their proposed method, you can build your own vulnerability data-set and can detect vulnerabilities in any system by using suitable code clone detection technique. The study also includes a discussion of reasons for the rise in cybercrimes including zero-day exploits. A case study has been discussed with results and research questions to show the effectiveness of this study. This study concludes with the effective key findings of published and non-published vulnerabilities and the ways to prevent from different security attacks to overcome cybercrimes.

Shahriar Hasan Mickey,Muhammad Nur Yanhaona

2024-07-10

Abstract:Presently, Bangladesh is expending substantial efforts to digitize its national infrastructure, with a significant emphasis on achieving this goal through mobile applications that facilitate online payments and banking system advancements. Despite the lack of knowledge about the security level of these systems, they are currently in frequent use without much consideration. To observe whether they follow the minimum global set standards, we choose to conduct static and dynamic analysis of the applications using available open-source analyzers and open-source tools. This allows us to attempt to extract sensitive information, if possible, and determine whether the applications adhere to the standards of MASVS set by OWASP. We show how we analyzed 17 .apks and a SDK using open source scanner and discover security flaws to the applications, such as weaknesses related to data storage, vulnerable cryptographic elements, insecure network communications, and unsafe utilization of WebViews, detected by the scanner. These outputs demonstrate the need for extensive manual analysis of the application through source code review and dynamic analysis. We further implement reverse engineering and dynamic approach to verify the outputs and expose some applications do not comply with the standard method of network communication. Moreover, we attempt to verify the rest of the potential vulnerabilities in the next phase of our ongoing investigation.

Cryptography and Security,Hardware Architecture,Software Engineering

Kexu Wu,Chaolin Li

DOI: https://doi.org/10.1155/2022/3323547

IF: 2.336

2022-07-08

Journal of Sensors

Abstract:In order to solve the problem of information leakage in the process of college students' information security management, this paper proposes a design of college students' security management system based on a symmetric encryption algorithm. The system is based on the principle of the symmetric encryption algorithm and follows the principle of encryption independence to ensure the security and reliability of the system. The general framework of the system is analyzed in detail. Secondly, the security and database of system function modules are designed, and finally, the performance of the system is tested. The results are as follows: the safety management system designed in this paper has obtained satisfactory evaluation in the trial universities, accounting for 93% of the trial population. It is proved that this system has clear authority design, high efficiency, and security. Managers can query students' basic information, students' real-time location, alarm data information, and so on in real time, which can ensure students' safety to the greatest extent.

engineering, electrical & electronic,instruments & instrumentation

高国柱,吴海燕

2010-01-01

Abstract:Attacks towards web applications evolve rapidly,traditional web protecting system based on static rules is difficult adapt to the new situation of web application security.A new idea and method are proposed to protecting web application security,which uses unsupervised learning algorithm and legal rule detecting model.Web application security detecting algorithm based on the structure and progress analysis of web application is designed and implemented.The system has been used on detecting of Tsinghua web learning system,done well on filtering the abnormal web accesses out.

Muhammad Idris,Iwan Syarif,Idris Winarno

DOI: https://doi.org/10.24003/emitter.v10i2.705

2022-12-16

EMITTER International Journal of Engineering Technology

Abstract:The trend of API-based systems in web applications in the last few years keeps steadily growing. API allows web applications to interact with external systems to enable business-to-business or system-to-system integration which leads to multiple application innovations. However, this trend also comes with a different surface of security problems that can harm not only web applications, but also mobile and IoT applications. This research proposed a web application security education platform which is focused on the OWASP API security project. This platform provides different security risks such as excessive data exposure, lack of resources and rate-limiting, mass assignment, and improper asset management which cannot be found in monolithic security learning application like DVWA, WebGoat, and Multillidae II. The development also applies several methodologies such as Capture-The-Flag (CTF) learning model, vulnerability assessment, and container virtualization. Based on our experiment, we are successfully providing 10 API vulnerability challenges to the platform with 3 different levels of severity risk rating which can be exploited using tools like Burp Suite, SQLMap, and JWTCat. In the end, based on our performance experiment, all of the containers on the platform can be deployed in approximately 16 seconds with minimum storage resource and able to serve up to 1000 concurrent users with the average throughput of 50.58 requests per second, 96.35% successful requests, and 15.94s response time.

Na Meng,Stefan Nagy,Daphne Yao,Wenjie Zhuang,Gustavo Arango Argoty

DOI: https://doi.org/10.48550/arXiv.1709.09970

2017-09-28

Abstract:Java platform and third-party libraries provide various security features to facilitate secure coding. However, misusing these features can cost tremendous time and effort of developers or cause security vulnerabilities in software. Prior research was focused on the misuse of cryptography and SSL APIs, but did not explore the key fundamental research question: what are the biggest challenges and vulnerabilities in secure coding practices? In this paper, we conducted a comprehensive empirical study on StackOverflow posts to understand developers' concerns on Java secure coding, their programming obstacles, and potential vulnerabilities in their code. We observed that developers have shifted their effort to the usage of authentication and authorization features provided by Spring security--a third-party framework designed to secure enterprise applications. Multiple programming challenges are related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring security. More interestingly, we identified security vulnerabilities in the suggested code of accepted answers. The vulnerabilities included using insecure hash functions such as MD5, breaking SSL/TLS security through bypassing certificate validation, and insecurely disabling the default protection against Cross Site Request Forgery (CSRF) attacks. Our findings reveal the insufficiency of secure coding assistance and education, and the gap between security theory and coding practices.

Cryptography and Security