Journal articles on the topic 'OWASP TOP 10'

Consult the top 15 journal articles for your research on the topic 'OWASP TOP 10.'

1. Wetter, Dirk. "OWASP Top 10: Zwei Jahre danach." Datenschutz und Datensicherheit - DuD 36, no. 11 (October 23, 2012): 810–13. http://dx.doi.org/10.1007/s11623-012-0277-1.

2. Wibowo, Ripto Mukti, and Aruji Sulaksono. "Web Vulnerability Through Cross Site Scripting (XSS) Detection with OWASP Security Shepherd." Indonesian Journal of Information Systems 3, no. 2 (February 25, 2021): 149. http://dx.doi.org/10.24002/ijis.v3i2.4192.

Abstract: Web applications are needed as a solution to the use of internet technology that can be accessed globally, capable of displaying information that is rich in content, cost effective, easy to use and can also be accessed by anyone, anytime and anywhere. In the second quarter of 2020, Wearesocial released information that internet users in the world numbered around 4.54 billion, with 59% penetration. People have become very dependent on the internet and also on technology. This condition was also triggered by the Covid-19 pandemic. One thing that becomes an issue in website application security is internet attacks on website platforms, and we never expected the vulnerability. One type of attack or security threat that often arises and often occurs is Cross Site Scripting (XSS). XSS is on the Open Web Application Security Project (OWASP) Top 10 list. There are several alternatives that we can use to prevent cyber-attacks. OWASP Security Shepherd can be used as a way to prevent XSS attacks. The OWASP Security Shepherd project allows users to learn or develop their manual penetration testing skills. In this research, there are several case examples or challenges that we can use as a simulation of the role of OWASP Security Shepherd in detecting XSS. The purpose of this paper is to conduct a brief and clear review of the OWASP Security Shepherd technology. This technology was chosen as an appropriate and inexpensive alternative for users to ward off XSS attacks.

3. Li, Jinfeng. "Vulnerabilities Mapping based on OWASP-SANS: A Survey for Static Application Security Testing (SAST)." Annals of Emerging Technologies in Computing 4, no. 3 (July 1, 2020): 1–8. http://dx.doi.org/10.33166/aetic.2020.03.001.

Abstract: The delivery of a framework in place for secure application development is of real value for application development teams to integrate security into their development life cycle, especially when a mobile or web application moves past the scanning stage and focuses increasingly on the remediation or mitigation phase based on static application security testing (SAST). For the first time, to the author's knowledge, the industry-standard Open Web Application Security Project (OWASP) top 10 vulnerabilities and CWE/SANS top 25 most dangerous software errors are synced up in a matrix with Checkmarx vulnerability queries, producing an application security framework that helps development teams review and address code vulnerabilities, minimise false positives discovered in static scans and penetration tests, targeting an increased accuracy of the findings. A case study is conducted for vulnerabilities scanning of a proof-of-concept mobile malware detection app. Mapping the OWASP/SANS with Checkmarx vulnerabilities queries, flaws and vulnerabilities are demonstrated to be mitigated with improved efficiency.

4. Kellezi, Deina, Christian Boegelund, and Weizhi Meng. "Securing Open Banking with Model-View-Controller Architecture and OWASP." Wireless Communications and Mobile Computing 2021 (September 21, 2021): 1–13. http://dx.doi.org/10.1155/2021/8028073.

Abstract: In 2015, the European Union passed the PSD2 regulation, with the aim of transferring ownership of bank accounts to the private person. As a result, Open Banking has become an emerging concept, which provides third-party financial service providers open access to bank APIs, including consumer banking, transaction, and other financial data. However, such openness may also incur many security issues, especially when the data can be exposed by an API to a third party. Focused on this challenge, the primary goal of this work is to develop one innovative web solution for the market. We advocate that the solution should be able to trigger transactions based on goals and actions, allowing users to save up money while encouraging positive habits. In particular, we propose a solution with an architectural model that ensures clear separation of concerns and easy integration with Nordea's (the largest bank in the Nordics) Open Banking APIs (sandbox version), and a technological stack with the microframework Flask, the cloud application platform Heroku, and a persistent data storage layer using Postgres. We analyze and map the web application's security threats and determine whether or not the technological frame can provide a suitable security level, based on the OWASP Top 10 threats and threat modelling methodology. The results indicate that many of these security measures are either handled automatically by the components offered by the technical stack or are easily preventable through included packages of the Flask Framework. Our findings can support future developers and industries working with web applications for Open Banking towards improving security by choosing the right frameworks and considering the most important vulnerabilities.

5. Chen, Zhuang, Min Guo, and Lin Zhou. "Research on SQL injection detection technology based on SVM." MATEC Web of Conferences 173 (2018): 01004. http://dx.doi.org/10.1051/matecconf/201817301004.

Abstract: SQL injection, which has the characteristics of great harm and fast variation, has always ranked at the top of the OWASP TOP 10 and has always been a hot spot in web security research. In view of the difficulty of detecting unknown attacks with the existing rule-matching method, a method of SQL injection detection based on machine learning is proposed. The author analyses the method of SQL injection feature extraction; finally, the word2vec method is selected to process the text data of the HTTP request, which can effectively represent the SQL injection features containing the attack payload. The processed samples are trained and classified with the SVM algorithm. The experiment shows that this method effectively solves the problem of SQL injection mutation and the high leakage rate of rule matching. By comparison with the classification results of statistical features, this SQL injection classification model has a higher detection rate.

6. Chou, Yuyu, and Jan Oetting. "Risk Assessment for Cloud-Based IT Systems." International Journal of Grid and High Performance Computing 3, no. 2 (April 2011): 1–13. http://dx.doi.org/10.4018/jghpc.2011040101.

Abstract: The use of Cloud Computing services is an attractive option to improve IT systems to achieve rapidly and elastically provisioned capability, and also to offer economic benefits. However, companies see security as a major concern in migrating to the Cloud. To bring clarity to Cloud security, this paper presents a systematic approach to manage the risks and analyzes the full range of risk in Cloud Computing solutions. Furthermore, as a case study, the Google App Engine Platform is assessed based on ISO/IEC 27002 and the OWASP Top 10 Risk List in this paper. Knowing the risks of Cloud solutions, companies can make well-informed decisions on going into the Cloud and build their Cloud solutions in a secure way, relying on a robust e-trust relationship.

7. Waheed Kadhim, Raed, and Methaq Talib Gaata. "A hybrid of CNN and LSTM methods for securing web application against cross-site scripting attack." Indonesian Journal of Electrical Engineering and Computer Science 21, no. 2 (February 1, 2021): 1022. http://dx.doi.org/10.11591/ijeecs.v21.i2.pp1022-1029.

Abstract: Cross-site scripting (XSS) is today one of the biggest threats that could target the Web application. Based on a study published by the Open Web Application Security Project (OWASP), the XSS vulnerability has been present among the TOP 10 Web application vulnerabilities. Still, an important security-related issue remains how to effectively protect web applications from XSS attacks. In the first part of this paper, a method for detecting XSS attacks was proposed by combining a convolutional neural network (CNN) with long short-term memory (LSTM). Initially, pre-processing was applied to the XSS Data Set by decoding, generalization and tokenization, and then word2vec was applied to convert words into word vectors in XSS payloads. We then use the combination of CNN with LSTM to train and test word vectors to produce a model that can be used in a web application. Based on the obtained results, it is observed that the proposed model achieved an excellent result with an accuracy of 99.4%.

8. Yoda, Minami, Shuji Sakuraba, Yuichi Sei, Yasuyuki Tahara, and Akihiko Ohsuga. "Detection of the Hardcoded Login Information from Socket and String Compare Symbols." Annals of Emerging Technologies in Computing 5, no. 1 (January 1, 2021): 28–39. http://dx.doi.org/10.33166/aetic.2021.01.003.

Abstract: Internet of Things (IoT) for smart homes enhances convenience; however, it also introduces the risk of the leakage of private data. The OWASP IoT TOP 10 of 2018 shows that the first vulnerability is "Weak, easy to predict, or embedded passwords." This problem poses a risk because a user cannot fix, change, or detect a password if it is embedded in firmware, because only the developer of the firmware can control an update. In this study, we propose a lightweight method to detect the hardcoded username and password in IoT devices using a static analysis called Socket Search and String Search, to protect against the first vulnerability of the 2018 OWASP IoT TOP 10. The hardcoded login information can be obtained by comparing the user input with strcmp or strncmp. Previous studies analyzed the symbols of strcmp or strncmp to detect the hardcoded login information. However, those studies required a lot of time because of the usage of complicated algorithms such as symbolic execution. To develop a lightweight algorithm, we focus on a network function, such as the socket symbol in firmware, because the IoT device is compromised when it is invaded by someone via the Internet. We propose two methods to detect the hardcoded login information: string search and socket search. In string search, the algorithm finds a function that uses the strcmp or strncmp symbol. In socket search, the algorithm finds a function that is referenced by the socket symbol. In this experiment, we measured the ability of our proposed method by searching six real-world firmware images that have a backdoor. We ran three methods: string search, socket search, and whole search, to compare the two methods. As a result, all methods found login information in five of the six firmware images and one unexpected password. Our method reduces the analysis time. The whole search generally takes 38 min to complete, but our methods finish the search in 4-6 min.

9. Farooq, Umar. "Ensemble Machine Learning Approaches for Detection of SQL Injection Attack." Tehnički glasnik 15, no. 1 (March 4, 2021): 112–20. http://dx.doi.org/10.31803/tg-20210205101347.

Abstract: In the current era, the SQL Injection Attack is a serious threat to the security of the ongoing cyber world, particularly for the many web applications that reside on the internet. Many webpages accept sensitive information (e.g. username, passwords, bank details, etc.) from users and store this information in a database that also resides on the internet. Although these online databases are of great importance for remotely accessing information for various business purposes, attackers can gain unrestricted access to these online databases or bypass authentication procedures with the help of the SQL Injection Attack. This attack results in great damage and variation to the database and has been ranked as the topmost security risk in the OWASP TOP 10. Considering the trouble of distinguishing unknown attacks by the current principle coordinating technique, a strategy for SQL injection detection dependent on Machine Learning is proposed. Our motive is to detect this attack by splitting the queries into their corresponding tokens with the help of tokenization and then applying our algorithms over the tokenized dataset. We used four Ensemble Machine Learning algorithms: Gradient Boosting Machine (GBM), Adaptive Boosting (AdaBoost), Extended Gradient Boosting Machine (XGBM), and Light Gradient Boosting Machine (LGBM). The results yielded by our models are near perfect, with the error rate being almost negligible. The best results are yielded by LGBM with an accuracy of 0.993371, and precision, recall, f1 of 0.993373, 0.993371, and 0.993370, respectively. The LGBM also yielded a lower error rate, with False Positive Rate (FPR) and Root Mean Squared Error (RMSE) of 0.120761 and 0.007, respectively. The worst results are yielded by AdaBoost with an accuracy of 0.991098, and precision, recall, f1 of 0.990733, 0.989175, and 0.989942, respectively. AdaBoost also yielded a high False Positive Rate (FPR) of 0.009.

10. Ferrara, Pietro, Amit Kr Mandal, Agostino Cortesi, and Fausto Spoto. "Static analysis for discovering IoT vulnerabilities." International Journal on Software Tools for Technology Transfer, November 24, 2020. http://dx.doi.org/10.1007/s10009-020-00592-x.

Abstract: The Open Web Application Security Project (OWASP) released the "OWASP Top 10 Internet of Things 2018" list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward the development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by the OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of the OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some of Julia's existing analyses and their extension to IoT systems, showing the effectiveness of the analysis on some representative case studies.

11. "Web Application Penetration Testing." VOLUME-8 ISSUE-10, AUGUST 2019, REGULAR ISSUE 8, no. 10 (August 10, 2019): 1029–35. http://dx.doi.org/10.35940/ijitee.j9173.0881019.

Abstract: This paper describes the in-depth technical approach to performing manual penetration tests in web applications for testing the integrity and security of the application, and also serves as a guide to testing the OWASP top 10 security vulnerabilities. The paper is more focused on providing detailed knowledge about manual web application penetration testing methodologies in order to secure them from malicious black hat hackers.

12. "The Solutions of SQL Injection Vulnerability in Web Application Security." International Journal of Engineering and Advanced Technology 8, no. 6 (August 30, 2019): 3803–8. http://dx.doi.org/10.35940/ijeat.f9395.088619.

Abstract: Web applications commonly use all the services made available online. With the rapid development of the Internet of Things (IoT), all organizations provide their services and control them online, such as online money transactions, business transactions for buying and selling products, healthcare services, military and GPS systems. Web application development and maintenance is very difficult in terms of security. Attacks take many forms to steal secure, personal information and private data. There is one major open source community, the Open Web Application Security Project (OWASP), providing information, development and validation of web application projects to make applications secure. This research work discusses a few of the solutions, detection and prevention methods for the Injection risk out of the top 10 OWASP risks. The injection risk has an impact on business that may lead to loss of information and unauthorized access to personal and secure information.

13. Vergara Fajardo, Geraldín, Diana Marcela Montaño, Siler Amado Donado, and Katerine Márceles Villalba. "Conceptual Foundation for an Automated Pentester Based on a Single Board Computer." Ingeniería Solidaria 15, no. 28 (May 27, 2019). http://dx.doi.org/10.16925/2357-6014.2019.02.08.

Abstract: Introduction: This article is a product of the research project "Pruebas de Concepto Automatizado sobre Aplicaciones Web Basados en OWASP", carried out during 2017 and 2018 in the city of Popayán, capital of the department of Cauca. Problem: To establish and identify theoretical support for the research topic that will help answer the research question: is it necessary to develop scripts that automate the proof-of-concept process for detecting the vulnerabilities in the OWASP Top 10 2017? Objective: To propose a conceptual and background component, through the study of primary and secondary sources and inclusion and exclusion factors, that makes it possible to determine the relevance of the proposed problem and arrive at the construction of a solution. Methodology: The methodology used was documentary; several database sources were consulted in order to determine the relevant conceptual, theoretical and background foundations that support this research. Results: A significant analysis was obtained, along with relevant conceptual foundations that contributed to the solution of the problem. Conclusion: Despite the existence of tools for web pentesting, none fully solves the problem posed in this article; nevertheless, the articles found helped in achieving the objective. Originality: Automation of the pentesting process, under the OWASP methodology, on an SBC using free software, to reduce costs for business owners when testing the security of web applications. Limitations: Access to the databases at the institution, and the time and money spent on testing on other SBC devices.

14. Monar Monar, Joffre Stalin, Danilo Mauricio Pastor Ramirez, Gloria de Lourdes Arcos Medina, and Mayra Alejandra Oñate Andino. "Técnicas de programación segura para mitigar vulnerabilidades en aplicaciones web." Congreso de Ciencia y Tecnología ESPE 13, no. 1 (June 23, 2018). http://dx.doi.org/10.24133/cctespe.v13i1.753.

Abstract: Currently, the great majority of web applications contain security vulnerabilities. This is probably due to a lack of awareness among developers or the absence of specific coding techniques. Certain works related to the topic were analyzed, but we consider that they neither define precise programming techniques nor focus on a specific programming language. This work proposes a set of secure programming techniques to reduce vulnerabilities in web applications using the PHP development environment. To this end, ten vulnerabilities were determined using the OWASP TOP-10 recommendations. Then, seven techniques and their respective implementation are presented. The techniques are validated and the vulnerabilities of a web application are measured in two scenarios: with and without the implementation of the proposed techniques. The results show that the use of the proposed techniques is significantly related to the number of vulnerabilities found and therefore improves the security level of web applications.

15. "Building the Security Function Point Method for Web Application Vulnerability Remediation." International Journal of Recent Technology and Engineering 8, no. 4 (November 30, 2019): 5962–68. http://dx.doi.org/10.35940/ijrte.d8948.118419.

Abstract: Web application vulnerability remediation activities are important in terms of actual risk management in corporate security activities. However, traditional software development resource estimation methods do not discuss resource estimation for software vulnerability remediation in terms of security. Moreover, it is difficult to estimate the exact web vulnerability remediation resources using correction factors. Against this background, this study aims to establish a resource estimation methodology for web application vulnerability remediation in terms of security from the perspective of dynamic analysis, contributing to foundation building for the systematic management of web application vulnerability remediation among information security organizations and related practitioners. For the new model development, this study used data from 64 applications of the experimental company to derive the security function point method and 6 web vulnerability assessment project data from the same company to verify the methodology. Hence a web application vulnerability remediation standard was established, and a new security web vulnerability remediation resource estimation technique, "Security Function Point Method (SFPM)," was proposed through data collection based on the standard. It covers the de facto global web application vulnerability framework named OWASP Top 10 (2017) and several Korean standards from the practical field. Thus, it is possible to calculate the web application vulnerability remediation resources in a better way.