Web Application Security Education Platform Based on OWASP API Security Project
Abstract
The trend toward API-based systems in web applications has kept growing steadily over the last few years. APIs allow web applications to interact with external systems to enable business-to-business or system-to-system integration, which leads to multiple application innovations. However, this trend also comes with a different attack surface of security problems that can harm not only web applications but also mobile and IoT applications. This research proposes a web application security education platform focused on the OWASP API Security Project. The platform provides security risks such as excessive data exposure, lack of resources and rate limiting, mass assignment, and improper asset management, which cannot be found in monolithic security learning applications like DVWA, WebGoat, and Mutillidae II. The development also applies several methodologies, such as the Capture-The-Flag (CTF) learning model, vulnerability assessment, and container virtualization. Based on our experiment, we successfully provided 10 API vulnerability challenges on the platform at 3 different levels of severity risk rating, which can be exploited using tools like Burp Suite, SQLMap, and JWTCat. Finally, based on our performance experiment, all of the containers on the platform can be deployed in approximately 16 seconds with minimal storage resources, and the platform is able to serve up to 1000 concurrent users with an average throughput of 50.58 requests per second, 96.35% successful requests, and a 15.94s response time.
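Two of the OWASP API Security risks the abstract names, excessive data exposure and mass assignment, come down to the same handler mistake: trusting the client to decide which fields it reads and writes. The following is an added illustration, not code from the platform described above; it uses a constructed in-memory user store and shows a vulnerable JSON handler beside a hardened one that applies an explicit response schema and a write allowlist.

```python
from dataclasses import dataclass, asdict

@dataclass
class User:
    id: int
    username: str
    email: str
    role: str = "user"
    password_hash: str = "$argon2id$CONSTRUCTED-PLACEHOLDER"  # not a real hash

def make_db():
    """Constructed in-memory user store standing in for the platform's database."""
    return {1: User(1, "alice", "alice@example.test")}

# --- Vulnerable handlers: one pattern for each of the two risks ---
def get_user_vulnerable(db, user_id):
    # Excessive data exposure: the whole record is serialised, including the
    # password hash and role, and the client is trusted to filter what it shows.
    return asdict(db[user_id])

def update_user_vulnerable(db, user_id, payload):
    # Mass assignment: every JSON key is bound straight onto the model, so
    # {"role": "admin"} or a replacement password_hash is accepted silently.
    user = db[user_id]
    for key, value in payload.items():
        setattr(user, key, value)
    return 200, asdict(user)

# --- Hardened handlers: explicit response schema and a write allowlist ---
PUBLIC_FIELDS = ("id", "username", "email")
WRITABLE_FIELDS = frozenset({"username", "email"})

def get_user_hardened(db, user_id):
    # Only the fields the API contract promises are serialised.
    user = db[user_id]
    return {k: getattr(user, k) for k in PUBLIC_FIELDS}

def update_user_hardened(db, user_id, payload):
    unknown = set(payload) - WRITABLE_FIELDS
    if unknown:
        # Reject rather than silently drop: an attempt to write a hidden field
        # is worth logging, and silent dropping hides misconfigured clients.
        return 400, {"error": "fields not writable", "fields": sorted(unknown)}
    user = db[user_id]
    for key in sorted(WRITABLE_FIELDS & set(payload)):
        setattr(user, key, payload[key])
    return 200, get_user_hardened(db, user_id)
```

The handlers return an HTTP-style (status, body) pair so the behaviour can be checked without a web framework.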
Copyright (c) 2022 EMITTER International Journal of Engineering Technology
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.