Abstract
Many organizations have replaced their traditional systems with web-based applications in order to increase profit and, at the same time, improve the efficiency of activities such as customer support services and data transactions. However, web-based applications have become a major target for attackers because of common vulnerabilities that exist in these applications. Assessing the level of information security in a web-based application is a serious challenge for many organizations. One of the important steps in ensuring the security of a web application is conducting vulnerability assessments periodically. A vulnerability assessment is a process of searching for any potential loopholes or vulnerabilities contained in a system. Most current assessment efforts involve searching for known vulnerabilities that commonly exist in web-based applications. The process of conducting a vulnerability assessment can be improved by understanding the functionality of the application and the characteristics of the vulnerabilities. In this paper, we perform an empirical study of how to conduct a vulnerability assessment, with the aim of understanding how the application's functionality, its vulnerabilities and the assessment activities benefit the assessment process from the perspective of application security.
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Awang, N.F., Manaf, A.A., Zainudin, W.S. (2014). A Survey on Conducting Vulnerability Assessment in Web-Based Application. In: Hassanien, A.E., Tolba, M.F., Taher Azar, A. (eds) Advanced Machine Learning Technologies and Applications. AMLTA 2014. Communications in Computer and Information Science, vol 488. Springer, Cham. https://doi.org/10.1007/978-3-319-13461-1_43
DOI: https://doi.org/10.1007/978-3-319-13461-1_43
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13460-4
Online ISBN: 978-3-319-13461-1