PROTECTION OF USER CREDENTIALS IN WEB APPLICATION

Author: Kristijan Kuk, Professor
Keywords: web application security, vulnerabilities, data security, user data protection

Abstract

Protecting user data in web applications is a challenge that developers face. Enabling secure user login and overcoming vulnerabilities without exposing sensitive data to attackers relies on the application of modern protection methods and techniques. This paper first reviews the current state of this area, with an emphasis on important security features. The available systems are then evaluated and the obtained results quantified, so that their advantages and disadvantages become visible. A further goal of the paper is a deeper insight into the field of user data security. Special attention is given to the importance of protecting the passwords used to access web applications.

Published: 2020-11-27
Section: Informatics and Applied Mathematics in Forensic, Cybercrime and Security Science