Antidefacement
DOI: https://doi.org/10.18046/syt.v14i39.2341
Keywords: Defacement, Web application, security, vulnerability, Web security, integrity.
Abstract
The Internet connects around three billion users worldwide, a number that grows every day. Thanks to this technology, people, companies and devices perform many tasks, such as broadcasting information through websites. Because of the large volumes of sensitive information they hold and their lack of security, the number of attacks on these applications has increased significantly. Attacks on websites have different purposes; one of them is the introduction of unauthorized modifications (defacement). Defacement affects both system users and the company's image, so the research community has been working on solutions to reduce the associated security risks. This paper presents an introduction to the state of the art in the techniques, methodologies and solutions proposed by both the research community and the computer security industry.
License
This publication is licensed under the terms of the CC BY 4.0 license (https://creativecommons.org/licenses/by/4.0/deed.pt_BR).