Vulnerability Testing in Web Applications External Entities XML

Aleksandr ?. Osincev

Olga R. Laponina

Resumen

The paper considers the concept of external entities in the XML language, provides the most popular scenarios for executing attacks on web applications using external XML entities. A brief comparative review of dynamic testing tools for XXE-vulnerabilities has been performed. Described the process of deploying the stand for testing web applications for the presence of XXE vulnerability and implemented various testing scenarios both manually and using the OWASP ZAP scanner. There are also improvements to the OWASP ZAP software that were implemented during the course of the work. XXE testing was performed on two applications: OWASP Multillidae and XXELab. A module has been implemented that allows you to configure ZAP through the REST API, run the scanner to actively scan XXE vulnerabilities and get a report on the work. Vulnerability search automation is implemented using the REST API and Qt.

Acceso

P�GINAS

pp. 71 - 79

N�MERO

Volumen: 7 N�mero: 10 Parte: 0 (2019)

MATERIAS

INGENIER�A Y CONSTRUCCI�N CIVIL
TECNOLOG�A

REVISTAS SIMILARES

Applied Sciences
Information
Water

Art�culos similares

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Acceso

Francesc Mateo Tudela, Juan-Ram�n Bermejo Higuera, Javier Bermejo Higuera, Juan-Antonio Sicilia Montalvo and Michael I. Argyros

This document provides a complete comparative study of how different types of security analysis tools, (static, interactive and dynamic) can combine to obtain the best performance results in terms of true and false positive ratios taking into account dif... ver m�s

Revista: Applied Sciences

A Study on Cyber Security Threats in a Shipboard Integrated Navigational System

Acceso

Boris Svilicic, Igor Rudan, Alen Jugovic and Damir Zec

The integrated navigational system (INS) enhances the effectiveness and safety of ship navigation by providing multifunctional display on the basis of integration of at least two navigational functions, the voyage route monitoring with Electronic Chart D... ver m�s

Revista: Journal of Marine Science and Engineering

Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration

Acceso

Michael Lescisin, Qusay H. Mahmoud and Anca Cioraca

Software security is a component of software development that should be integrated throughout its entire development lifecycle, and not simply as an afterthought. If security vulnerabilities are caught early in development, they can be fixed before the s... ver m�s

Revista: Computers

An Approach to Predict Debris Flow Average Velocity

Acceso

Chen Cao, Shengyuan Song, Jianping Chen, Lianjing Zheng, Yuanyuan Kong P�g. 1 - 17

Debris flow is one of the major threats for the sustainability of environmental and social development. The velocity directly determines the impact on the vulnerability. This study focuses on an approach using radial basis function (RBF) neural network a... ver m�s

Revista: Water

Groundwater Risk Assessment Model (GRAM): Groundwater Risk Assessment Model for Wellfield Protection

Acceso

Nara Somaratne, Hajrudin Zulfic, Glyn Ashman, Hayley Vial, Brooke Swaffer and Jacqueline Frizenschaf

A groundwater risk assessment was carried out for 30 potable water supply systems under a framework of protecting drinking water quality across South Australia. A semi-quantitative Groundwater Risk Assessment Model (GRAM) was developed based on a ?multi-... ver m�s

Revista: Water

Revistas destacadas

Acceso directo a los n�meros publicados en la revista Infrastructures

Infrastructures

Acceso directo a los n�meros publicados en la revista Informed Infraestructure

Informed Infraestructure

Acceso directo a los n�meros publicados en la revista BiT

Acceso directo a los n�meros publicados en la revista Revista de la Construcci�n

Revista de la Construcci�n

Ver todas las revistas disponibles