Improvement of Dynamic Web Vulnerability Inspection Method and Procedure by Website Structuring and Calculating Each Page&#039;s Action Size (웹 사이트 구조화 및 페이지별 동작크기 계산을 통한 동적 웹 취약점 점검 방법 및 절차 개선 연구)

Jae-Ho Lee (이재호); Lee Sang Joon (이상준)

doi:10.34163/jkits.2017.12.5.015

Improvement of Dynamic Web Vulnerability Inspection Method and Procedure by Website Structuring and Calculating Each Page's Action Size

Journal of Knowledge Information Technology and Systems
Abbr : JKITS
2017, 12(5), pp.747-763
DOI : 10.34163/jkits.2017.12.5.015
Publisher : Korea Knowledge Information Technology Society
Research Area : Interdisciplinary Studies > Interdisciplinary Research
Published : October 31, 2017

Jae-Ho Lee ¹, Lee Sang Joon ¹

¹전남대학교

Accredited

ABSTRACT

As the Web evolves, various web vulnerabilities are being discovered. Many companies and organizations are working to eliminate Web vulnerabilities, but they are not shrinking. Due to the nature of web vulnerability checks, dynamic checks are essential, and manual checks are preferred for accurate checking. In the case of a dynamic inspection performed manually, there are various problems such as false negative, missing inspection target and deflection due to inspectors. In this paper, we propose inspection methods and procedures to prevent a false negative, missing inspection target and deflection due to inspectors. In the proposed method, the web site is structured by Information Architecture(IA), and the detailed pages are classified into seven operation functions. The detailed pages are obtained by using the number of parameters, and the size of the entire website is calculated by adding the sizes of the detailed pages. Based on the number of Web vulnerability items to be used for the check, calculate the size of the page that can be checked in one day, and calculate the total inspection schedule. We verified the validity of the proposed method by comparing the number of vulnerabilities detected by the proposed method and the current method, and by analyzing the results of questionnaires for the related field workers. The proposed method can be applied not only to dynamic inspection but also to static inspection.

KEYWORDS

Web application, Web vulnerability, Dynamic inspection, Manual inspection, IA(Information Architecture), OWASP Top 10, AHP

Citation status

* References for papers published after 2023 are currently being built.

[web] D. S. Jeong / 2017 / Many security vulnerabilities found in most web applications / http://digitalyeogie.com/entry/49451?locPos=25Q&ts=1487390696&page=4862

[report] KISA / 2016 / Web vulnerability analysis and technical support / Korea Internet Security Agency

[web] M. S. Kim / 2017 / Bombu hacking is attacking web vulnerability DB-the reason for the 2 million personal information was revealed / http://news.kukinews.com/news/article.html?no=317262

[thesis] M. Y. Bae / 2016 / A study on HTML5 security fragility analysis and inspection technique / Graduate School Andong National University

[journal] 서광익 / 2010 / Dynamic Analysis based on AOP for Checking Security Vulnerability / 정보과학회논문지 : 소프트웨어 및 응용 / 한국정보과학회 37(10) : 773~778

[book] K. G. Kim / 2015 / Internet hacking and security-Introduction to Information Security and Practice / Hanbit academy

[thesis] T. Y. Park / 2015 / Study on the improvement of web vulnerability diagnosis of companies using Web Privacy Impact Assessment(WPIA) / Graduate school of Information Communication, Konkuk University

[journal] T. M. Liu / 2016 / The interactive mechanism of static and dynamic analysis in the reverse analysis of embedded software / International Journal of Multimedia and Ubiquitous Engineering 11(10) : 33~44

[confproc] A. D. Petukhov / 2008 / Detecting security vulnerabilities in web applications using dynamic analysis with penetration testing / OWASP Application Security Conference : 19~22

[web] G. H. Amir / 2016 / Static analysis vs dynamic analysis in software testing / https://www.testingexcellence.com/static-analysis-vs-dynamic-analysis-software-testing/

[journal] S. Z. JIN / 2011 / Detection of DOM-based cross-site scripting with dynamic request / KOREA INFORMATION SCIENCE SOCIETY 38(2C) : 168~171

[journal] D. D. Bertoglio / 2017 / Overview and open issues on penetration test / the Brazilian Computer Society 23(2)

[web] TTA / 2017 / Dictionary of information and communication terms / http://terms.tta.or.kr/dictionary/dictionaryView.do

[other] KISA / 2014 / Detailed information on how to analyze and evaluate key information infrastructure vulnerabilities / Korea Internet Security Agency

[web] A3 Security / 2017 / Explanation of technical vulnerability diagnosis consulting / http://www.a3sc.co.kr/01/cons02_6.php

[confproc] J. H. Lee / 2017 / A study on improvement of web vulnerability inspection standard of the Critical Information and Communication Infrastructure / Proceedings of the 21st KKITS Spring Conference 11(1) : 76~79

[web] OWASP / 2017 / Category:OWASP Top Ten Project / https://www.owasp.org/

[journal] 문재찬 / 2012 / Vulnerability Analysis and Threat Mitigation for Secure Web Application Development / 한국컴퓨터정보학회논문지 / 한국컴퓨터정보학회 17(2) : 127~137

[other] NCSC / 2005 / Homepage security management manual / National Cyber Security Center

[other] KISA / 2012 / Website development for information system development operators SW (web) development security guide / Korea Internet Security Agency

[web] Korea Law Information Center / 2017 / Vulnerability analysis and evaluation criteria for major IT infrastructure facilities(No. 2013-37) / / http://www.law.go.kr/

[other] KISA / 2013 / Homepage for information system development operator guide to vulnerability diagnosis and removal / Korea Internet Security Agency

[web] Wiki / 2017 / Web Vulnerability check / https://ko.wikipedia.org/wiki/

[book] J. M. Lee / 2011 / Information architecture for world wide web / Hanbit academy

[journal] R. W. Saaty / 1987 / The analytic hierarchy process -what it is and how it is used / Mathematical Modelling 9(3–5) : 161~176

[web] M. Alexander / 2017 / Decision-making using the analytic hierarchy process(AHP) and SAS/IML / http://analytics.ncsu.edu/sesug/2012/SD-04.pdf

[book] R. A. Kruger / 2015 / Focus groups: A practical guide for applied research / Sage Publication Inc

KJCKorea
Journal Central

Journal of Knowledge Information Technology and Systems 2023 KCI Impact Factor : 0.89

Improvement of Dynamic Web Vulnerability Inspection Method and Procedure by Website Structuring and Calculating Each Page's Action Size

ABSTRACT

KEYWORDS

Citation status

* References for papers published after 2023 are currently being built.

Journal of Knowledge Information Technology and Systems 2023 KCI Impact Factor : 0.89

Improvement of Dynamic Web Vulnerability Inspection Method and Procedure by Website Structuring and Calculating Each Page's Action Size

ABSTRACT

KEYWORDS

Statistics

Tools

Issue List

Citation status

KCI Citation Counts (1)

REFERENCES (27) * References for papers published after 2023 are currently being built.

Search PDF

Citation

* References for papers published after 2023 are currently being built.