Survey on detecting and preventing web application broken access control attacks
Web applications are an essential component of today's wide range of digital services, including financial and governmental services as well as social networking and communications. Broken access control vulnerabilities pose a huge risk to that ecosystem because they allow an attacker to circumvent the allocated permissions and rights and perform actions they are not authorized to perform. This paper gives a broad survey of current research progress on approaches used to detect the exploitation of access control vulnerabilities and attacks on web application components. It categorizes these approaches based on their key techniques and compares the different detection methods, in addition to evaluating their strengths and weaknesses. We also identify and elaborate on some exciting research gaps found in the current literature. Finally, the paper summarizes the general detection approaches and suggests potential research directions for the future.
Web Application Weakness Ontology Based on Vulnerability Data
Web applications are becoming more ubiquitous. All manner of physical devices are now connected and often have a variety of web applications and web interfaces. This proliferation of web applications has been accompanied by an increase in reported software vulnerabilities. The objective of this analysis of vulnerability data is to understand the current landscape of reported web application flaws. Along those lines, this work reviews ten years (2011 - 2020) of vulnerability data in the National Vulnerability Database. Based on this data, the most common web application weaknesses are identified and their profiles presented. A weakness ontology is developed to capture the attributes of these weaknesses, including their attack method and attack vectors. Also described is the impact of the weaknesses on software quality attributes. Additionally, the technologies that are susceptible to each weakness are presented; these include programming languages, frameworks, communication protocols, and data formats.
XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany
XML Signature Wrapping (XSW) has been a relevant threat to web services for 15 years and remains one today. Using the Personal Health Record (PHR), which is currently under development in Germany, we investigate a current SOAP-based web services system as a case study. In doing so, we highlight several deficiencies in defending against XSW. Using this real-world contemporary example as motivation, we introduce a guideline for more secure XML signature processing that provides practitioners with easier access to the effective countermeasures identified in the current state of research.
Comment: Accepted for IFIP SEC 202
Web application penetration testing
Information security is needed whether in the private sector or in business, for protecting competitive secrets from the market or simply for privacy. The advantage of the internet and web applications is that they are accessible to everyone, but in the business world data must be safe, reliable and accessible. Although these are not new problems, and there have always been different solutions to them, we always need to stay at the cutting edge of the new attacks that appear every day and try to achieve greater security. In this paper we present some of the most dangerous forms of risk threatening web applications in the years 2015/2016. We demonstrate step by step how unauthorized access is obtained from a web application into the server system, and we explain why it happened based on the analysis we have done. In the testing stages we used parts of real tests that we performed on several web applications, using penetration testing methods, which are a procedure for testing and documentation covering network infrastructure, servers, web applications, wireless communications and all other technological parts. Penetration testing is a testing procedure for web applications usually performed on ports 80 and 443. In this paper we explain the real analysis of the tests with all the procedures for one web application, including all the attached stages that are used in real life by security testers for testing the security of web applications.