• Refine Query
  • Source
  • Publication year
  • to
  • Language
  • 15
  • 3
  • 1
  • 1
  • 1
  • Tagged with
  • 24
  • 24
  • 24
  • 9
  • 8
  • 8
  • 6
  • 5
  • 4
  • 4
  • 4
  • 4
  • 4
  • 4
  • 4
  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Web application Security

Charpentier Rojas, Jose Enrique January 2013 (has links)
Problems related to web application security comes in many ways, one example is inexperience programmers but not only in the way they code and program but also which language and structure they use to code. Not only programmers but Software companies left holes in the software they developed of course without intention.Because is proven that most of the vulnerabilities start in the web application side, as developers we need to follow certain principles, test our code and learn as much as possible about the subject, as a foundation of web application security in order to know how to prevent issues to the most significant treats.The penetration test aimed to help the IT business to discover vulnerabilities in their system ensure their integrity and continue further in the web application security process. The vulnerability research perform in this report is the introduction of a big work that is under continuity for the company.Finally the success of following security standards, process and methodologies applied on this field is considered the best approach to ensure web application security and priceless information you can benefit from.
2

LIDS: An Extended LSTM Based Web Intrusion Detection System With Active and Distributed Learning

Sagayam, Arul Thileeban 24 May 2021 (has links)
Intrusion detection systems are an integral part of web application security. As Internet use continues to increase, the demand for fast, accurate intrusion detection systems has grown. Various IDSs like Snort, Zeek, Solarwinds SEM, and Sleuth9, detect malicious intent based on existing patterns of attack. While these systems are widely deployed, there are limitations with their approach, and anomaly-based IDSs that classify baseline behavior and trigger on deviations were developed to address their shortcomings. Existing anomaly-based IDSs have limitations that are typical of any machine learning system, including high false-positive rates, a lack of clear infrastructure for deployment, the requirement for data to be centralized, and an inability to add modules tailored to specific organizational threats. To address these shortcomings, our work proposes a system that is distributed in nature, can actively learn and uses experts to improve accuracy. Our results indicate that the integrated system can operate independently as a holistic system while maintaining an accuracy of 99.03%, a false positive rate of 0.5%, and speed of processing 160,000 packets per second for an average system. / Master of Science / Intrusion detection systems are an integral part of web application security. The task of an intrusion detection system is to identify attacks on web applications. As Internet use continues to increase, the demand for fast, accurate intrusion detection systems has grown. Various IDSs like Snort, Zeek, Solarwinds SEM, and Sleuth9, detect malicious intent based on existing attack patterns. While these systems are widely deployed, there are limitations with their approach, and anomaly-based IDSs that learn a system's baseline behavior and trigger on deviations were developed to address their shortcomings. Existing anomaly-based IDSs have limitations that are typical of any machine learning system, including high false-positive rates, a lack of clear infrastructure for deployment, the requirement for data to be centralized, and an inability to add modules tailored to specific organizational threats. To address these shortcomings, our work proposes a system that is distributed in nature, can actively learn and uses experts to improve accuracy. Our results indicate that the integrated system can operate independently as a holistic system while maintaining an accuracy of 99.03%, a false positive rate of 0.5%, and speed of processing 160,000 packets per second for an average system.
3

A Model-driven Penetration Test Framework for Web Applications

Xiong, Pulei 12 January 2012 (has links)
Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.
4

A Model-driven Penetration Test Framework for Web Applications

Xiong, Pulei 12 January 2012 (has links)
Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.
5

A Model-driven Penetration Test Framework for Web Applications

Xiong, Pulei 12 January 2012 (has links)
Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.
6

A Model-driven Penetration Test Framework for Web Applications

Xiong, Pulei January 2012 (has links)
Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.
7

Creating Application Security Layer Based On Resource Access Decision Service

Metin, Mehmet Ozer 01 September 2003 (has links) (PDF)
Different solutions have been used for each security aspects (access control, application security) to secure enterprise web applications. However combining &quot / enterprise-level&quot / and &quot / application-level&quot / security aspects in one layer could give great benefits such as reusability, manageability, and scalability. In this thesis, adding a new layer to n-tier web application architectures to provide a common evaluation and enforcement environment for both enterprise-level and application level policies to bring together access controlling with application-level security. Removing discrimination between enterprise-level and application-level security policies improves manageability, reusability and scalability of whole system. Resource Access Decision (RAD) specification has been implemented and used as authentication mechanism for this layer. RAD service not only provides encapsulating domain specific factors to give access decisions but also can form a solid base to apply positive and negative security model to secure enterprise web applications. Proposed solution has been used in a real life system and test results have been presented.
8

Moving Target Defense for Web Applications

January 2018 (has links)
abstract: Web applications continue to remain as the most popular method of interaction for businesses over the Internet. With it's simplicity of use and management, they often function as the "front door" for many companies. As such, they are a critical component of the security ecosystem as vulnerabilities present in these systems could potentially allow malicious users access to sensitive business and personal data. The inherent nature of web applications enables anyone to access them anytime and anywhere, this includes any malicious actors looking to exploit vulnerabilities present in the web application. In addition, the static configurations of these web applications enables attackers the opportunity to perform reconnaissance at their leisure, increasing their success rate by allowing them time to discover information on the system. On the other hand, defenders are often at a disadvantage as they do not have the same temporal opportunity that attackers possess in order to perform counter-reconnaissance. Lastly, the unchanging nature of web applications results in undiscovered vulnerabilities to remain open for exploitation, requiring developers to adopt a reactive approach that is often delayed or to anticipate and prepare for all possible attacks which is often cost-prohibitive. Moving Target Defense (MTD) seeks to remove the attackers' advantage by reducing the information asymmetry between the attacker and defender. This research explores the concept of MTD and the various methods of applying MTD to secure Web Applications. In particular, MTD concepts are applied to web applications by implementing an automated application diversifier that aims to mitigate specific classes of web application vulnerabilities and exploits. Evaluation is done using two open source web applications to determine the effectiveness of the MTD implementation. Though developed for the chosen applications, the automation process can be customized to fit a variety of applications. / Dissertation/Thesis / Masters Thesis Computer Science 2018
9

Rules Based Analysis Engine for Application Layer IDS

Scrobonia, David 01 May 2017 (has links)
Web application attack volume, complexity, and costs have risen as people, companies, and entire industries move online. Solutions implemented to defend web applications against malicious activity have traditionally been implemented at the network or host layer. While this is helpful for detecting some attacks, it does not provide the gran- ularity to see malicious behavior occurring at the application layer. The AppSensor project, an application level intrusion detection system (IDS), is an example of a tool that operates in this layer. AppSensor monitors users within the application by observing activity in suspicious areas not able to be seen by traditional network layer tools. This thesis aims to improve the state of web application security by supporting the development of the AppSensor project. Specifically, this thesis entails contributing a rules-based analysis engine to provide a new method for determining whether suspicious activity constitutes an attack. The rules-based method aggregates information from multiple sources into a logical rule to identify malicious activity, as opposed to relying on a single source of information. The rules-based analysis engine is designed to offer more flexible configuration for administrators and more accurate results than the incumbent analysis engine. Tests indicate that the new engine should not hamper the performance of AppSensor and use cases highlight how rules can be leveraged for more accurate results.
10

Detecting changes in web applications

Lunyov, Phillip January 2020 (has links)
As the availability and popularity of the Internet continues to grow, the trend ofproviding global access to business resources and services online is an efficient andprofitable way for organizations to acquire a new share of the market. Due to the flexibilityand scalability of modern web technologies, web-based applications processand store personal or critical information in enormous amounts. Hence, the overallapplication’s functionality and secure data processing are the main key factors ofeach web application. For ensuring those key factors, the web page code must be regularlymonitored to retain the overall quality of the code. This project is devoted tochange identification and classification in modern web-based applications, based onthe comparison of two versions of web page code, acquired in different time periods.The foundation of the development is described as a detection algorithm in one of theacademic papers. The algorithm was supplemented by a more extensive classificationof changes that was originally proposed by the author. The result of the researchis a semi-automatic tool, developed in Python. The tool compares two versions ofthe web page code to find changes and classify those changes. The result of the tool’sexecution is a report file that contains statistics of the overall algorithm’s executionand type-clustered information about the detected changes between two versions ofthe web page code. The analysis of results showed that the implemented diff-toolprovides reliable results and allocates all types of possible changes in the web pagecodes, which are acknowledged by statistical analysis. The comparative analysis ofthe results of the developed diff-tool with the results of other similar technical solutionsrevealed serious shortcomings of other solutions, due to their data processingimplementation, classification of the changes and resulting report file.

Page generated in 0.0905 seconds