Abstract
The number of Web attacks is increasing steadily, mainly because of the popularity of Web applications in organizations, schools, and colleges. For this reason, securing their sensitive information against attackers has become very important for all organizations and companies. In this paper, we describe different types of Web application attacks, such as SQL injection, XSS attacks, CSRF attacks, and buffer overflows. We also discuss different types of penetration-testing tools for Web applications. Penetration testing tries to find the vulnerabilities of a Web application so that a defense mechanism can be built to deal with Web attacks. Finally, we build attack trees and defense trees to represent those attacks and to prevent them.
© 2021 Springer Nature Singapore Pte Ltd.
Sarkar, S. (2021). Detecting Vulnerabilities of Web Application Using Penetration Testing and Prevent Using Threat Modeling. In: Mallick, P.K., Bhoi, A.K., Chae, GS., Kalita, K. (eds) Advances in Electronics, Communication and Computing. ETAEERE 2020. Lecture Notes in Electrical Engineering, vol 709. Springer, Singapore. https://doi.org/10.1007/978-981-15-8752-8_3
DOI: https://doi.org/10.1007/978-981-15-8752-8_3
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-8751-1
Online ISBN: 978-981-15-8752-8