Detecting Vulnerabilities of Web Application Using Penetration Testing and Prevent Using Threat Modeling

Conference paper. Published in: Advances in Electronics, Communication and Computing (ETAEERE 2020)

Part of the book series: Lecture Notes in Electrical Engineering ((LNEE,volume 709))

Abstract

The number of Web attacks is increasing steadily, mainly because of the popularity of Web applications in organizations, schools, and colleges. For this reason, securing sensitive information against attackers has become very important for all organizations and companies. In this paper, we describe different types of Web application attacks, such as SQL injection, XSS, CSRF, and buffer overflow. We also discuss different types of penetration testing tools for Web applications. Penetration testing tries to find the vulnerabilities of a Web application so that a defense mechanism can be built to deal with Web attacks. Finally, we build attack trees and defense trees to represent the attacks and to prevent them.

Author information

Corresponding author: Sandip Sarkar.

Copyright information

© 2021 Springer Nature Singapore Pte Ltd.

Cite this paper

Sarkar, S. (2021). Detecting Vulnerabilities of Web Application Using Penetration Testing and Prevent Using Threat Modeling. In: Mallick, P.K., Bhoi, A.K., Chae, GS., Kalita, K. (eds) Advances in Electronics, Communication and Computing. ETAEERE 2020. Lecture Notes in Electrical Engineering, vol 709. Springer, Singapore. https://doi.org/10.1007/978-981-15-8752-8_3

  • DOI: https://doi.org/10.1007/978-981-15-8752-8_3

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-8751-1

  • Online ISBN: 978-981-15-8752-8