The Scientific World Journal
Volume 2013, Article ID 946768, 10 pages
http://dx.doi.org/10.1155/2013/946768
Research Article

Vulnerability Assessment of IPv6 Websites to SQL Injection and Other Application Level Attacks

Department of Electrical Engineering, National Chung Cheng University, Chia-Yi 62102, Taiwan

Received 14 October 2013; Accepted 2 December 2013

Academic Editors: S. K. Bhatia and A. K. Misra

Copyright © 2013 Ying-Chiang Cho and Jen-Yi Pan. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Linked References

  1. S. Deering and R. Hinden, IETF RFC 2460, Internet Protocol, Version 6 (IPv6) Specification, 1998, http://www.ietf.org/rfc/rfc2460.txt.
  2. M. Boucadair, J. Grimault, P. Lévis, A. Villefranque, and P. Morand, “Anticipate IPv4 address exhaustion: a critical challenge for internet survival,” in Proceedings of the 1st International Conference on Evolving Internet (INTERNET '09), pp. 27–32, Cannes La Bocca, France, August 2009.
  3. M. Gunn, “War dialing,” 2002.
  4. Wikipedia, “War dialing,” 2013, http://en.wikipedia.org/wiki/War_dialing.
  5. R. Oppliger, “Security at the internet layer,” Computer, vol. 31, no. 9, pp. 43–47, 1998.
  6. S. Weber and L. Cheng, “A survey of anycast in IPv6 networks,” IEEE Communications Magazine, vol. 42, no. 1, pp. 127–132, 2004.
  7. E. Fong and V. Okun, “Web application scanners: definitions and functions,” in Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS '07), Waikoloa, Hawaii, USA, January 2007.
  8. X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao, “A static analysis framework for detecting SQL injection vulnerabilities,” in Proceedings of the 31st Annual International Computer Software and Applications Conference (COMPSAC '07), pp. 87–96, Beijing, China, July 2007.
  9. J. Bau, E. Bursztein, D. Gupta, and J. Mitchell, “State of the art: automated black-box web application vulnerability testing,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '10), pp. 332–345, Oakland, Calif, USA, May 2010.
  10. G. Pant, P. Srinivasan, and F. Menczer, Crawling the Web, 2004.
  11. A. Heydon and M. Najork, “Mercator: a scalable, extensible web crawler,” World Wide Web, vol. 2, no. 4, pp. 219–229, 1999.
  12. H. Y. Kao, S. H. Lin, J. M. Ho, and M. S. Chen, “Mining web informative structures and contents based on entropy analysis,” IEEE Transactions on Knowledge and Data Engineering, vol. 16, no. 1, pp. 41–55, 2004.
  13. I. S. Altingövde and O. Ulusoy, “Exploiting interclass rules for focused crawling,” IEEE Intelligent Systems, vol. 19, no. 6, pp. 66–73, 2004.
  14. V. Shkapenyuk and T. Suel, “Design and implementation of a high-performance distributed web crawler,” in Proceedings of the 18th International Conference on Data Engineering, pp. 357–368, San Jose, Calif, USA, March 2002.
  15. C. Castillo, “Effective web crawling,” Ph.D. thesis, Computer Science, University of Chile, 2004; abstract in ACM SIGIR Forum.
  16. S. Even, Graph Algorithms, Cambridge University Press, New York, NY, USA, 2011.
  17. A. Paraskevas, I. Katsogridakis, R. Law, and D. Buhalis, “Search engine marketing: transforming search engines into hotel distribution channels,” Cornell Hospitality Quarterly, vol. 52, no. 2, pp. 200–208, 2011.
  18. M. Weiser, “Program slicing,” IEEE Transactions on Software Engineering, vol. 10, no. 4, pp. 352–357, 1984.
  19. A. Phalgune, “Testing and debugging web applications: an end-user perspective,” in Proceedings of the IEEE Symposium on Visual Languages and Human Centric Computing, pp. 289–290, Rome, Italy, September 2004.
  20. N. El Ioini and A. Sillitti, “Open web services testing,” in Proceedings of the IEEE World Congress on Services (SERVICES '11), pp. 130–136, Washington, DC, USA, July 2011.
  21. N. Khoury, P. Zavarsky, D. Lindskog, and R. Ruhl, “An analysis of black-box web application security scanners against stored SQL injection,” in Proceedings of the IEEE 3rd International Conference on Privacy, Security, Risk and Trust (PASSAT '11) and IEEE 3rd International Conference on Social Computing (SocialCom '11), pp. 1095–1101, Boston, Mass, USA, October 2011.
  22. M. Bishop, “About penetration testing,” IEEE Security & Privacy, vol. 5, no. 6, pp. 84–87, 2007.
  23. N. Antunes and M. Vieira, “Enhancing penetration testing with attack signatures and interface monitoring for the detection of injection vulnerabilities in web services,” in Proceedings of the IEEE International Conference on Services Computing (SCC '11), pp. 104–111, Washington, DC, USA, July 2011.
  24. H. J. Kam and J. J. Pauli, “Work in progress—web penetration testing: effectiveness of student learning in web application security,” in Proceedings of the Frontiers in Education Conference (FIE '11), pp. F3G-1–F3G-3, Rapid City, SD, USA, November 2011.
  25. C. Mainka, J. Somorovsky, and J. Schwenk, “Penetration testing tool for web services security,” in Proceedings of the IEEE 8th World Congress on Services (SERVICES '12), pp. 163–170, Honolulu, Hawaii, USA, June 2012.
  26. D. A. Kindy and A. K. Pathan, “A survey on SQL injection: vulnerabilities, attacks, and prevention techniques,” in Proceedings of the 15th IEEE International Symposium on Consumer Electronics (ISCE '11), pp. 468–471, Singapore, June 2011.
  27. R. Johari and P. Sharma, “A survey on web application vulnerabilities (SQLIA, XSS) exploitation and security engine for SQL injection,” in Proceedings of the International Conference on Communication Systems and Network Technologies (CSNT '12), pp. 453–458, Rajkot, India, May 2012.
  28. M. Junjin, “An approach for SQL injection vulnerability detection,” in Proceedings of the 6th International Conference on Information Technology: New Generations (ITNG '09), pp. 1411–1414, Las Vegas, Nev, USA, April 2009.
  29. V. Chapela, Advanced SQL Injection, 2005.
  30. R. Overstreet, Protecting Yourself from SQL Injection Attacks, 2006.
  31. S. W. Boyd and A. D. Keromytis, “SQLrand: preventing SQL injection attacks,” pp. 292–302.
  32. C. Anley, More Advanced SQL Injection, An NGSSoftware Insight Security Research (NISR) Publication, 2002.
  33. C. Anley, Advanced SQL Injection in SQL Server Applications, An NGSSoftware Insight Security Research (NISR) Publication, 2002.
  34. E. H. Spafford, “OPUS: preventing weak password choices,” Computers and Security, vol. 11, no. 3, pp. 273–278, 1992.
  35. D. P. Jablon, “Extended password key exchange protocols immune to dictionary attack,” in Proceedings of the 6th IEEE Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 248–255, Cambridge, Mass, USA, June 1997.
  36. S. M. Bellovin and M. Merritt, “Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise,” in Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 244–250, ACM, November 1993.
  37. B. Schneier, “Attack trees,” Dr. Dobb's Journal, vol. 24, no. 12, pp. 21–29, 1999.
  38. L. R. Knudsen and M. J. B. Robshaw, “Brute force attacks,” in The Block Cipher Companion, Information Security and Cryptography, pp. 95–108, Springer, Berlin, Germany, 2011.
  39. M. Vieira, N. Antunes, and H. Madeira, “Using web security scanners to detect vulnerabilities in web services,” in Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN '09), pp. 566–571, Lisbon, Portugal, July 2009.
  40. J. Fonseca, M. Vieira, and H. Madeira, “Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks,” in Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing (PRDC '07), pp. 365–372, Melbourne, Australia, December 2007.
  41. S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, “SecuBat: a web vulnerability scanner,” in Proceedings of the 15th International Conference on World Wide Web, pp. 247–256, ACM, May 2006.
  42. N. Antunes and M. Vieira, “Detecting SQL injection vulnerabilities in web services,” in Proceedings of the 4th Latin-American Symposium on Dependable Computing (LADC '09), pp. 17–24, Joao Pessoa, Brazil, September 2009.
  43. L. Auronen, “Tool-based approach to assessing web application security,” in Seminar on Network Security, vol. 11, pp. 12–13, Helsinki University of Technology, 2002.
  44. E. Nordmark and R. Gilligan, IETF RFC 4213, Basic Transition Mechanisms for IPv6 Hosts and Routers, 2005, http://www.ietf.org/rfc/rfc4213.txt.
  45. A. R. Choudhary, “In-depth analysis of IPv6 security posture,” in Proceedings of the 5th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom '09), November 2009.
  46. S. Szigeti and P. Risztics, “Will IPv6 bring better security?” in Proceedings of the 30th EUROMICRO Conference, pp. 532–537, September 2004.
  47. E. Davies, S. Krishnan, and P. Savola, IETF RFC 4942, IPv6 Transition/Coexistence Security Considerations, 2007, http://www.ietf.org/rfc/rfc4942.txt.
  48. R. Priyadarshini, S. Aishwarya, and A. A. Ahmed, “Search engine vulnerabilities and threats—a survey and proposed solution for a secured censored search platform,” in Proceedings of the International Conference on Communication and Computational Intelligence (INCOCCI '10), pp. 535–539, Erode, India, December 2010.
  49. Wikipedia, “Application security,” 2012, http://en.wikipedia.org/wiki/Application_security.
  50. D. Watson, “Web application attacks,” Network Security, vol. 2007, no. 10, pp. 10–14, 2007.
  51. R. Radhakrishnan, M. Jamil, S. Mehfuz, and M. Moinuddin, “Security issues in IPv6,” in Proceedings of the 3rd International Conference on Networking and Services (ICNS '07), p. 110, Athens, Greece, June 2007.
  52. D. Yang, X. Song, and Q. Guo, “Security on IPv6,” in Proceedings of the 2nd IEEE International Conference on Advanced Computer Control (ICACC '10), pp. 323–326, March 2010.
  53. Y. W. Huang, C. Tsai, T. Lin, S. Huang, D. T. Lee, and S. Kuo, “A testing framework for web application security assessment,” Computer Networks, vol. 48, no. 5, pp. 739–761, 2005.
  54. O. Security, “The exploit database,” 2012, http://www.exploit-db.com.
  55. Y. Sun, I. G. Councill, and C. L. Giles, “BotSeer: an automated information system for analyzing web robots,” in Proceedings of the 8th International Conference on Web Engineering (ICWE '08), pp. 108–114, Yorktown Heights, NJ, USA, July 2008.
  56. Y. Sun, I. G. Councill, and C. L. Giles, “The ethicality of web crawlers,” in Proceedings of the IEEE/WIC/ACM International Conference on Web Intelligence (WI '10), pp. 668–675, Toronto, Canada, September 2010.
  57. J. Cho, H. Garcia-Molina, and L. Page, “Efficient crawling through URL ordering,” in Proceedings of the 7th International Conference on World Wide Web (WWW '98), pp. 161–172, 1998.
  58. V. Shkapenyuk and T. Suel, “Design and implementation of a high-performance distributed web crawler,” in Proceedings of the 18th International Conference on Data Engineering, pp. 357–368, March 2002.
  59. M. Najork, “Breadth-first search crawling yields high-quality pages,” in Proceedings of the 10th International Conference on World Wide Web (WWW '01), pp. 114–118, 2001.
  60. National Taiwan University, 2012, http://www.ntu.edu.tw/english/.
  61. N. Gaur, “Assessing the security of your web applications,” Linux Journal, vol. 2000, no. 72, article 3, 2000.
  62. P. Noiumkar and T. Chomsiri, “Top 10 free web-mail security test using session hijacking,” in Proceedings of the 3rd International Conference on Convergence and Hybrid Information Technology (ICCIT '08), vol. 2, pp. 486–490, Busan, Republic of Korea, November 2008.
  63. D. Gollmann, “Securing web applications,” Information Security Technical Report, vol. 13, no. 1, pp. 1–9, 2008.
  64. D. Scott and R. Sharp, “Abstracting application-level web security,” in Proceedings of the 11th International Conference on World Wide Web (WWW '02), pp. 396–407, ACM Press, May 2002.
  65. D. Scott and R. Sharp, “Abstracting application-level web security,” in Proceedings of the 11th International Conference on World Wide Web (WWW '02), pp. 396–407, ACM Press, May 2002.
  66. D. J. Bryce and T. C. Williams, “HTTP header intermediary for enabling session-based dynamic site searches,” U.S. Patent Application 11/299,525.
  67. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna, “Cross site scripting prevention with dynamic data tainting and static analysis,” in Proceedings of the Network and Distributed System Security Symposium (NDSS '07), 2007.
  68. IPv6 Forum, “IPv6 Enabled WWW Web Sites List,” 2012, http://www.ipv6forum.com/ipv6_enabled/approval_list.php.
  69. C. M. Judd, G. H. McClelland, and C. S. Ryan, Data Analysis: A Model Comparison Approach, Routledge/Taylor & Francis Group, 2009.
  70. N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: a static analysis tool for detecting web application vulnerabilities,” in Proceedings of the IEEE Symposium on Security and Privacy (S&P '06), pp. 258–263, Berkeley/Oakland, Calif, USA, May 2006.
  71. M. A. Howard, “A process for performing security code reviews,” IEEE Security & Privacy, vol. 4, no. 4, pp. 74–79, 2006.
  72. P. Cisar and S. M. Cisar, “Password—a form of authentication,” in Proceedings of the 5th International Symposium on Intelligent Systems and Informatics (SISY '07), pp. 29–32, Subotica, Serbia, August 2007.
  73. S. Riley, “Password security: what users know and what they actually do,” Usability News 8.1, 2006.
  74. X. Zheng and J. Jidong, “Research for the application and safety of MD5 algorithm in password authentication,” in Proceedings of the 9th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD '12), pp. 2216–2219, Sichuan, China, 2012.