By Topic

Optimum tuning of defense settings for common attacks on the web applications

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Dwen-Ren Tsai ; Dept. of Computer Science, Chinese Culture University, Taipei, Taiwan ; Allen Y. Chang ; Peichi Liu ; Hsuan-Chang Chen

Statistics from various sources indicate that there are roughly 75% cyber attacks occurred in the web applications, and the trend is growing. The unsafe coding of web application or the vulnerability of the application itself is yet to be patched result in a high security risk. In addition to white-box testing to examine the source code, black box testing for vulnerability scan or penetration test, one may choose to setup defense facilities at the front-end of the server - such as: application-layer intrusion prevention system, or application software and hardware firewall to enhance the defense mechanism or to gain more time to patch the vulnerability. This paper presents an optimum tuning method utilizing the application firewall widely used by the modern enterprises. We explore several attacking methods commonly used nowadays, such as the signature of cross-site scripting and SQL injection, and introduce a new method to setup the parameters of the device to strengthen the defense. To enhance the security of the back-end application servers, we use keyword filtering and re-treatment to rule out the blacklist, and to adjust the system settings so that it can effectively block the assaults or reduce the possibility of successful attacks. In addition, we also simulate attacks to web browsing and application through vulnerability scanning tools to test the security of application system and to make sure the necessary defense of the optimum tuning parameters. This concept does produce good results in our implementation of verification tests. It is worth promoting as a reference.

Published in:

43rd Annual 2009 International Carnahan Conference on Security Technology

Date of Conference:

5-8 Oct. 2009