A Survey on Conducting Vulnerability Assessment in Web-Based Application

  • Conference paper
Advanced Machine Learning Technologies and Applications (AMLTA 2014)

Abstract

Many organizations have moved their traditional systems to web-based applications to increase profit and, at the same time, to improve the efficiency of activities such as customer support and data transactions. However, web-based applications have become a major target for attackers because of common vulnerabilities in the applications themselves. Assessing the level of information security in a web-based application is a serious challenge for many organizations. One of the important steps in ensuring the security of a web application is conducting vulnerability assessment periodically. Vulnerability assessment is the process of searching for potential loopholes or vulnerabilities in a system. Most current assessment efforts involve searching for known vulnerabilities that commonly exist in web-based applications. The process of conducting vulnerability assessment can be improved by understanding the functionality of the application and the characteristics of the vulnerabilities themselves. In this paper, we perform an empirical study of how vulnerability assessment is carried out, with the aim of understanding how knowledge of the application's functionality, its vulnerabilities and the assessment activities benefits the assessment process from an application-security perspective.
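
The kind of known-vulnerability search the abstract describes, as an added example that is not part of the paper: a small Python assessment pass that runs a set of checks over two constructed HTTP responses for a hypothetical host (shop.example; both responses are made up for this example, not captured traffic). One response comes from an endpoint that echoes a probe string unencoded, leaks a database error message and sets a session cookie without the Secure and HttpOnly attributes; the other comes from a hardened version of the same endpoint. The checks, severity labels and error-message signatures are the example's own choices.

```python
"""Offline illustration of a known-vulnerability assessment pass over HTTP responses.

Added example, not code from the paper. Every response below is constructed
for the example; shop.example is a hypothetical host.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # which check fired
    severity: str   # example's own coarse rating: low / medium / high
    evidence: str   # header name, pattern or value that triggered the finding


# Probe value a scanner would send in a query parameter: a quote, a double
# quote and an angle-bracketed tag, so unencoded echoing is easy to spot.
PROBE = "zq9'\"<xz>"

# Constructed response from a weak endpoint (not a real capture).
VULNERABLE = {
    "url": "https://shop.example/search?q=" + PROBE,
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": "SESSIONID=abc123; Path=/",
    },
    "body": (
        "<h1>Results for zq9'\"<xz></h1>"
        "<p>You have an error in your SQL syntax; check the manual</p>"
    ),
}

# Constructed response from the hardened version of the same endpoint.
HARDENED = {
    "url": "https://shop.example/search?q=" + PROBE,
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": "max-age=31536000",
    },
    "body": "<h1>Results for zq9&#x27;&quot;&lt;xz&gt;</h1><p>No results.</p>",
}

# Database error signatures commonly seen in leaked error pages.
SQL_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",                # MySQL
    r"unclosed quotation mark after the character string",  # MS SQL Server
    r"ORA-\d{5}",                                           # Oracle
    r"pg_query\(\)|PG::SyntaxError",                        # PostgreSQL drivers
]

# Response headers the example treats as mandatory on an HTML page.
REQUIRED_HEADERS = ["Content-Security-Policy", "X-Frame-Options",
                    "Strict-Transport-Security"]


def check_headers(resp):
    """Flag each required header that is absent (header names are case-insensitive)."""
    present = {k.lower() for k in resp["headers"]}
    required = list(REQUIRED_HEADERS)
    if not resp["url"].startswith("https://"):
        required.remove("Strict-Transport-Security")  # HSTS is only meaningful over TLS
    return [Finding("missing-header", "low", h) for h in required if h.lower() not in present]


def check_reflection(resp, probe=PROBE):
    """A probe echoed verbatim (not entity-encoded) into HTML is an XSS candidate, not proof."""
    if probe in resp["body"]:
        return [Finding("reflected-input", "medium", probe)]
    return []


def check_sql_errors(resp):
    """Match leaked database error text against known signatures."""
    return [Finding("sql-error-disclosure", "high", p)
            for p in SQL_ERROR_PATTERNS if re.search(p, resp["body"])]


def check_session_cookie(resp):
    """Report a Set-Cookie header that lacks the Secure or HttpOnly attribute."""
    cookie = resp["headers"].get("Set-Cookie", "")
    if not cookie:
        return []
    attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
    return [Finding("cookie-flags", "medium", f) for f in ("secure", "httponly") if f not in attrs]


CHECKS = [check_headers, check_reflection, check_sql_errors, check_session_cookie]


def assess(resp):
    """Run every registered check over one response and collect the findings."""
    findings = []
    for check in CHECKS:
        findings.extend(check(resp))
    return findings


if __name__ == "__main__":
    for f in assess(VULNERABLE):
        print(f"[{f.severity}] {f.check}: {f.evidence}")
```

Run directly, the script lists seven findings for the weak response and none for the hardened one. The reflection check deliberately reports only a candidate: an unencoded echo shows where input reaches the page, but confirming that it is exploitable requires understanding what the endpoint does with that parameter, which is the functionality-aware step the abstract says pure signature matching lacks.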

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Awang, N.F., Manaf, A.A., Zainudin, W.S. (2014). A Survey on Conducting Vulnerability Assessment in Web-Based Application. In: Hassanien, A.E., Tolba, M.F., Taher Azar, A. (eds) Advanced Machine Learning Technologies and Applications. AMLTA 2014. Communications in Computer and Information Science, vol 488. Springer, Cham. https://doi.org/10.1007/978-3-319-13461-1_43

  • DOI: https://doi.org/10.1007/978-3-319-13461-1_43

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13460-4

  • Online ISBN: 978-3-319-13461-1

  • eBook Packages: Computer Science, Computer Science (R0)
