scholarly journals Detection and Mitigation of Web Application Vulnerabilities Based on Security Testing

2012 ◽  
pp. 138-144 ◽  
Author(s):  
Taeseung Lee ◽  
Giyoun Won ◽  
Seongje Cho ◽  
Namje Park ◽  
Dongho Won
Keyword(s):  
Web Application ◽  
Security Testing

Method Using Command Abstraction Library for Iterative Testing Security of Web Applications

2018 ◽  
pp. 192-215
Author(s):  
Seiji Munetoh ◽  
Nobukazu Yoshioka
Keyword(s):  
Web Application ◽  
Agile Development ◽  
Application Framework ◽  
Security Testing ◽  
Application Development ◽  
Security Assurance ◽  
Security Issues ◽  
Application Logic ◽  
Granularity Level ◽  
Scripting Language

A framework based on a scripting language is commonly used in Web application development, and high development efficiency is often achieved by applying several Agile development techniques. However, the adaptation of security assurance techniques to support Agile development is still underway, particularly from the developer's perspective. The authors have addressed this problem by developing an iterative security testing method that splits the security test target application into two parts on the basis of the code lifecycle, application logic (“active development code”) and framework (“used code”). For the former, detailed security testing is conducted using static analysis since it contains code that is changed during the iterative development process. For the latter, an abstraction library at the command granularity level is created and maintained. The library identifies the behavior of an application from the security assurance standpoint. This separation reduces the amount of code to be statically inspected and provides a mechanism for sharing security issues among application developers using the same Web application framework. Evaluation demonstrated that this method can detect various types of Web application vulnerabilities.

Automated security testing for web applications on industrial automation and control systems

2019 ◽  
Vol 67 (5) ◽  
pp. 383-401
Author(s):  
Steffen Pfrang ◽  
Anne Borcherding ◽  
David Meier ◽  
Jürgen Beyerer
Keyword(s):  
Control Systems ◽  
Cyber Security ◽  
Web Application ◽  
Web Applications ◽  
Security Testing ◽  
Industrial Automation ◽  
Local Networks ◽  
Automation And Control ◽  
And Control ◽  
The Web

Abstract Industrial automation and control systems (IACS) play a key role in modern production facilities. On the one hand, they provide real-time functionality to the connected field devices. On the other hand, they get more and more connected to local networks and the internet in order to facilitate use cases promoted by “Industrie 4.0”. A lot of IACS are equipped with web servers that provide web applications for configuration and management purposes. If an attacker gains access to such a web application operated on an IACS, he can exploit vulnerabilities and possibly interrupt the critical automation process. Cyber security research for web applications is well-known in the office IT. There exist a lot of best practices and tools for testing web applications for different kinds of vulnerabilities. Security testing targets at discovering those vulnerabilities before they can get exploited. In order to enable IACS manufacturers and integrators to perform security tests for their devices, ISuTest was developed, a modular security testing framework for IACS. This paper provides a classification of known types of web application vulnerabilities. Therefore, it makes use of the worst direct impact of a vulnerability. Based on this analysis, a subset of open-source vulnerability scanners to detect such vulnerabilities is selected to be integrated into ISuTest. Subsequently, the integration is evaluated. This evaluation is twofold: At first, willful vulnerable web applications are used. In a second step, seven real IACS, like a programmable logic controller, industrial switches and cloud gateways, are used. Both evaluation steps start with the manual examination of the web applications for vulnerabilities. They conclude with an automated test of the web applications using the vulnerability scanners automated by ISuTest. The results show that the vulnerability scanners detected 53 % of the existing vulnerabilities. In a former study using commercial vulnerability scanners, 54 % of the security flaws could be found. While performing the analysis, 45 new vulnerabilities were detected. Some of them did not only break the web server but crashed the whole IACS, stopping the critical automation process. This shows that security testing is crucial in the industrial domain and needs to cover all services provided by the devices.

scholarly journals AndroShield: Automated Android Applications Vulnerability Detection, a Hybrid Static and Dynamic Analysis Approach

Information ◽  
2019 ◽  
Vol 10 (10) ◽  
pp. 326 ◽  
Author(s):  
Amr Amin ◽  
Amgad Eldessouki ◽  
Menna Tullah Magdy ◽  
Nouran Abdeen ◽  
Hanan Hindy ◽  
...  
Keyword(s):  
Dynamic Analysis ◽  
Static Analysis ◽  
Mobile Applications ◽  
Web Application ◽  
Hybrid Approach ◽  
High Rate ◽  
Vulnerability Detection ◽  
Security Testing ◽  
Static And Dynamic Analysis ◽  
Android Applications

The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution.

An Alternative Threat Model-based Approach for Security Testing

2015 ◽  
Vol 6 (3) ◽  
pp. 50-64 ◽  
Author(s):  
Bouchaib Falah ◽  
Mohammed Akour ◽  
Samia Oukemeni
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Security Attacks ◽  
Security Testing ◽  
Security Risks ◽  
Web Application Security ◽  
Application Security ◽  
Malicious Codes ◽  
Testing Approach ◽  
Interaction Web

In modern interaction, web applications has gained more and more popularity, which leads to a significate growth of exposure to malicious users and vulnerability attacks. This causes organizations and companies to lose valuable information and suffer from bad reputation. One of the effective mitigation practices is to perform security testing against the application before release it to the market. This solution won't protect web application 100% but it will test the application against malicious codes and reduce the high number of potential attacks on web application. One of known security testing approach is threat modeling, which provides an efficient technique to identify threats that can compromise system security. The authors proposed method, in this paper, focuses on improving the effectiveness of the categorization of threats by using Open 10 Web Application Security Project's (OWASP) that are the most critical web application security risks in generating threat trees in order to cover widely known security attacks.

An Alternative Threat Model-Based Approach for Security Testing

2018 ◽  
pp. 441-454
Author(s):  
Bouchaib Falah ◽  
Mohammed Akour ◽  
Samia Oukemeni
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Security Testing ◽  
Security Risks ◽  
Web Application Security ◽  
Threat Model ◽  
Application Security ◽  
Malicious Codes ◽  
Testing Approach ◽  
Interaction Web

In modern interaction, web applications has gained more and more popularity, which leads to a significate growth of exposure to malicious users and vulnerability attacks. This causes organizations and companies to lose valuable information and suffer from bad reputation. One of the effective mitigation practices is to perform security testing against the application before release it to the market. This solution won't protect web application 100% but it will test the application against malicious codes and reduce the high number of potential attacks on web application. One of known security testing approach is threat modeling, which provides an efficient technique to identify threats that can compromise system security. The authors proposed method, in this paper, focuses on improving the effectiveness of the categorization of threats by using Open 10 Web Application Security Project's (OWASP) that are the most critical web application security risks in generating threat trees in order to cover widely known security attacks.

DETECTING SERVER-SIDE ENDPOINTS IN WEB APPLICATIONS BASED ON STATIC ANALYSIS OF CLIENT-SIDE JavaScript CODE

2021 ◽  
pp. 32-54
Author(s):  
D. A. Sigalov ◽  
◽  
A. A. Khashaev ◽  
D. Yu. Gamayunov ◽  
◽  
...  
Keyword(s):  
Static Analysis ◽  
Web Application ◽  
Web Applications ◽  
Security Analysis ◽  
Endpoint Detection ◽  
Security Testing ◽  
Application Security ◽  
Server Side ◽  
Dynamic Web ◽  
Client Side

The problem of server-side endpoint detection in the context of blackbox security analysis of dynamic web applications is considered. We propose a method to increase coverage of server-side endpoint detection using static analysis of client-side JavaScript code to find functions which generate HTTP requests to the server-side of the application and reconstruct parameters for those functions. In the context of application security testing, static analysis allows to find such functions even in dead or unreachable JavaScript code, which cannot be achieved by dynamic crawling or dynamic code analysis. Evaluation of the proposed method and its implementation has been done using synthetic web application with endpoints vulnerable to SQL injections, and the same application was used to compare the proposed method with existing solutions. Evaluation results show that adding JavaScript static analysis to traditional dynamic crawling of web applications may significantly improve server-side endpoint coverage in blackbox application security analysis.

Sign in / Sign up

Export Citation Format

Share Document