Research Article

A STUDY ON WEB APPLICATION SECURITY VULNERABILITIES AND SECURITY SOLUTIONS (original title: WEB UYGULAMA GÜVENLİĞİ AÇIKLIKLARI VE GÜVENLİK ÇÖZÜMLERİ ÜZERİNE BİR ARAŞTIRMA)

Year 2016, Volume: 2 Issue: 1, 1 - 7, 30.06.2016
https://doi.org/10.18640/ubgmd.56836

Abstract

This study examines the ten most critical web application security vulnerabilities in the OWASP Top 10 published for 2013, the sources of these vulnerabilities, and the security solutions used to prevent the attacks that exploit them. The security solutions deployed against attacks that can be carried out through these vulnerabilities are also evaluated and compared in terms of their areas of use, how they work, and their effectiveness. Based on the information and findings obtained, recommendations are given on which kind of security solution should be preferred against which kinds of attack, together with measures aimed at raising awareness and improving web application security.

References

  • Manikanta, Y. V. N., & Sardana, A. (2012). Protecting web applications from SQL injection attacks by using framework and database firewall. In Proceedings of the International Conference on Advances in Computing, Communications and Informatics (pp. 609-613). ACM.
  • Scholte, T., Balzarotti, D., & Kirda, E. (2012). Have things changed now? An empirical study on input validation vulnerabilities in web applications. Computers & Security, 31(3), 344-356.
  • Qian, L., Wan, J., Chen, L., & Chen, X. (2013). Complete web security testing methods and recommendations. In 2013 International Conference on Computer Sciences and Applications (CSA) (pp. 86-89). IEEE.
  • Monga, M., Paleari, R., & Passerini, E. (2009). A hybrid analysis framework for detecting web application vulnerabilities. In Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems (pp. 25-32). IEEE Computer Society.
  • Internet: Hacking PayPal accounts with one click. URL: http://yasserali.com/hacking-paypal-accounts-with-one-click/
  • Internet: 2007 cyberattacks on Estonia. URL: http://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia. Last accessed: 02.08.2014.
  • Jain, P., & Goyal, S. (2009). An adaptive intrusion prevention system based on immunity. In 2009 International Conference on Advances in Computing, Control, & Telecommunication Technologies (ACT '09) (pp. 759-763). IEEE.
  • Liao, H. J., Lin, C. H. R., Lin, Y. C., & Tung, K. Y. (2013). Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1), 16-24.
  • Yip, A., Wang, X., Zeldovich, N., & Kaashoek, M. F. (2009). Improving application security with data flow assertions. In Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles (pp. 291-304). ACM.
  • Son, S., McKinley, K. S., & Shmatikov, V. (2013). Diglossia: Detecting code injection attacks with precision and efficiency. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (pp. 1181-1192). ACM.
  • Krishnamurthy, A., Mettler, A., & Wagner, D. (2010). Fine-grained privilege separation for web applications. In Proceedings of the 19th International Conference on World Wide Web (pp. 551-560). ACM.
  • Wurzinger, P., Platzer, C., Ludl, C., Kirda, E., & Kruegel, C. (2009). SWAP: Mitigating XSS attacks using a reverse proxy. In Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems (pp. 33-39). IEEE Computer Society.
  • Guan, X., Wang, W., & Zhang, X. (2009). Fast intrusion detection based on a non-negative matrix factorization model. Journal of Network and Computer Applications, 32(1), 31-44.
  • Chakrabarti, S., Chakraborty, M., & Mukhopadhyay, I. (2010). Study of Snort-based IDS. In Proceedings of the International Conference and Workshop on Emerging Trends in Technology (pp. 43-47). ACM.
  • Hoang, X. D., Hu, J., & Bertok, P. (2009). A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference. Journal of Network and Computer Applications, 32(6), 1219-1228.
  • Meng, Y., & Kwok, L. F. (2014). Adaptive blacklist-based packet filter with a statistic-based approach in network intrusion detection. Journal of Network and Computer Applications, 39, 83-92.
  • WhiteHat Security (2013). Website Security Statistics Report.
  • Cenzic (2014). Application Vulnerability Trends Report.
  • Du, W., Jayaraman, K., Tan, X., Luo, T., & Chapin, S. (2011). Position paper: Why are there so many vulnerabilities in web applications? In Proceedings of the 2011 New Security Paradigms Workshop (pp. 83-94). ACM.
  • Dalai, A. K., & Jena, S. K. (2011, February). Evaluation of web application security risks and secure design patterns. In Proceedings of the 2011 International Conference on Communication, Computing & Security (pp. 565-568). ACM.
  • Internet: Web Application Security Fundamentals. URL: http://msdn.microsoft.com/en-us/library/ff648636.aspx. Published: June 2003.
  • Internet: "Top 10 2013 - Top 10". URL: https://www.owasp.org/index.php/Top_10_2013-Top_10. Last modified: 26 August 2014.
  • Liu, A., Yuan, Y., Wijesekera, D., & Stavrou, A. (2009). SQLProb: A proxy-based architecture towards preventing SQL injection attacks. In Proceedings of the 2009 ACM Symposium on Applied Computing (pp. 2054-2061). ACM.
  • Silva Pinto, B., & Barnett, R. (2011). A novel algorithm for obfuscated code analysis. In 2011 IEEE International Workshop on Information Forensics and Security (WIFS) (pp. 1-5). IEEE.
  • Khairkar, A. D., Kshirsagar, D. D., & Kumar, S. (2013). Ontology for detection of web attacks. In 2013 International Conference on Communication Systems and Network Technologies (CSNT) (pp. 612-615). IEEE.
  • Al-Khashab, E., Al-Anzi, F. S., & Salman, A. A. (2011). PSIAQOP: Preventing SQL injection attacks based on query optimization process. In Proceedings of the Second Kuwait Conference on e-Services and e-Systems (Article 10). ACM.

Details

Primary Language Turkish
Subjects Engineering
Journal Section Articles
Authors

Durmuş Aydoğdu

Merve Gündüz

Publication Date June 30, 2016
Submission Date May 18, 2015
Published in Issue Year 2016 Volume: 2 Issue: 1

Cite

IEEE D. Aydoğdu and M. Gündüz, “WEB UYGULAMLAMA GÜVENLİĞİ AÇIKLIKLARI VE GÜVENLİK ÇÖZÜMLERİ ÜZERİNE BİR ARAŞTIRMA”, UBGMD, vol. 2, no. 1, pp. 1–7, 2016, doi: 10.18640/ubgmd.56836.