Security Assessment through Google Tools -Focusing on the Korea University Website




pp. 9-13
http://dx.doi.org/10.14257/astl.2015.93.03

Mi Young Bae¹, Hankyu Lim¹
¹ Department of Multimedia Engineering, Andong National University, 388 Seongcheon-Dong, Andong-City, Gyeongsangbuk-Do, Republic of Korea
mybae73@naver.com, hklim@anu.ac.kr

Abstract. Recent cyber-attacks have targeted websites in most cases. Therefore, the present study diagnoses the security vulnerabilities of the home pages of universities in South Korea through Googling, which is the easiest way to collect information. The study is intended to raise awareness of how the Google search engine can be used to attack vulnerabilities and to present countermeasures against the security vulnerabilities revealed by Google hacking.

Keywords: Secure coding, Google Hacking, Security Assessment, Web site.

1 Introduction

Since today's software exchanges data in Internet environments, the possibility of being attacked by malicious hackers always exists. Targeted attacks in 2013 increased by 91% compared to the previous year, and the number of information leak incidents increased by 62%. Through these incidents, more than 552 million IDs were exposed [1]. In addition, the number of web-based attacks increased by 23%, and one out of eight legitimate websites was shown to have serious vulnerabilities.

As cyber-crime becomes more and more rampant, the cost and time needed to solve related problems keep increasing. This is among the findings of the 5th annual cyber-crime cost study conducted by the Ponemon Institute. An international study conducted in 2014 in seven countries by a US-based company revealed that the average cyber-crime cost of US companies increased by 9% in one year, from 11.6 million dollars in 2013 to 12.7 million dollars in 2014.
It was also shown that the average time taken to resolve a cyber-crime increased from 32 days in 2013 to 45 days in 2014 [2, 3].

There is growing recognition that, to resolve such security vulnerabilities, the development of robust software by programmers is the most essential and effective measure, rather than reinforcing security systems against external environments. Nevertheless, the number of pieces of personal information leaked over the last five years reaches as high as 200 million, including 10.81 million through the Auction hacking (Feb. 2008), SK Broadband 6 million (April 2008), GS Caltex 11.25 million (Sept. 2008), and SK Coms 35 million (July 2011), plus those leaks that were omitted from submitted data for the reason of personal information work transfer [4].

The methods of stealing personal information, which is so serious a problem, are diverse and include hacking by outsiders and leaks by insiders, but Googling through Google searches is regarded as the easiest method. Therefore, the present study examines the security vulnerabilities of the home pages of universities in South Korea through Googling, which is the easiest way to collect information, and aims to raise awareness of how the Google search engine can be used to attack vulnerabilities. In addition, countermeasures against the security vulnerabilities revealed by Google hacking are presented.

1 Corresponding Author: Hankyu Lim, hklim@anu.ac.kr
ISSN: 2287-1233 ASTL Copyright 2015 SERSC

2 Checking Website Security Vulnerabilities

Since 2012, the stepwise mandatory application of secure software development has been institutionalized for the public web services of domestic public institutions as a countermeasure against security threats [5]. In particular, under the 2014 plan for promoting security vulnerability checks of educational institution home pages, home page security vulnerability checking items were distributed as part of reinforcing the checks of home pages operated by educational institutions such as si/do education offices and universities. The security vulnerability checking items are shown in <Table 1> and <Table 2>.

Table 1. OWASP security vulnerability assessment items

| No. | Security Vulnerability Type |
|-----|-----------------------------|
| 1 | Injection |
| 2 | Broken Authentication and Session Management |
| 3 | Cross-Site Scripting (XSS) |
| 4 | Insecure Direct Object References |
| 5 | Security Misconfiguration |
| 6 | Sensitive Data Exposure |
| 7 | Missing Function Level Access |
| 8 | Cross-Site Request Forgery (CSRF) |
| 9 | Using Components with Known Vulnerabilities |
| 10 | Unvalidated Redirects and Forwards |

Table 2. NIS security vulnerability assessment items

| No. | Security Vulnerability Type |
|-----|-----------------------------|
| 1 | Directory listing vulnerability |
| 2 | File Download Vulnerability |
| 3 | Cross-Site Scripting (XSS) |
| 4 | File Upload Vulnerability |
| 5 | WebDAV Vulnerability |
| 6 | Tech note Vulnerability |
| 7 | ZeroBoard Vulnerability |
| 8 | SQL injection Vulnerability |

Programmers want the vulnerabilities in their programs to be completely removed so that the programs can operate securely. However, expertise about the vulnerability items cannot be obtained easily, and it is difficult to recognize how the vulnerability items can be corrected.

3 Google Hacking

Google collects information through many major channels. The types of collected information include information that is provided directly when Google's major tools are used, information that is collected by Google's robots (web crawlers), information that is provided by others when they use Google's tools, and information that is obtained from third-party databases and business partners [6].

Googling is the use of Google searches to obtain information from the Web. However, Googling has been abused and has become established as an easy way to extract personal information. Although large firms that are highly interested in security are implementing defensive measures against such extraction of personal information, entities such as schools and hospitals are still vulnerable to such attacks. Googling is used not only to extract personal information but also in attacks that find the administrator account information of company computing systems and push malicious code onto those accounts, because searching with certain options can identify even important personal information that exists on the relevant sites.

4 Security Vulnerabilities Diagnosis through Google Hacking

A. Personal Information Disclosure Vulnerability

Even simple search words such as member list and member list.xls produced approximately 450,000 search results, quite a few of which were files containing students' birth dates, phone numbers, and addresses. The contents could be seen by downloading and opening the files without any restriction.

Fig. 1. Google search results and disclosure of personal information file

This security vulnerability corresponds to the exposure of important information among the OWASP security vulnerability items and to the file download vulnerability among the security vulnerability checking items of the National Intelligence Service.

B. SQL Injection Vulnerability

This is a vulnerability that enables attackers to insert SQL statements into the input forms and URL input sections of web applications linked to databases in order to read and manipulate information in the database. To find administrator pages into which SQL could be injected, administrator pages were searched for in Google using the keyword inurl:admin site:ac.kr. Quite a few of the approximately 26,900 websites found exposed their administrator log-in screens as they were.

Fig. 2. Google search results and administrator mode

C. Directory listing vulnerability

This is a vulnerability in which all directories, or directories that contain important information, are listed to the outside because index security has not been configured on public servers. Googling with intitle:index.of inurl:ac.kr produced approximately 1,610,000 search results, and quite a few of them listed directories as they were.

Fig. 3. Google search results and directory listings

D. Error messages vulnerability

Since AP installation information, ID/PW information, and SQL injection attack information are provided when error messages are searched for at Google, detailed information on server intrusion pathways is provided. The following is the result of a search at Google using the keyword ORA-00921:unexpected end of SQL command inurl:ac.kr.

Fig. 4. Google search results and the error message exposure

5 Conclusion

In the present study, the security vulnerabilities of the home pages of universities in South Korea were diagnosed using very simple Google search words. According to the diagnosis, quite a few parts with security vulnerabilities existed. Nevertheless, concrete guidelines on methods for preventing or checking security incidents caused by Google hacking are still insufficient. To prevent Google hacking, vulnerability scanning of web servers should be conducted using Google hacking vulnerability scanners, and if any vulnerable points are found, the cause should be identified and the necessary actions should be taken. Hereafter, the security vulnerabilities of the home pages of universities in South Korea will be analyzed using Google hacking vulnerability scanners, and methods for resolving the vulnerabilities will be presented based on the results of the analysis.

References

1. Symantec: Internet Security Threat Report, 2013 Trends, Volume 19, (2014)
2. Ministry of Public Administration and Security: Software Development Security Guide, 2012.5
3. http://www8.hp.com/kr/ko/software-solutions/ponemon-cyber-security-report/
4. Kim Namil: "Revealed personal information during 5 years is 200 millions, the penalty is 94.39 million won for 14 cases", Hankyeorae, (2014)
5. Ministry of Security and Public Administration: Secure Coding Inspection Guide for e-gow SW, (2014)
6. Greg Conti: Google knows you, Bpanbooks, (2009)
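
The four exposure classes diagnosed in Section 4 can be checked from the operator's side, on responses fetched from a site you run, before a search engine indexes them. The Python code below is an added example and not part of the paper. The host univ.example, the sample responses, the finding labels and the file-name pattern are assumptions, and the ORA-nnnnn pattern generalizes the single ORA-00921 error the paper searched for.

```python
# Added example, not from the paper: offline self-audit of pages from a site you operate.
import re
from urllib.parse import unquote, urlparse

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
# Oracle errors have the form ORA-nnnnn; the paper's search used ORA-00921.
DB_ERROR_RE = re.compile(r"\bORA-\d{5}\b")
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type=[\"']?password", re.I)
# Assumption: member-list spreadsheets are the files of concern (paper: "member list.xls").
SENSITIVE_FILE_RE = re.compile(r"member[ _-]?list[^/]*\.(xlsx?|csv)$", re.I)


def classify(url, body):
    """Return the Section 4 exposure classes that one fetched page matches."""
    path = unquote(urlparse(url).path)
    match = TITLE_RE.search(body)
    title = match.group(1).strip().lower() if match else ""
    findings = []
    if SENSITIVE_FILE_RE.search(path):           # A. personal information file
        findings.append("personal-data-file")
    if "admin" in path.lower() and PASSWORD_FIELD_RE.search(body):
        findings.append("admin-login-exposed")   # B. administrator page reachable
    if title.startswith("index of"):             # C. server-generated directory index
        findings.append("directory-listing")
    if DB_ERROR_RE.search(body):                 # D. raw database error in response
        findings.append("db-error-message")
    return findings


def audit(pages):
    """Map each URL with at least one finding to its list of findings."""
    report = {}
    for url, body in pages:
        findings = classify(url, body)
        if findings:
            report[url] = findings
    return report


# Constructed sample responses; univ.example is a placeholder host.
SAMPLE_PAGES = [
    ("https://www.univ.example/files/", "<html><head><title>Index of /files</title></head></html>"),
    ("https://www.univ.example/files/member%20list.xls", ""),
    ("https://www.univ.example/admin/login.php", '<form><input type="password" name="pw"></form>'),
    ("https://www.univ.example/board/view.jsp?id=1", "ORA-00921: unexpected end of SQL command"),
    ("https://www.univ.example/index.html", "<html><head><title>Welcome</title></head></html>"),
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_PAGES).items():
        print(url, findings)
```

Each finding maps to a server-side fix: disable automatic directory indexes, move personal data files out of the web root, restrict administrator paths to authenticated or internal access, and return generic error pages instead of raw database errors.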