EFFECTIVENESS OF SECURITY THROUGH OBSCURITY METHODS TO AVOID WEB APPLICATION VULNERABILITY SCANNERS
Abstract
The National Institute of Standards and Technology (NIST) does not recommend security through obscurity as a form of system security. The concept hides assets so that attackers have difficulty finding them, and it can therefore be used against the vulnerability scanner applications that attackers widely use to discover weaknesses in web systems. This research modified a web application firewall (WAF) and tested it with the SQLMap and OWASP Zed Attack Proxy (ZAP) vulnerability scanners. The results show that SQLMap takes up to 1238 times longer to complete a scan against the modified WAF than against the unmodified one, while OWASP ZAP cannot complete a scan under the same treatment. The concept of security through obscurity can thus be applied to web security to extend vulnerability scanning time.
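The abstract reports that a modified WAF stretched SQLMap's scan time and stalled OWASP ZAP, but it does not publish the modification itself. The block below is an added illustration, not the authors' code, of two obscurity-style measures a WAF layer could apply in that spirit: removing stack-fingerprint headers from every reply, and tarpitting clients whose user agent or request rate looks like an automated scanner, answering them with a uniform content-free page. The scanner signatures, the burst threshold, the delay value and the sample traffic are all constructed assumptions.

```python
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Assumed scanner signatures; the paper does not list which ones it matched on.
SCANNER_UA = re.compile(r"sqlmap|zap|nikto|nessus|nuclei", re.IGNORECASE)
# Headers that reveal the stack; stripped from every response (the obscurity step).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
BURST_WINDOW_S = 10.0   # sliding window for per-client request-rate profiling (assumed)
BURST_THRESHOLD = 25    # requests per window beyond which traffic looks automated (assumed)


@dataclass
class Request:
    client_ip: str
    user_agent: str
    path: str


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class ObscurityWAF:
    """Hypothetical WAF front-end that delays scanner-like clients and hides fingerprints."""
    backend: Callable[[Request], Response]
    tarpit_delay_s: float = 5.0
    sleep: Callable[[float], None] = time.sleep  # injectable so tests need not wait
    _seen: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    log: List[str] = field(default_factory=list)

    def classify(self, req: Request, now: float) -> Tuple[bool, str]:
        """Return (is_scanner, reason) from the user agent and the client's recent rate."""
        window = self._seen[req.client_ip]
        window.append(now)
        while window and now - window[0] > BURST_WINDOW_S:
            window.popleft()
        if SCANNER_UA.search(req.user_agent or ""):
            return True, "user-agent signature"
        if len(window) > BURST_THRESHOLD:
            return True, f"{len(window)} requests in {BURST_WINDOW_S:.0f}s"
        return False, ""

    def handle(self, req: Request, now: Optional[float] = None) -> Response:
        now = time.monotonic() if now is None else now
        is_scanner, reason = self.classify(req, now)
        if is_scanner:
            self.log.append(f"scanner-like {req.client_ip} {req.path}: {reason}")
            # Tarpit: every scanner request costs the client the full delay,
            # which is what stretches the total time a scan needs.
            self.sleep(self.tarpit_delay_s)
            # Uniform reply with no distinct status codes or error text to learn from.
            resp = Response(404, {"content-type": "text/plain"}, "Not Found")
        else:
            resp = self.backend(req)
        # Fingerprint removal is applied to every reply, scanner or not.
        resp.headers = {k: v for k, v in resp.headers.items()
                        if k.lower() not in FINGERPRINT_HEADERS}
        return resp


def demo_backend(req: Request) -> Response:
    """Constructed origin server that leaks its stack in headers."""
    return Response(200, {"server": "Apache/2.4.54 (Ubuntu)", "x-powered-by": "PHP/8.1",
                          "content-type": "text/html"}, "<html>ok</html>")


def run_demo() -> dict:
    """Replay constructed traffic: one browser hit, one sqlmap probe, one 30-request burst."""
    slept: List[float] = []
    waf = ObscurityWAF(backend=demo_backend, tarpit_delay_s=5.0, sleep=slept.append)
    browser = waf.handle(Request("10.0.0.5", "Mozilla/5.0", "/index.php"), now=0.0)
    probe = waf.handle(Request("10.0.0.9", "sqlmap/1.6", "/item.php?id=1'"), now=1.0)
    burst = [waf.handle(Request("10.0.0.7", "curl/8.0", f"/p{i}"), now=2.0 + i * 0.1)
             for i in range(30)]
    return {
        "browser_status": browser.status,
        "browser_headers": sorted(browser.headers),
        "probe_status": probe.status,
        "burst_statuses": [r.status for r in burst],
        "total_tarpit_seconds": sum(slept),
        "log": list(waf.log),
    }


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

In the replayed traffic the browser request passes through with its `server` and `x-powered-by` headers removed, the sqlmap probe is delayed and answered uniformly, and the burst client is tarpitted from its 26th request inside the window onward; the paper's headline numbers come from a real WAF and real scanners, so the delay here only shows the mechanism, not the measured factor.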
Copyright (c) 2023 Azis Kurniawan, Kalamullah Ramli
This work is licensed under a Creative Commons Attribution 4.0 International License.