A SURVEY OF E-COMMERCE SECURITY THREATS AND SOLUTIONS

2021 ◽  
Vol 2 ◽  
pp. 1-9
Author(s):  
Stanislav Dakov ◽  
Anna Malinova

E-commerce security is part of the web security problems that arise in all business information systems that operate over the Internet. However, in e-commerce security, the dimensions of web security – secrecy, integrity, and availability – are focused on protecting the consumer's and e-store site's assets from unauthorized access, use, alteration, or destruction. The paper presents an overview of the recent security issues in e-commerce applications and the usual points the attacker can target, such as the client (data, session, identity); the client computer; the network connection between the client and the web server; the web server; and third-party software vendors. Discussed are effective approaches and tools used to address different e-commerce security threats. Special attention is paid to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), phishing attacks, SQL injection, Man-in-the-middle, bots, denial-of-service, encryption, firewalls, SSL digital signatures, security certificates, and PCI compliance. The research outlines and suggests many security solutions and best practices.

2008 ◽  
pp. 1839-1864
Author(s):  
Elisa Bertino ◽  
Barbara Carminati ◽  
Elena Ferrari

In this chapter, we present the main security issues related to the selective dissemination of information (SDI system). More precisely, after providing an overview of the work carried out in this field, we focus on the security properties that a secure SDI system (SSDI system) must satisfy and on some of the strategies and mechanisms that can be used to ensure them. Indeed, since XML is today's emerging standard for data exchange over the Web, we have cast our attention on Secure and Selective XML data dissemination (SSXD). As a result, we present an SSXD system providing a comprehensive solution for XML documents. In the proposed chapter, we also consider an innovative architecture for data dissemination, by suggesting an SSXD system exploiting the third-party architecture, since this architecture is receiving growing attention as a new paradigm for data dissemination over the web. In a third-party architecture, there is a distinction between the Owner and the Publisher of information. The Owner is the producer of the information, whereas Publishers are responsible for managing (a portion of) the Owner's information and for answering user queries. A relevant issue in this architecture is how the Owner can ensure a secure dissemination of its data, even if the data are managed by a third party. Such a scenario requires a redefinition of the dissemination mechanisms developed for the traditional SSXD system. Indeed, the traditional techniques cannot be exploited in a third-party scenario. For instance, let us consider the traditional digital signature techniques, used to ensure data integrity and authenticity. In a third-party scenario, that is, a scenario where a third party may prune some of the nodes of the original document based on user queries, the traditional digital signature is not applicable, since its correctness is based on the requirement that the signing and verification processes are performed on exactly the same bits.


2015 ◽  
Vol 23 (1) ◽  
pp. 73-101 ◽  
Author(s):  
Eugene Ferry ◽  
John O Raw ◽  
Kevin Curran

Purpose – The interoperability of cloud data between web applications and mobile devices has vastly improved over recent years. The popularity of social media, smartphones and cloud-based web services has contributed to the level of integration that can be achieved between applications. This paper investigates the potential security issues of OAuth, an authorisation framework for granting third-party applications revocable access to user data. OAuth has rapidly become an interim de facto standard for protecting access to web API data. Vendors implemented OAuth before the open standard was officially published. To evaluate whether the OAuth 2.0 specification is truly ready for industry application, an entire OAuth client server environment was developed and validated against the specification threat model. The research also included the analysis of the security features of several popular OAuth integrated websites and comparing those to the threat model. High-impacting exploits leading to account hijacking were identified with a number of major online publications. It is hypothesised that the OAuth 2.0 specification can be a secure authorisation mechanism when implemented correctly.

Design/methodology/approach – To analyse the security of OAuth implementations in industry, a list of the 50 most popular websites in Ireland was retrieved from the statistical website Alexa (Noureddine and Bashroush, 2011). Each site was analysed to identify if it utilised OAuth. Out of the 50 sites, 21 were identified with OAuth support. Each vulnerability in the threat model was then tested against each OAuth-enabled site. To test the robustness of the OAuth framework, an entire OAuth environment was required. The proposed solution would be composed of three parts: a client application, an authorisation server and a resource server. The client application needed to consume OAuth-enabled services. The authorisation server had to manage access to the resource server. The resource server had to expose data from the database based on the authorisation the user would be given from the authorisation server. It was decided that the client application would consume emails from Google's Gmail API. The authorisation and resource server were modelled around a basic task-tracking web application. The client application would also consume task data from the developed resource server. The client application would also support Single Sign On for Google and Facebook, as well as a developed identity provider "MyTasks". The authorisation server delegated authorisation to the client application and stored cryptographic information for each access grant. The resource server validated the supplied access token via public-key cryptography and returned the requested data.

Findings – Two sites out of the 21 were found to be susceptible to some form of attack, meaning that 10.5 per cent were vulnerable. In total, 18 per cent of the world's 50 most popular sites were in the list of 21 OAuth-enabled sites. The OAuth 2.0 specification is still very much in its infancy, but when implemented correctly, it can provide a relatively secure and interoperable authentication delegation mechanism. The IETF are currently addressing issues and expansions in their working drafts. Once a strict level of conformity is achieved between vendors and vulnerabilities are mitigated, it is likely that the framework will change the way we access data on the web and other devices.

Originality/value – OAuth is flexible, in that it offers extensions to support varying situations and existing technologies. A disadvantage of this flexibility is that new extensions typically bring new security exploits. Members of the IETF OAuth Working Group are constantly refining the draft specifications and are identifying new threats to the expanding functionality. OAuth provides a flexible authentication mechanism to protect and delegate access to APIs. It solves the problem of password re-use across multiple accounts and stops the user from having to disclose their credentials to third parties. Filtering access to information by scope and giving the user the option to revoke access at any point gives the user control of their data. OAuth does raise security concerns, such as defying phishing education, but there are always going to be security issues with any authentication technology. Although several high-impacting vulnerabilities were identified in industry, the developed solution proves the predicted hypothesis that a secure OAuth environment can be built when implemented correctly. Developers must conform to the defined specification and are responsible for validating their implementation against the given threat model. OAuth is an evolving authorisation framework. It is still in its infancy, and much work needs to be done in the specification to achieve stricter validation and vendor conformity. Vendor implementations need to become better aligned in order to provide a rich and truly interoperable authorisation mechanism. Once these issues are resolved, OAuth will be on track for becoming the definitive authentication standard on the web.


Author(s):  
AjithKumar Reddy K ◽  
Darshith M P ◽  
Divya Megha H S ◽  
Omshree V ◽  
Sudhakara Reddy M

There are numerous web security threats, but one of the significant web security issues is phishing websites, which target human weaknesses rather than software weaknesses. Phishing can be described as the process of luring online users into giving up their sensitive information, such as usernames and passwords. Nowadays, phishing is one of the most common web threats, given the significant growth of the World Wide Web in volume over time. Phishing attackers consistently use new (zero-day) and sophisticated techniques to deceive online users. Thus, it is important that the anti-phishing system is real-time and fast, and also benefits from an intelligent phishing detection solution. Here, we develop a well-founded detection system which can adaptively match the changing environment and phishing websites. Our method is an online and feature-rich machine learning technique to discriminate between phishing and legitimate websites. Since the proposed approach extracts different kinds of features from URLs and page source code, it is a completely client-side solution and does not require any assistance from a third party. In this project, we offer an intelligent system for detecting phishing websites. The system is based on a machine learning technique, specifically supervised learning. We have chosen the Logistic Regression method because of its good performance in classification. Our aim is to obtain a better classifier by considering the characteristics of phishing websites and choosing the better combination of them to train the classifier.


2020 ◽  
Vol 10 (9) ◽  
pp. 2242-2246
Author(s):  
Tian Tang ◽  
Mu-Chuan Zhou ◽  
Yi Quan ◽  
Jun-Liang Guo ◽  
V. S. Balaji ◽  
...  

At present, computer security is a flourishing field in the IT industry. Nowadays, the usage of computers and the Internet grows drastically, and hence computers become vehicles for attackers to spread viruses and worms, to distribute spam and spyware, to perform denial-of-service attacks, etc. IT engineers (and even users) should know about network security threats and, at the same time, should know to some extent the techniques to overcome the issues. The reliability and privacy of patients' healthcare records are the most critical issue in the healthcare business sector. Security safeguards, such as physical, technical, and administrative safeguards, are crucial in protecting the information in all aspects. This article examines forty popular hospital portals in India with respect to network security related issues such as operating system guesses, the number of open/closed/filtered ports, the name of the web server, etc. The Nmap (network mapper) tool is used to analyze the results from the security perspective.


Author(s):  
Riska Riska ◽  
Hendri Alamsyah

The application of a security system on the web needs to be done considering that the web itself can be accessed through a public network. In this study, a Web Application Firewall (WAF)-based security system is implemented using ModSecurity. The purpose of implementing this web security system is to understand the concept of a security system on the web and to compare the results before and after the application of the firewall on the web. This research uses experimental research methods: the implementation of a web application firewall (WAF) using ModSecurity as a web security system is carried out, and then an analysis is carried out to obtain the right recommendations for a firewall as a web security system. The results of this study indicate that a firewall using the ModSecurity module and a rule set based on the Web Application Firewall (WAF) on a web security system can block SQL Injection, Cross Site Scripting (XSS), and Command Execution by displaying an error message to the user who performs the command.


2022 ◽  
Vol 14 (2) ◽  
pp. 939
Author(s):  
Debabrata Singh ◽  
Anil Kumar Biswal ◽  
Debabrata Samanta ◽  
Dilbag Singh ◽  
Heung-No Lee 

For a reliable and convenient system, it is essential to build a secure system that will be protected from outer attacks and also serve the purpose of keeping the inner data safe from intruders. Juice jacking is a popular and spreading cyber-attack that allows intruders to get inside the system through the web and steal data from the system. For peripheral communications, Universal Serial Bus (USB) is the most commonly used standard in 5G generation computer systems. USB is not only used for communication, but also to charge gadgets. However, the transfer of data between devices using USB is prone to various security threats. It is necessary to maintain the confidentiality and sensitivity of data on the bus line to maintain integrity. Therefore, in this paper, a juice jacking attack is analyzed, using the maximum possible means through which a system can be affected using USB. Ten different malware attacks are used for experimental purposes. Various machine learning and deep learning models are used to predict malware attacks. An extensive experimental analysis reveals that the deep learning model can efficiently recognize the juice jacking attack. Finally, various techniques are discussed that can either prevent or avoid juice jacking attacks.


Author(s):  
Vidya M. S. ◽  
Mala C. Patil

The usage of the existing Internet architecture is shrouded by various security loopholes and hence is highly ineffective towards resisting potential threats over the internet. Hence, it is claimed that future internet architecture has evolved as a solution to address these security gaps of the existing internet architecture. Therefore, this paper initiates its discussion by reviewing the existing practices of web security in the conventional internet architecture and also discusses some recent solutions towards mitigating potentially reported threats, e.g. cross-site scripting, SQL injection, and distributed denial-of-service. The paper also discusses some of the recent research contributions towards security solutions considering future internet architecture. The proposed manuscript contributes to showcasing the true effectiveness of existing approaches with respect to the advantages and limitations of existing approaches, along with explicit highlights of existing research problems that require immediate attention.


Author(s):  
Jibril Adamu ◽  
Raseeda Hamzah ◽  
Marshima Mohd Rosli

The electronic medical record has been more widely accepted due to its unarguable benefits when compared to a paper-based system. As the electronic medical record becomes more popular, this raises many security threats against the systems. Common security vulnerabilities, such as weak authentication, cross-site scripting, SQL injection, and cross-site request forgery, have been identified in electronic medical record systems. To achieve the goals of using EMR, attaining security and privacy is extremely important. This study aims to propose a web framework with inbuilt security features that will prevent the common security vulnerabilities in the electronic medical record. The security features of the three most popular and powerful PHP frameworks, Laravel, CodeIgniter, and Symfony, were reviewed and compared. Based on the results, Laravel is equipped with the security features that the electronic medical record currently requires. This paper provides descriptions of the proposed conceptual framework that can be adapted to implement secure EMR systems.
