A Scheme to Create Simulated Test Items for Facilitating the Assessment in Web Security Subject

Su, Jun-Ming; Cheng, Ming-Hua; Wang, Xinjie; Tseng, Shian‐Shyong

doi:10.1109/ubi-media.2019.00067

Cited by 4 publications

(1 citation statement)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…CyExec uses traditional web technology in the attack by using WebGoat as an experimental target. Su J, Cheng M, Wang X, and Tseng S [8] proposed a scheme to create a simulation test to assess student learning outcomes online in web security subjects called the SimTI-WS scheme. The focus topic is discussed about CSRF based on WebGoat.…”

Section: Related Workmentioning

confidence: 99%

Web Application Security Education Platform Based on OWASP API Security Project

Idris

Syarif

Winarno

2022

EMITTER Int'l J. of Engin. Technol.

View full text Add to dashboard Cite

The trend of API-based systems in web applications in the last few years keeps steadily growing. API allows web applications to interact with external systems to enable business-to-business or system-to-system integration which leads to multiple application innovations. However, this trend also comes with a different surface of security problems that can harm not only web applications, but also mobile and IoT applications. This research proposed a web application security education platform which is focused on the OWASP API security project. This platform provides different security risks such as excessive data exposure, lack of resources and rate-limiting, mass assignment, and improper asset management which cannot be found in monolithic security learning application like DVWA, WebGoat, and Multillidae II. The development also applies several methodologies such as Capture-The-Flag (CTF) learning model, vulnerability assessment, and container virtualization. Based on our experiment, we are successfully providing 10 API vulnerability challenges to the platform with 3 different levels of severity risk rating which can be exploited using tools like Burp Suite, SQLMap, and JWTCat. In the end, based on our performance experiment, all of the containers on the platform can be deployed in approximately 16 seconds with minimum storage resource and able to serve up to 1000 concurrent users with the average throughput of 50.58 requests per second, 96.35% successful requests, and 15.94s response time.

show abstract

Section: Related Workmentioning

confidence: 99%

Web Application Security Education Platform Based on OWASP API Security Project

Idris

Syarif

Winarno

2022

EMITTER Int'l J. of Engin. Technol.

View full text Add to dashboard Cite

show abstract

DoWTS – Denial-of-Wallet Test Simulator: Synthetic data generation for preemptive defence

2022

View full text Add to dashboard Cite

The intentional targeting of components in a cloud based application, in order to artificially inflate usage bills, is an issue application owners have faced for many years. This has occurred under many guises, such as: Economic Denial of Sustainability (EDoS), Click Fraud and even secondary effects of Denial of Service (DoS) attacks. With the advent of commercial offerings of serverless computing circa 2015, a variant of the EDoS attack has emerged, termed, Denial-of-Wallet (DoW). We describe our development of a simulation tool as safe means to research these attacks as well as to generate datasets for the training of future mitigation systems to combat DoW. We believe that DoW may become increasingly prevalent as applications further utilise services based on a pay-per-invocation cost model. Given that the damage caused is purely financial, such attacks may not be disclosed as application users are not directly effected. As such, we believe that the development of an attack simulator and specific testing of security measures against this niche attack will be able to provide previously unavailable data and insights for the research community. We have developed a prototype DoW simulator that can emulate multiple months worth of API calls in a matter of hours for ease of training data generation. Our aspiration for the future of this work is to provide a system and starting point for research on this form of attack. We present our work on such a system Denial-of-Wallet Test Simulator (DoWTS) - a system that allows for safe testing of theorised DoW attacks against serverless applications via synthetic data generation. We also expand upon prior research on DoW and provide an analysis on the lack of specific safety measures for DoW.

show abstract

DoWNet—classification of Denial-of-Wallet attacks on serverless application traffic

Kelly,

Glavin,

Barrett

2024

Journal of Cybersecurity

View full text Add to dashboard Cite

Serverless computing is an ever-growing programming paradigm being adopted by developers all over the world. Its highly scalable, automatic load balancing, and pay for what you use design is a powerful tool that can also greatly reduce operational costs. However, these advantages also leave serverless computing open to a unique threat, Denial-of-Wallet (DoW). It is the intentional targeting of serverless function endpoints with request traffic in order to artificially raise the usage bills for the application owner. A subset of these attacks are leeches. They perform DoW at a rate that could go undetected as it is not a sudden violent influx of requests. We devise a means of detecting such attacks by utilizing a novel approach of representing request traffic as heat maps and training an image classification algorithm to distinguish between normal and malicious traffic behaviour. Our classifier utilizes convolutional neural networks and achieves 97.98% accuracy. We then design a system for the implementation of this model that would allow application owners to monitor their traffic in real time for suspicious behaviour.

show abstract

A Scheme to Create Simulated Test Items for Facilitating the Assessment in Web Security Subject

Cited by 4 publications

References 1 publication

Web Application Security Education Platform Based on OWASP API Security Project

Web Application Security Education Platform Based on OWASP API Security Project

DoWTS – Denial-of-Wallet Test Simulator: Synthetic data generation for preemptive defence

DoWNet—classification of Denial-of-Wallet attacks on serverless application traffic

Contact Info

Product

Resources

About