Title: State of the Art: Systematic Review of REST-Oriented Security
Authors: Corredor Ceballos, Nidia Estefanía
Director(s): Martínez Rojas, Mario, dir.
Keywords: WEB SERVICES
REST
SECURITY
VULNERABILITY
Issue Date: 2017
Citation: Corredor Ceballos, N. E. (2017). Estado del arte revisión sistemática de la seguridad orientada a Rest. Trabajo de Grado. Universidad Católica de Colombia. Facultad de Ingeniería. Programa de Ingeniería Civil. Bogotá, Colombia
Abstract: The main types of computer attacks were analyzed, the best-known vulnerabilities and the recommended types of security for REST web services were described, a systematic review was carried out of the publications that study the types of vulnerability of REST web services, and these were classified on the basis of a taxonomy of vulnerabilities in order to detail their structure.
Description: Research work
URI: http://hdl.handle.net/10983/15230
Appears in Collections: ACI. Pregrado Sistemas
