
WebHOLE: Developing a web-based hands-on learning environment to assist beginners in learning web application security

Published in: Education and Information Technologies

Abstract

With the rapid growth of web applications, web application security (WAS) has become an important cybersecurity issue. For effective WAS protection, it is necessary to cultivate and train personnel, especially beginners, to develop correct concepts and practical hands-on abilities through cybersecurity education. At present, many methods offer vulnerable web environments to support practical hands-on training, including large-scale "Capture the Flag" modes (e.g., Cyber Range), pre-configured virtual machine images (e.g., Mutillidae), pre-built stand-alone applications (e.g., WebGoat), and web-based systems (e.g., Damn Vulnerable Web Application). However, beginners need not only hands-on training tools and systems but also assistance to support effective learning. Moreover, pre-built training content and exercises are usually not easy to modify and thus lack the flexibility to meet specific teaching needs. Therefore, this study proposed and developed the Web-based Hands-On Learning Environment (WebHOLE) to efficiently assist beginners in learning WAS. To improve the flexibility of the training content, a web-based authoring tool was developed in WebHOLE to create customized hands-on learning exercises. Accordingly, learners can learn and practice the WAS training content online with learning assistance provided by the hands-on learning system. The hands-on abilities of the learners can be efficiently assessed by the hands-on testing system using online exams with progressive hints and automatic grading. Furthermore, to improve the effectiveness of teaching and testing, a portfolio analysis scheme using a data mining technique was developed to identify learning barriers and problematic test items. WebHOLE was applied to an actual beginner-level WAS course for undergraduate students. The experimental results showed the benefits of WebHOLE on WAS learning, with a significant improvement in learning outcomes. Students expressed high satisfaction with WebHOLE's learning assistance, rating it with average satisfaction scores above 4.0 out of 5.0. The portfolio analysis scheme also showed the effectiveness of WebHOLE in identifying learning problems and refining test items.



Data availability

The data in this study cannot be made publicly available for reasons of personal privacy, but may be discussed with the corresponding author upon reasonable request.


Acknowledgements

The author sincerely thanks the anonymous reviewers and editors for their valuable feedback, which helped improve this paper.

Funding

This research was supported by the National Science and Technology Council of Taiwan under grant numbers MOST 111-2410-H-024-002-MY2, MOST 109-2511-H-024-001-MY2, and MOST 106-2511-S-024-002-MY3.

Corresponding author

Correspondence to Jun-Ming Su.

Ethics declarations

Competing interests

The authors declare no competing interests.

Additional information

Publisher's note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Su, JM. WebHOLE: Developing a web-based hands-on learning environment to assist beginners in learning web application security. Educ Inf Technol 29, 6579–6610 (2024). https://doi.org/10.1007/s10639-023-12090-z


  • DOI: https://doi.org/10.1007/s10639-023-12090-z
