International Journal of Applied Information Systems (IJAIS) ISSN : 2249-0868
Foundation of Computer Science FCS, New York, USA
Volume 12 No. 3, June 2017 www.ijais.org
Investigating Websites and Web Application
Vulnerabilities: Webmaster’s Perspective
Vincent Appiah
West African Center for Cell
Biology of Infectious Pathogens
Department of Biochemistry,
Cell and Molecular Biology
University of Ghana
Isaac Kofi Nti
Department of Computer
Science
Sunyani Technical University
Sunyani, Ghana
Owusu Nyarko-Boateng
Innerjoy Digital Systems
Sunyani, Ghana
ABSTRACT
Developments in Information Technology (IT) have raised many fears about the risk to information that comes with weak IT security, including susceptibility to malware, attacks and viruses and the compromise of network systems and services. Anyone who goes on the net is vulnerable to security threats. Inadequate IT security may result in compromised integrity and confidentiality and the release of sensitive data to unauthorized persons. In most development communities and countries, IT vulnerability has become an important concept used to guide the evaluation, design and targeting of programs. Staying ahead of the ever-evolving threat of an information breach on websites and web applications requires conscientiousness on the part of webmasters and heads of IT sections within an organization in understanding and anticipating the risks. This paper seeks to examine the knowledge of webmasters and heads of IT sections of selected institutions in Ghana about threats and vulnerabilities in the cyber world, through semi-structured questionnaires and one-on-one interviews, and proposes a way forward for boosting the knowledge base of IT staff and webmasters, thereby contributing to the reduction of cyber-crime in the country; it also outlines some guidelines for end-users on how to surf the web safely. The survey showed that, on average, 47% of the respondents have little or no knowledge of at least one of the existing website vulnerabilities.
General Terms
Websites and web application vulnerabilities
Keywords
Website-Security, Web-application-Security, Security-risk,
SQL-injection, Firewall, Intrusion-Detection-System, Web-
security-vulnerability, Web-Vulnerabilities
1. INTRODUCTION
Most modern websites and web applications are used to carry out major tasks, including forms that collect personal, secret and private information such as health history, debit, credit and bank account details, as well as user satisfaction feedback. The security of a computer system is important for protecting the system and the data stored in it; this has made computer security the most discussed topic in the IT world [1]. An essential fact of web application and Internet security is that 100% assurance that a computer system is reliable and trustworthy is not possible [1]. A vulnerability on a website or in a web application on the Internet may compromise all the sensitive data and continuously produce reports whose consequence is costly damage [2]. Websites and web applications such as educational websites, government websites, healthcare applications and financial applications interact with their backend (database) several times upon a client request, and if the security of such a website or web application is compromised, it results in loss of information, financial loss, lawsuits and identity theft [3]. According to the Web Application Security Consortium, the security of websites that are used to collect user data, and of web applications, is of utmost importance; a report from the Web Application Security Consortium shows that 49 percent of web applications have high-severity vulnerabilities and 13 percent are exposed to security vulnerabilities automatically. These insecure websites and web applications lead to known security liabilities such as cross-site scripting, SQL injection, security misconfiguration, cookie theft, self-propagating worm attacks and session hijacking [3].
Figure 1 Average number of vulnerabilities within web
application (Source: Chaudhari & Vaidya, 2014)
Figure 1 shows a graph of vulnerabilities within web applications from 2010 to 2012. From the graph in Figure 1 it can be seen that vulnerabilities in web applications are rising from year to year. Computer security is now employed in every field that deals with information processing and data storage. The use of debit, credit and ATM cards, authentication mechanisms and information access all involve computer security to safeguard the activities of computer users and systems [4].
In order to maintain a productive computing environment, computer security should be a priority. Cyber-crime is on the increase across the globe and as such organizations should
also protect their systems against such attacks [5]. A report by [6] says that the government of Ghana official portal, which hosts fifty-eight (58) websites of bureaus, departments and agencies, was hacked by unknown hackers, and 11 of the 58 websites were attacked and replaced with a picture bearing a statement which reads “On us, the sword withdrawal of our homeland, unless entered, unless long suffering nation, unless anyone of us does damage to our homeland against our religion a bad idea to have all of the countries of virtual war will be opened in the Turks and tested my patience.” The report attributed the hack to a software failure and to the failure of some webmasters and administrators to bring their software up to date. The report further indicated that the attack was the second time in 3 years that hackers had taken over the government website. These disastrous occurrences in Ghana have raised many queries regarding the security of the country’s cyber space [6]. A Moroccan jihadist group hacked the websites of KNUST and Ghana Post, and some websites of the government were hacked, including the website of the Registrar General’s Department; the hacker introduced herself/himself as V3nom X and marked the entire site of the Registrar General’s Department with some symbols and the inscription “Security is just an illusion, wake up!!!” printed below the site [7]. Another report shows that the website of the Electoral Commission (EC) of Ghana was attacked by unknown hackers intending to change the electoral results with "fake results" of the just-ended election conducted by the commission in December 2016, but the commission said the attack did not materialize even though the site went down for some period [8]. One way of ensuring protection is to identify such security flaws before the attackers do anything, but the increase in cyber-attacks raises the question of whether the webmasters managing the various websites of institutions in the country are abreast of the various cyber-attack technologies. In view of this, this research work seeks to examine the knowledge of webmasters of twenty (20) randomly selected institutions in Ghana through semi-structured questionnaires and one-on-one interviews and to propose a way forward for reducing cyber-crime in the country.
2. STRUCTURE OF WEBSITE AND
WEB APPLICATIONS
Figure 2 shows the basic business logic of a website and an internet application, which has a client interface and a server end on a web server and is identified by a uniform resource locator (URL). The web server is identified by its name. The browser (client) and server talk via the transport protocol TCP. Figure 3 shows the fundamental architecture of data flow in a website and a web application. The transport protocol is HTTP; the data formats are Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML). The user clicks or enters a URL to call the application or access the website [9]. A request is sent via the communication protocol from the client to the server. A script at the web server extracts the input from the client data and creates a request to a backend application server, e.g. a MySQL query to a database. The web server receives the result from the backend and returns a Hypertext Markup Language (HTML) result page to the client. The result is displayed as a page by the client’s browser. To show a page, the browser creates an internal representation of it.
[Figure 2 diagram: browser exchanging HTML & CSS data with the web server; the server side holds static and dynamic HTML and scripts; the backend (database) sits in the cloud]
Figure 2 Architecture of Website/Web Application
2.1 Website Security Risks
The following section centers on areas that need to be observed from a technical perspective by IT practitioners in order to increase the reliability and security of all programs and systems involved.
Websites now face a great deal of security risks. These risks can affect the confidentiality, integrity or availability of data. The negative impact of some of these risks is very low, while others can be very devastating. Some of the security risks are:
Buffer overflows
Denial of service attacks (Dos)
OWASP Top 10
2.1.1 Buffer Overflow
This is the situation where the data being written by a program to a buffer exceeds the capacity of the buffer. As a result, the extra data flows into the adjacent memory locations. Buffer overflows occur due to deficiencies in a program’s memory management, such as missing bounds-checking mechanisms. Programs written in C usually face this issue. For example, if a program allocates 20 bytes to a memory buffer and an attempt is made to store 25 bytes, the extra 5 bytes will spill into the adjacent buffer, and this might cause the program to crash. If there is data in that adjacent space, it might be overwritten. Buffer overflows can lead to the crashing of a program (denial of service) or the insertion of a remote shell which can be used to execute arbitrary code [10].
2.1.2 Denial of Service
This is an attack that renders an application or network unable to function properly. It is usually performed by sending several requests to the application. If the number of requests is more than it can handle, the application hangs and users will not be able to use the service. Buffer overflow attacks can also cause denial of service by flooding the memory with data.
A distributed denial of service describes the situation where large numbers of computers are used to cause denial of service [11]. Denial of service attacks can take several forms, which include:
Buffer overflow
Smurf attack
Tear drop attack
Buffer overflow attacks are usually performed by sending data that is larger than the allocated memory buffer. As a result, the extra bytes spill into adjacent buffers and the program crashes.
A Smurf attack involves the attacker sending packets to a receiving machine. The request is then sent to all hosts on the network using the broadcast address. The packets are then sent to the address indicated in the packet headers, which is usually the address of the target (IP spoofing). Because this is a broadcast, all the hosts which received the request also send their response to the same address. If the volume of packets is overwhelmingly large, the target address is unable to receive any other incoming traffic.
The tear drop attack involves sending large packet data to the target machine. The Internet Protocol (IP), unable to handle reassembly of the packet fragments due to a confusing offset value, eventually causes the system to crash.
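The request-flooding form of denial of service described above is usually met first with a per-client request budget in front of the application. The following is an added example (not code from the paper or from any product it names) of a sliding-window limiter; the class name, the budget of requests per window and the fake clock are assumptions made for the illustration.

```python
import time
from collections import deque

# Constructed example (not from the paper): a per-client sliding-window request
# limiter, the usual first line of defence when a client sends more requests
# than the application can handle.  The default budget of 100 requests per
# 60 seconds is an assumed value for illustration.
class RateLimiter:
    def __init__(self, max_requests=100, window_seconds=60.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock            # injectable clock so behaviour can be tested offline
        self.history = {}             # client id -> timestamps of recent accepted requests

    def allow(self, client_id):
        """Return True if this request fits the client's budget, else False."""
        now = self.clock()
        recent = self.history.setdefault(client_id, deque())
        # Discard timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False              # over budget: reject cheaply, before any real work
        recent.append(now)
        return True


class FakeClock:
    """Manual clock so the demonstration does not depend on wall-clock time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_flood(limiter, client_id, count):
    """Send `count` back-to-back requests from one client; return (accepted, rejected)."""
    accepted = sum(1 for _ in range(count) if limiter.allow(client_id))
    return accepted, count - accepted


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RateLimiter(max_requests=5, window_seconds=10.0, clock=clock)
    # Constructed sample addresses from documentation ranges.
    print("flood from one client:", simulate_flood(limiter, "198.51.100.7", 8))
    print("other client still served:", limiter.allow("203.0.113.4"))
    clock.t = 10.0
    print("after the window expires:", limiter.allow("198.51.100.7"))
```

The limiter keys on a client identifier and keeps only accepted timestamps, so a flooding client is rejected with a single comparison while other clients keep their own budget; in production the same shape sits in a reverse proxy or middleware rather than in application code.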
2.1.3 Weakness of the Web Environment
Organizations have been solely dependent upon security measures at the perimeter of networks, such as firewalls and intrusion detection, to protect IT infrastructures [12]. Nevertheless, now that numerous attacks are being geared towards security flaws in web design and web applications, such as injection flaws, the traditional way of network security may not be adequate to safeguard the web, web applications and users [12]. Ten security risks have also been identified by the Open Web Application Security Project (OWASP) as the most critical security risks associated with web applications. These risks are known to be common forms of attack. Aside from that, they are known to be exploitable and can have a negative impact on websites when executed, hence their rank as the top 10. The top 10 risks as published by OWASP are:
Injection flaws
Broken authentication and session management.
Cross site scripting.
Insecure direct object references.
Security misconfiguration.
Sensitive data exposure.
Missing level access control.
Cross site request forgery (CSRF).
Using components with known vulnerabilities.
Unvalidated redirects and forwards.
Injection Flaws: The SANS Institute explains that injection flaws occur when unexpected data is sent by a malicious client. Injection flaws allow an attacker to inject code into the vulnerable computer system. If the injected code is executed, the effect can be disastrous. Aside from stealing information, injection attacks can cause denial of service or the multiplication of worms in a system. Injection attacks include SQL injection, OS injection and LDAP injection. Injection flaws occur when user input is not properly filtered for string escape characters that are often embedded in SQL statements [13] [12].
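The “string escape characters embedded in SQL statements” point is easiest to see side by side: the same lookup built by string concatenation and by a parameterised query. This is an added example, not code from the paper; it uses an in-memory SQLite table (the paper’s setting is a MySQL backend, but the defect and the fix are the same) with made-up rows.

```python
import sqlite3

# Constructed example (not from the paper): one user lookup written with string
# concatenation and with a parameterised query.  Table and rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("o'neil", "staff")])
    return conn


def lookup_unsafe(conn, name):
    # VULNERABLE: quote characters inside `name` become part of the SQL text,
    # so the caller's input can change the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameterised: the driver passes `name` as a bound value, never as SQL,
    # so quotes in it are just characters of the name being searched for.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def unsafe_query_breaks(conn, name):
    """True if the concatenated query is not even valid SQL for this input."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"          # textbook input that makes the WHERE clause always true
    print("unsafe, normal input:", lookup_unsafe(conn, "alice"))
    print("unsafe, tautology:   ", lookup_unsafe(conn, tautology))   # every row is returned
    print("safe,   tautology:   ", lookup_safe(conn, tautology))     # no such name: nothing returned
    print("unsafe breaks on a legitimate apostrophe:", unsafe_query_breaks(conn, "o'neil"))
    print("safe handles the apostrophe:", lookup_safe(conn, "o'neil"))
```

The apostrophe case is worth noting for detection: a concatenating application throws database syntax errors on ordinary names like o'neil, so a spike of such errors in the application log is often the first visible sign of the flaw, well before any deliberate input arrives.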
Broken Authentication and Session Management: This is the second most common flaw in the OWASP top 10. It stems from the fact that flaws exist in session management implementations in web applications. Misconfigurations such as the storage of passwords in plain text or weak encryption of user credentials can lead to this form of attack. According to OWASP, flaws in the implementation of password management, logout mechanisms, timeouts, “remember me”, “forgot my password” etc. can also lead to broken authentication and session management attacks [11].
Cross-Site Scripting (XSS): This is a type of vulnerability in which malicious code injected by a client is executed by the web application. The execution is made possible because the web application fails to filter input properly. This can lead to the stealing of cookies, website defacement and session hijacking. XSS is amongst the most common vulnerabilities of web applications [3] [9] [12]. There are three main types of XSS: Stored XSS, Reflected XSS and DOM-based XSS.
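The filtering failure behind XSS is an output-encoding failure: user text reaches the page as markup. The added example below (not from the paper) renders a comment with and without encoding, and adds the check that encoding alone cannot provide when user data lands in an href attribute. The function names and the sample markup are constructed for the illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed example (not from the paper): rendering user-supplied text into
# HTML with and without output encoding, plus a scheme check for URLs placed in
# an href attribute, where encoding alone is not enough.
def render_comment_unsafe(comment):
    # VULNERABLE: user text is pasted straight into the markup, so tags and
    # event handlers inside it are interpreted by the browser (stored or reflected XSS).
    return '<li class="comment">' + comment + '</li>'


def render_comment_safe(comment):
    # Output encoding: <, >, &, " and ' become entities, so the browser shows
    # the text literally instead of parsing it.
    return '<li class="comment">' + html.escape(comment, quote=True) + '</li>'


def safe_href(url):
    """Return an attribute-safe href, or "#" if the URL is not plain http(s).

    Entity encoding does not neutralise a javascript: URL inside href, so the
    scheme is checked explicitly before the value is encoded.
    """
    candidate = url.strip()
    scheme = urlsplit(candidate).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(candidate, quote=True)


def render_profile_link(display_name, url):
    return '<a href="%s">%s</a>' % (safe_href(url), html.escape(display_name, quote=True))


if __name__ == "__main__":
    payload = '<script>alert("x")</script>'        # constructed sample of injected markup
    print(render_comment_unsafe(payload))
    print(render_comment_safe(payload))
    print(render_profile_link('Mallory "M"', "javascript:alert(1)"))
    print(render_profile_link("Alice", "https://example.org/u?id=7&tab=2"))
```

The rule the example encodes is context-specific output encoding: text nodes and attribute values get entity encoding, while URL-valued attributes additionally need a scheme allow-list. Template engines that auto-escape cover the first part; the second still has to be done by the application.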
Insecure Direct Object References: This is where unauthenticated clients are given access to restricted resources such as directories and configuration files. An example is a situation where a directory or a password file that should be available only to administrators on the network is exposed to other users on the network. The absence of an access control check can often result in unauthorized access to such resources through manipulation of URL parameters [12] [13].
Security Misconfiguration: This flaw exists if web applications enable certain features by default, for example default passwords, default accounts, enabled directory listing, bugs in source code and other misconfigured settings. Security misconfigurations can give way to external and internal attacks and, according to OWASP, can result in unauthorized access or complete system compromise. Secure configuration settings should be used to ensure the safe use of web applications.
Sensitive Data Exposure: Sometimes sensitive data is left unprotected on web applications. It can be stolen or modified by attackers and used to gain access or perform unauthorized transactions. Using weak encryption schemes can also result in sensitive data exposure, as attackers can use brute force to obtain the plain text. Sensitive data can also be used to exploit the web application or to find other exploitable vulnerabilities on the web application.
Missing Level Access Control: This occurs when users are not properly authenticated but are given access to restricted resources. A web application must be able to limit and control access to resources. If the application is unable to do this, attackers can leverage it to gain access to restricted resources and even modify data on the server, which might affect the integrity of the data. There should be security checks to ensure that a user is properly authenticated and given the proper access rights, especially if several users with different roles exist on the web application [3] [1].
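The Insecure Direct Object References entry above and this Missing Level Access Control entry are the object-level and function-level halves of the same control: every request must be tied to an authenticated caller and checked against what that caller may reach. The following added example (not from the paper) shows both checks on a small invoice service; the users, roles, records and exception names are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed example (not from the paper): object-level and function-level
# authorization checks for a small invoice service.  Users, roles and records
# are made up for the illustration.
@dataclass
class User:
    id: int
    role: str          # "admin" or "customer"


INVOICES = {
    101: {"owner": 1, "total": 250},
    102: {"owner": 2, "total": 90},
}


class Forbidden(Exception):
    pass


class Unauthenticated(Exception):
    pass


def get_invoice_unsafe(invoice_id):
    # VULNERABLE (insecure direct object reference): whoever puts an id in the
    # URL gets the record; nothing relates the caller to the record's owner.
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    # Authenticate, then check that this caller may see this particular object.
    if user is None:
        raise Unauthenticated()
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if user.role != "admin" and invoice["owner"] != user.id:
        raise Forbidden()          # the record exists, but it is not the caller's
    return invoice


def admin_report(user):
    # Function-level check: leaving this page out of the menu is not a control;
    # the role is verified on every call.
    if user is None:
        raise Unauthenticated()
    if user.role != "admin":
        raise Forbidden()
    return {"count": len(INVOICES), "sum": sum(i["total"] for i in INVOICES.values())}


def can(action, *args):
    """True if `action(*args)` is permitted for this caller, False if it is denied."""
    try:
        action(*args)
        return True
    except (Forbidden, Unauthenticated):
        return False


if __name__ == "__main__":
    customer, admin = User(2, "customer"), User(9, "admin")
    print("unsafe: customer 2 reads invoice 101:", get_invoice_unsafe(101))
    print("checked: customer 2 reads invoice 101:", can(get_invoice, customer, 101))
    print("checked: customer 2 reads invoice 102:", can(get_invoice, customer, 102))
    print("checked: anonymous admin report:", can(admin_report, None))
    print("checked: admin report:", admin_report(admin))
```

Denied requests are a useful detection signal as well: a single client producing many Forbidden results across consecutive invoice ids is the typical footprint of someone enumerating URL parameters, and is worth alerting on.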
Cross-Site Request Forgery (CSRF): This is a type of attack where unauthorized HTTP requests are sent from a user’s browser to a web application into which the user is currently logged. In contrast to XSS, CSRF exploits the trust that a site has in a user’s browser. Because of this trust, the web application is forced to execute these requests [3].
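The standard way to stop the web application from trusting the browser alone is to require a second value that only a page served by the site itself could contain. The added example below (not from the paper) implements that synchronizer-token pattern with an in-memory session store; the store, the transfer form and the status codes are assumptions for the illustration.

```python
import hmac
import secrets

# Constructed example (not from the paper): the synchronizer-token pattern.
# The in-memory session store, the /transfer form and the status codes are
# assumptions for this illustration.
SESSIONS = {}


def start_session(username):
    """Create a logged-in session; returns the id the browser keeps in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    # The token is embedded in a page the site itself served.  A page on another
    # origin cannot read it, so a request that page triggers cannot include it.
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="amount"><button>Send</button></form>' % token)


def handle_transfer(cookie_sid, form):
    """Return an HTTP status: 401 no session, 403 token mismatch, 200 accepted."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401
    submitted = form.get("csrf_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    return 200


if __name__ == "__main__":
    sid = start_session("alice")                         # alice logs in; her cookie is sid
    token = SESSIONS[sid]["csrf_token"]
    # Request from the site's own form: cookie and matching token both present.
    print("own form:", handle_transfer(sid, {"csrf_token": token, "amount": "50"}))
    # Cross-site request: the browser attaches alice's cookie automatically,
    # but the foreign page could not learn the token, so it is absent or wrong.
    print("forged:", handle_transfer(sid, {"amount": "5000"}))
    print("guessed token:", handle_transfer(sid, {"csrf_token": "x" * 43, "amount": "5000"}))
    print("no session:", handle_transfer("stale-id", {"csrf_token": token}))
```

The token is per session rather than per application, so a token leaked from one user’s page is useless against another session, and it is compared with hmac.compare_digest so the check does not leak timing.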
Using Components with Known Vulnerabilities: Applications with known vulnerabilities are likely to be compromised because exploits might be available. If such applications are compromised, an attacker might gain full access to the network, which will affect confidentiality.
Unvalidated Redirects and Forwards: This is due to improper validation of user-supplied data. Attackers can leverage this to redirect victims to malicious web pages. Forwards can also be used to access restricted pages. This can affect the confidentiality of data.
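The validation this entry calls for is a check on the redirect target before the Location header is written. The added example below (not from the paper) validates a user-supplied “next” parameter against the site’s own host and handles the inputs that commonly slip past a naive prefix check; the allowed host name is an assumption for the illustration.

```python
from urllib.parse import urlsplit

# Constructed example (not from the paper): validating a user-supplied
# "next" parameter before redirecting to it.  The allowed host is assumed.
ALLOWED_HOSTS = {"www.example.edu"}


def safe_redirect_target(next_url, default="/"):
    """Return `next_url` if it stays on this site, otherwise `default`."""
    if not next_url:
        return default
    candidate = next_url.strip()
    # Browsers treat backslashes as slashes, so "/\evil.example" would leave
    # the site even though it looks like a local path.
    if "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Plain path: must be absolute ("/x") but not protocol-relative ("//x").
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # Absolute URL: scheme and host (the hostname, not any userinfo before "@")
    # must both be acceptable.
    if parts.scheme.lower() in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return default


if __name__ == "__main__":
    samples = [                                  # constructed inputs
        "/account",
        "//evil.example/login",
        "https://www.example.edu/courses",
        "https://evil.example/",
        "https://www.example.edu@evil.example/",
        "javascript:alert(1)",
        "/\\evil.example",
        "",
    ]
    for s in samples:
        print("%-42r -> %r" % (s, safe_redirect_target(s)))
```

The userinfo case is the one a startswith("https://www.example.edu") check gets wrong: the string begins with the trusted host, but the browser connects to whatever follows the "@". Parsing the URL and comparing the hostname avoids that class of bypass.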
Table 1 Examples of vulnerabilities
No. | Hack attack | What hackers use it for
1 | Cookie Poisoning | Session take-over and personality theft
2 | Hidden Field Manipulation | E-shoplifting
3 | Parameter Tampering | Scam
4 | Buffer Overflow | Denial of service / closure of business
5 | Cross-Site Scripting | Skyjacking / identity theft
6 | Backdoor and Debug Options | Intruding
7 | Forceful Browsing | Entering and transgression
8 | HTTP Response Splitting | Personality theft, phishing and e-graffiti
9 | Stealth Commanding | Obscuring weapons
10 | 3rd Party Misconfiguration | Devastating a site
11 | Known Vulnerabilities | Taking control of the site
12 | XML & Web Services Vulnerabilities | New layers of attack vectors & malicious use
13 | SQL Injection | DB info manipulation
Table 1 gives a summary of some known hack attacks executed by ill-intentioned persons on websites and web applications and what they seek to achieve.
3. TOOL AND METHODS
A non-probability random sampling technique was adopted in this paper to provide a range of alternative techniques based on the researchers’ subjective judgment. Microsoft Excel and SPSS were used for the analysis and interpretation of the collected data. Twenty (20) webmasters and IT personnel from randomly selected schools, corporate bodies and microfinance institutions were defined as the population of interest. The questions were divided into two sections. The demographic information (non-technical) of the webmasters (respondents) is acquired in the first section, while the second section (technical) collects the knowledge of the webmasters (respondents) on the website and web application vulnerabilities discussed above.
4. RESULTS AND DISCUSSION
The percentage age distribution of the twenty (20) webmasters and IT sectional heads is as shown in Figure 3.
[Figure 3: pie chart of age groups 15-19, 20-29, 30-39, 40-49 and >= 50; the recoverable labels are 20-29 at 21% and 40-49 at 16%]
Figure 3. Age distributions of surveyed subjects
To give a good judgment in relation to the respondents’ years of practice and knowledge of current and existing website and web application vulnerabilities, respondents’ years of practice in the field of IT were as shown in Figure 4.
[Figure 4: bar chart, x-axis Years of experience (1, 2, 3, 4, 5, >=6), y-axis Frequency (0 to 10); frequencies 0, 1, 3, 5, 3, 8]
Figure 4 Bar chart of respondents’ years of practice
From Figure 4, eight (8) respondents have been in practice for six years and above, three respondents in practice for five (5) years, five respondents in the service for 4 years, three for 3 years, and one for 2 years respectively.
Website and web application vulnerability knowledge by respondents
The knowledge of the respondents was tested against all the discussed cyber vulnerabilities.
Figure 5 Website and web application vulnerability
knowledge by respondents
It was observed that 95%, representing 19 out of the 20 respondents interviewed, had average knowledge of injection flaws, while 60%, representing 12 respondents, had knowledge of broken authentication and session management. Security misconfiguration scored 90%, that is 18 out of 20 respondents, and it came to light that almost 95% of these 18 people have in one way or the other encountered a problem with this vulnerability. Fifteen (15) out of the 20 respondents, representing 75%, are aware of sensitive data exposure, while 16 out of 20 are aware of missing level access control. Vulnerabilities such as cross-site request forgery (CSRF), using components with known vulnerabilities, unvalidated redirects and forwards, cross-site scripting and insecure direct object references had 6, 9, 5, 4 and 3 respectively out of the 20 respondents. Insecure direct object references recorded the lowest awareness of 15%, implying that 85% of webmasters and IT practitioners (respondents) have no knowledge of what insecure direct object references are.
How to protect yourself while surfing the web
While end-users enjoy modern website and web application services, they should take adequate measures to protect themselves.
Common safety measures for end-users
Don’t use public computers, such as café computers, to log in to critical or sensitive websites and web applications.
Never cache your password and username on a computer.
Always log off at the end of a session.
Do not use the same password for different websites and web application logins.
Regularly change your password for sensitive web applications and websites.
Immediately report any abnormalities in a website or web application service to the provider.
Ensure that you have a personal firewall and anti-virus installed on your computer and that they are up to date.
5. CONCLUSION AND
RECOMMENDATION
The vulnerability assessment was helpful as it provided information about the level of understanding of webmasters and IT practitioners regarding the existing and current security issues associated with websites and web applications. It is therefore important to be abreast of these security issues, so that respondents will learn and know the techniques to combat these security threats. The survey showed that, on average, 47% of the respondents have little or no knowledge of at least one of the existing website vulnerabilities.
In addition, we noticed that managerial issues or administrative errors such as the following contribute immensely to security threats.
Managers and webmasters of the institutions do not recognise that numerous security threats cause a reduction in the organization’s reputation.
Managers of websites do not consider the fact that the data on their websites costs money, and in addition they lose the ability to estimate the cost of the information.
Most managers and webmasters depend on off-the-shelf protection tools and software such as intrusion detection systems or firewalls without regularly monitoring them and their websites.
Because most institutions want to launch or re-launch their website as quickly as possible, well-trained technical staff are not given the website development contract due to cost (cheap labour), forgetting that there is a saying that says “if you think education is expensive try ignorance”.
To have an effective, reliable and secure website or web application, the implementation has to be done with attention and care, and it has to be monitored and maintained.
Based on the findings, it is recommended that:
Management should organize refresher programs for their respective webmasters and IT personnel to update their knowledge of current threats facing the cyberspace.
Proper and adequate security measures should be in place to protect organizational websites, data and clients’ information from hackers.
Website owners must get in line with industry standards, such as SSL/TLS implementation and SHA-2 migration.
6. FUTURE WORK
The survey reveals that the general knowledge of respondents (webmasters and IT heads) of the various vulnerabilities is low; hence one can foresee that the websites and web applications managed by these personnel are exposed to these numerous vulnerabilities. In light of this, our future research will focus on vulnerability assessment of a few selected sites to identify the vulnerabilities present and propose measures to alleviate these weaknesses to improve security.
7. ACKNOWLEDGEMENTS
We would like to thank the Almighty God for His Grace and
Protection.
[Figure 5 data, displaced here by extraction: bar chart of the number of respondents (out of 20) with knowledge of each vulnerability; y-axis Frequency, x-axis Website and Web Application Vulnerabilities. Bar values in order: 19, 12, 4, 3, 18, 15, 16, 6, 9, 5; the truncated bar labels read Cross site, Insecure, Security, Sensitive, Missing, Cross site, Using, Unvalidate]
8. REFERENCES
[1] A. Hesham and S. Mohammad, “Survey of Web
Application and Internet Security Threats,” International
Journal of Computer Science and Network Security, vol.
12, no. 12, pp. 67-76, 2012.
[2] K. Durai and K. Priyadharsini, “A Survey on Security
Properties and Web Application Scanner,” International
Journal of Computer Science and Mobile Computing,
vol. 3, no. 10, pp. 517-527, 2014.
[3] X. Chaudhari and M. Vaidya, “A Survey on Security and
Vulnerabilities of Web Application,” International
Journal of Computer Science and Information
Technologies, vol. 5, no. 2, pp. 1856-1860, 2014.
[4] I. K. Nti, J. A. Ansere and A. Appiah, “Investigating
ATM Frauds In Sunyani Municipality: Customer’s
Perspective,” International Journal of Science and
Engineering Applications, vol. 6, no. 02, pp. 59-65,
2017.
[5] F. Twum, K. Nti and M. Asante, “Improving Security
Levels in Automatic Teller Machines (ATM) Using
Multifactor Authentication,” International Journal of
Science and Engineering Applications, vol. V, no. 3, pp.
126-134, 2016.
[6] N. A. Acquaye, “Software vulnerability led to Ghana
govt site hack,” 2015. [Online]. Available:
http://www.biztechafrica.com/article/software-
vulnerability-led-ghana-govt-site-hack/9583/. [Accessed
1 November 2016].
[7] Ghanacelebrities.com, “Website of Registrar General’s
Department Hacked,” 2014. [Online]. Available:
http://www.ghanacelebrities.com/2015/12/15/website-of-
registrar-generals-department-hacked/. [Accessed 03
May 2015].
[8] BBC, “Ghana election commission website hit by cyber-
attack,” 2016. [Online]. Available:
http://www.bbc.com/news/world-africa-38247987.
[Accessed 3 January 2017].
[9] D. Vandana, Y. Himanshu and A. Jain, “Web
Application Vulnerabilities: A Survey,” International
Journal of Computer Applications, vol. 108, no. 1, pp.
25-31, 2014.
[10] H. Nemati, “Information security and ethics: concepts,
methodologies, tools, and applications: concepts,
methodologies, tools, and applications,” IGI Global, pp.
73-75, 2008.
[11] P. Svenhard and A. Radaslic, “A penetration test of an
Internet service provider,” School of Information
Science, Computer and Electrical Engineering, 2012, pp.
5-25.
[12] HKSAR, “Web Application Security,” The Government
of the Hong Kong Special Administrative Region, Hong
Kong, 2008.
[13] R. Johari and P. Sharma, “A Survey on Web Application
Vulnerabilities (SQLIA, XSS) Exploitation and Security
Engine for SQL Injection,” International Conference on
Communication Systems and Network Technologies, pp.
453-458, 2012.
[14] M. E. Whitman and H. Mattord, Principles of
Information Security, Fourth Edition ed., 2012.
[15] J. Vacca, “Computer and Information Security
Handbook,” Elsevier Inc, 2009, pp. 63-70.
[16] BiztechAfrica, “Annual security roundup report: 2016
Security Roundup,” 2017. [Online]. Available:
http://www.biztechafrica.com/article/trend-micro-2016-
security-roundup-reveals-748-incr/12235/. [Accessed 2
March 2017].
[17] R. Lehtinen and G. T. Gangemi, “Computer Security
Basics, 2nd Edition,” O’Reilly, Ed., 2011, pp. 24-26.
... The participants included students, teaching and non-teaching staff. The design phase of the employee clocking system integrated the biometric fingerprint scanner to a web application [20,21]. The web application is a common platform for all the fingerprint devices which connect to a single database [22,23]. ...
... The study has been designed to improve employee attendance at the universities and other related organizations. The employee clocking system comprises of a database, web application [20] and the finger. The fingerprint's Software Development Kit (SDK) we used to design the web application, and the database [22] includes JavaScript, PHP, MySQL and C#. ...
... This allows transaction details to be exchanged between the user and the bank until the service is completed. A session needs to be allocated to every transaction request; the response for this request and the following series of requests and responses in that session all share the same requestacknowledgement-response handshake until the transaction is confirmed (Appiah et al., 2017;Nedjah et al., 2019). The communication can be established even when a call is active because the two services use different communication channels (Owusu et al., 2017). ...
... In this case, the card owner has authority to accept or deny payment. A copy of the confirmation message would be sent to the card owner's email address, including an official receipt of the transaction (Owusu et al., 2017;Appiah et al., 2017). ...
Article
Full-text available
The rapid growth of the internet across the globe has gained attention in the world of business. The internet has become the major driver for business growth in the world; due to several security lapses online; it is necessary to implement measures and standards on the internet to protect transactions online. These security lapses have led to the development of various online payment protocols to ensure the safety of online transactions such as Secure Electronic Transaction (SET), internet Keyed Payment (iKP) and The Secure Socket Layer (SSL). There are several methods of paying for online transactions; these include direct payment with bank accounts and the use of electronic card. The payments are subjected to the verification system, which ensures no one uses someone's card to transact business online. Each card has a security feature known as the Card Verification Value (CVV) number, which is used as authentication for online business. The key feature of the card which validates the card owner as the user is the CVV number, which is found at the back of the card. The problem is that when the card gets lost or falls into the hands of another person, it is likely the person might use the card for a fraudulent activity online. This is because all the information required for e-payment is on the card. In this paper, we propose an optimized conceptual model which ensures the removal of the CVV number from the all-electronic card, the paper also recommended a framework that deployed Unstructured Supplementary Services Data (USSD) technology in the online transaction and payment process. In a real-world implementation, the proposed optimized model shall enhance e-commerce payments, card user participation, reduce threats, improves the security of conducting online business and then offer the card user the opportunity to deny or accepts payment.
... About 24 million malware incidents targeting Africa were observed in 2016 [1]. As the internet community expands, web threats are on the rise and it is difficult to provide patches that aid in solving all security vulnerabilities. ...
... We investigate vulnerabilities and the safety level of students' and companies' data on the internship portal of Carnegie Mellon University Africa (CMUA). The internship portal was purposely built to grant companies access to upload available internship vacancies. Students can access the portal and are able to view company details, see available vacancies and get information on the application procedures. ...
Preprint
Web security has become an important subject; many companies and organizations are becoming more security conscious as they build web applications to render online services and increase their web presence. Unfortunately, many of these web applications are still susceptible to threats that can affect the users of the sites and also limit organizational operations, as they lack strong immunity to malicious attacks. Educational portals and websites hold vital information whose integrity is important. Taking Carnegie Mellon University Africa's internship portal as a case study, we carried out penetration tests and proffered mitigation measures for the vulnerabilities discovered in the tests. The results will inform educational institutions, especially in the African domain.
... A critical fact in web application and Internet security is that a computer and its associated systems cannot be 100% reliable and trustworthy. Website or web application vulnerabilities on the internet may compromise all sensitive data and continuously generate reports of damage and cost (Durai and Priyadharsini, 2014; Appiah and Nyarko-Boateng, 2017). Websites and web applications such as educational websites, government websites, healthcare applications and financial applications interact with their backend (database) several times upon a client request, and if the security of such a website or web application is compromised, it results in loss of information, financial loss, lawsuits and identity theft (Chaudhari and Vaidya, 2014). ...
Article
Nowadays information has become an asset to many institutions, and as a result these institutions have become targets for people with malicious intent. The web is now an important means of transacting business, and without security, websites cannot thrive in today's complex computer ecosystem, as new threats emerge while old ones are being tackled. Vulnerability assessment of websites is one of the means by which security can be improved on websites. This research seeks to study and use vulnerability assessment as a tool to improve security by identifying vulnerabilities and proposing solutions to the security issues. Assessment was done on 5 web hosts belonging to different institutions in Ghana. Nmap, Nikto and Nessus were the tools used for the assessment. The assessment was carried out in four stages. The first stage was planning, which involved the activities and configurations performed before the actual assessment. The second stage was information gathering, which involved obtaining information about the targets necessary to help identify vulnerabilities. This was followed by vulnerability scanning to identify vulnerabilities on the target hosts. The results indicated that all five hosts had security flaws which needed to be addressed. In all, 16 vulnerabilities were identified on host 1, 8 on host 2, 15 on host 3, 4 on host 4 and 10 on host 5. After the vulnerabilities were identified, a solution was proposed to mitigate the security flaws identified.
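The scanning stage of an assessment like the one above produces tool output that has to be collated into per-host findings before anything can be counted or fixed. The following is an added example, not the cited paper's tooling or results: it parses a constructed Nmap XML report (the shape Nmap writes with -oX) and applies a small set of generic configuration rules. The hosts, addresses, products and versions are invented, and the rules flag exposures (cleartext protocols, reachable database listeners, banner version disclosure, HTTP without HTTPS) rather than asserting any particular vulnerability.

```python
"""Collating Nmap output for the vulnerability-scanning stage. Added example,
not the cited paper's tooling. The XML below is constructed in the shape
Nmap writes with -oX; the hosts, addresses and services are invented. The
finding rules are generic configuration checks (cleartext protocols, exposed
database listeners, banner version disclosure, HTTP without HTTPS), not
claims about specific CVEs."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format (two hosts, a few services).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

CLEARTEXT = {"ftp", "telnet", "pop3", "imap"}
DATABASES = {"mysql", "postgresql", "ms-sql-s", "mongodb", "redis"}


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, service, product, version), ...]} for open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue            # closed/filtered ports are not findings
            svc = port.find("service")
            entries.append((int(port.get("portid")), port.get("protocol"),
                            svc.get("name", "") if svc is not None else "",
                            svc.get("product", "") if svc is not None else "",
                            svc.get("version", "") if svc is not None else ""))
        hosts[ip] = sorted(entries)
    return hosts


def assess(hosts):
    """Apply the generic rules; return {ip: [finding, ...]}."""
    findings = {}
    for ip, entries in hosts.items():
        names = {e[2] for e in entries}
        out = []
        for port, proto, name, product, version in entries:
            if name in CLEARTEXT:
                out.append(f"{proto}/{port} {name}: cleartext protocol exposed")
            if name in DATABASES:
                out.append(f"{proto}/{port} {name}: database listener reachable from the scanner")
            if version:
                out.append(f"{proto}/{port} {name}: version disclosed in banner ({product} {version})")
        if "http" in names and "https" not in names:
            out.append("http offered without https on the same host")
        findings[ip] = out
    return findings


if __name__ == "__main__":
    for ip, items in assess(parse_nmap_xml(SAMPLE_NMAP_XML)).items():
        print(f"{ip}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Run against a real report produced with `nmap -sV -oX scan.xml <targets>` (only against hosts you are authorised to test), the same parser feeds the per-host counts that an assessment report tabulates; the rule list is where Nikto and Nessus findings would be merged in.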
Article
Students’ complaints have increased recently in tertiary education; hence the manual complaints system has become ineffective at handling the vast number of complaints, making it difficult for school authorities to respond adequately to each complaint made. Nevertheless, the advancement of internet and web technologies has paved the way to addressing this growing challenge electronically. This work sought to design a web-based student complaint system for Sunyani Technical University to help manage students’ complaints on campus with efficiency, security, accuracy and reliability. Based on the waterfall model design approach, we implemented the proposed complaints system with HTML and CSS for the frontend, a MySQL database for data keeping and PHP for server-side scripting. The proposed approach was tested for user-friendliness, robustness and security with both students and staff. The obtained feedback proves that our proposed system is adequate for handling students’ complaints more accurately and faster than the conventional method.
Article
A system used for time-clocking, creating an all-inclusive electronic record of how employees log in and out of work on working days, is referred to as a clocking system. The system has the additional feature of calculating an accurate payroll, which in turn can yield a precise figure for what the company spent on labour. In essence, an employee clocking system is a process of monitoring the attendance, presence and truancy of employees in a work environment. In this project, the University of Energy and Natural Resources was used as a case study. The existing method of recording the presence of staff at work is a manual process in which employees record their attendance on paper. The challenges of the current employee attendance system are the difficulty of tracing old records, safekeeping, lack of confidentiality and the chance of other employees logging in for their truant colleagues. This paper sought to introduce a biometric employee clocking system to help overcome the high level of truancy in workplaces. The results of the experiment we conducted indicate a high accuracy for our system, with a TAR value of 99.7%. This accuracy rate is much better than the results other researchers obtained. The excellent accuracy implies that employees will have difficulty checking in or out for their truant colleagues. The high accuracy will help improve the security of attendance records, improve employee performance, ensure fast and easy retrieval of data, ease the monitoring of staff, and prevent impersonation in the attendance logs.
Article
Customers in the banking industry in Ghana have seen a tremendous change in banking activities and delivery since the introduction of electronic banking systems. This research seeks to examine the knowledge of Automatic Teller Machine (ATM) card and service users, and to educate the general public (customers) on frauds associated with the ATM and how to protect themselves against these frauds. The research also outlines strategies and methods that customers and custodians of the ATM can adopt to prevent some ATM frauds. Questionnaires and semi-structured interviews were used as the methodology to collect data. A non-probability sampling technique was adopted by this research to provide a range of alternative techniques based on the researchers' subjective judgment. We employed Microsoft Excel and SPSS for analysis and interpretation of the collected data. ATM users of selected banks in the Sunyani Municipality were defined as the population of interest. A sample of 500 ATM users from different banks was used as a case study. The findings showed that only 57 out of 438 (17.76%) of the respondents who use the ATM and its services have a little knowledge about frauds associated with the ATM in the municipality.
Article
A wide variety of systems need a reliable personal recognition system to either authorize or determine the identity of an individual demanding their services. The goal of such a system is to warrant that the rendered services are accessed only by a genuine user and no one else. In the absence of robust personal recognition schemes, these systems are vulnerable to the deceits of an impostor. The ATM has suffered a lot over the years from PIN theft and other associated ATM frauds due to its traditional authentication mode (PIN). In this paper, we propose a multifactor (PIN and fingerprint) based authentication security arrangement to enhance the security and safety of the ATM and its users. The proposed system demonstrates a three-tier design structure. The first tier is the verification module, which concentrates on the enrollment phase, enhancement phase, feature extraction and matching of the fingerprints. The second tier is the database end, which acts as a storehouse for the fingerprints of all ATM users, preregistered as templates, and the PIN as text. The last tier presents a system platform for banking transactions such as balance inquiries, mini statements and withdrawal. Microsoft Windows 8 was used as the operating system platform for the implementation phase, with the C# programming language for the front end and SQL Server 2010 as the back end. The application evaluation was based on the False Rejection Rate (FRR), False Acceptance Rate (FAR), Average Matching Time (AMT) and Total Error Rate (TER), which show the security and reliability of the proposed system for ATM user authentication and verification.
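The four figures that abstract reports on (FAR, FRR, AMT, TER) are defined by the acceptance threshold applied to the matcher's comparison scores, and a practitioner reading such a paper wants to see how they are derived and how the threshold trades one against the other. The following is an added worked example, not the cited paper's implementation: the matcher is a toy (set overlap of minutiae tuples), the genuine and impostor score lists are constructed, and TER is taken as FAR + FRR at the operating threshold, which is an assumption since some authors report the half total error rate (FAR + FRR) / 2 instead.

```python
"""FAR, FRR, TER and AMT for a fingerprint matcher: an added worked example,
not the cited paper's implementation. The matcher is a toy (Jaccard overlap
of minutiae tuples), and the genuine/impostor score lists are constructed.
TER is taken here as FAR + FRR at the operating threshold; some authors
report the half total error rate (FAR + FRR) / 2 instead."""
import time

# Constructed comparison scores in [0, 1]; higher means more similar.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.70, 0.66, 0.59, 0.48, 0.85, 0.73]
IMPOSTOR_SCORES = [0.12, 0.20, 0.25, 0.33, 0.41, 0.47, 0.52, 0.61, 0.18, 0.29]


def match_score(template_a, template_b):
    """Toy matcher: Jaccard overlap of two minutiae sets of (x, y, angle)."""
    a, b = set(template_a), set(template_b)
    return len(a & b) / len(a | b) if a | b else 0.0


def error_rates(genuine, impostor, threshold):
    """A comparison is accepted when score >= threshold.
    FAR = impostor comparisons accepted / all impostor comparisons.
    FRR = genuine comparisons rejected / all genuine comparisons.
    TER (assumed definition) = FAR + FRR."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr, far + frr


def equal_error_rate(genuine, impostor):
    """Sweep candidate thresholds (the observed scores) and return the
    threshold at which FAR and FRR are closest, and the EER there."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr, _ = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def average_matching_time(pairs):
    """AMT in seconds: wall-clock mean over the given template pairs."""
    start = time.perf_counter()
    for a, b in pairs:
        match_score(a, b)
    return (time.perf_counter() - start) / len(pairs)


if __name__ == "__main__":
    far, frr, ter = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, 0.5)
    print(f"threshold 0.50: FAR={far:.2f} FRR={frr:.2f} TER={ter:.2f}")
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER={eer:.2f} at threshold {t:.2f}")
    enrolled = {(10, 20, 45), (30, 40, 90), (50, 60, 135), (70, 80, 180)}
    probe = {(10, 20, 45), (30, 40, 90), (50, 60, 135), (71, 80, 180)}
    print(f"probe score={match_score(enrolled, probe):.2f}, "
          f"AMT={average_matching_time([(enrolled, probe)] * 1000) * 1e6:.1f} us")
```

For an ATM the threshold is a security decision, not just an accuracy one: raising it lowers FAR (fewer impostors get in) at the cost of FRR (more legitimate customers locked out), so a paper reporting a single FAR/FRR pair should state the threshold it was measured at, and the EER sweep above is the usual way to compare matchers independently of that choice.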
Article
Computer and network security are among the most challenging topics in the Information Technology research community. Internet security is a significant subject that may affect a wide range of Internet users. People who use the Internet to sell, buy and even to communicate need their communications to be safe and secure. This paper discusses the different aspects of Internet and networking security and weaknesses. Main elements of networking security techniques such as firewalls, passwords, encryption, authentication and integrity are also discussed in this paper. The anatomy of a web application attack and the attack techniques are also covered in detail. The security of the high-speed Internet is addressed, as the growth of its use has strained the limits of existing network security measures. Therefore, other security defense techniques related to securing the high-speed Internet and computer security in the real world are studied as well, such as DNS, One-Time Passwords and defending the network as a whole. This paper also surveys worm epidemics in high-speed networks and their unprecedented spread rates.
Article
Information security and ethics have been viewed as one of the foremost areas of concern and interest by academic researchers and industry practitioners. Information security and ethics is defined as an all-encompassing term that refers to all activities needed to secure information and the systems that support it in order to facilitate its ethical use. In this introductory chapter, this very important field of study is introduced and the fundamental concepts and theories are discussed. A broad discussion of tools and technologies used to achieve the goals of information security and ethics is followed by a discussion of guidelines for the design and development of such tools and technologies. Managerial, organizational and societal implications of information security and ethics are then evaluated. The chapter concludes after an assessment of a number of future developments and activities on the horizon that will have an impact on this field.
Book
This book presents information on how to analyze risks to your networks and the steps needed to select and deploy the appropriate countermeasures to reduce your exposure to physical and network threats. It also imparts the skills and knowledge needed to identify and counter some fundamental security risks and requirements, including Internet security threats and measures (audit trails, IP sniffing/spoofing, etc.) and how to implement security policies and procedures. In addition, this book also covers security and network design with respect to particular vulnerabilities and threats. It also covers risk assessment and mitigation and auditing and testing of security systems. From this book, the reader will also learn about applying the standards and technologies required to build secure VPNs, configure client software and server operating systems, IPsec-enabled routers, firewalls and SSL clients. Chapter coverage includes identifying vulnerabilities and implementing appropriate countermeasures to prevent and mitigate threats to mission-critical processes. Techniques are explored for creating a business continuity plan (BCP) and the methodology for building an infrastructure that supports its effective implementation. A public key infrastructure (PKI) is an increasingly critical component for ensuring confidentiality, integrity and authentication in an enterprise. This comprehensive book will provide the essential knowledge and skills needed to select, design and deploy a PKI to secure existing and future applications. This book will include discussion of vulnerability scanners to detect security weaknesses and prevention techniques, as well as allowing access to key services while maintaining system security. Chapters contributed by leaders in the field cover the theory and practice of computer security technology, allowing the reader to develop a new level of technical expertise.
This book's comprehensive and up-to-date coverage of security issues facilitates learning and allows the reader to remain current and fully informed from multiple viewpoints. It presents methods of analysis and problem-solving techniques, enhancing the reader's grasp of the material and ability to implement practical solutions.
K. Durai and K. Priyadharsini, "A Survey on Security Properties and Web Application Scanner," International Journal of Computer Science and Mobile Computing, vol. 3, no. 10, pp. 517-527, 2014.
N. A. Acquaye, "Software vulnerability led to Ghana govt site hack," 2015. [Online]. Available: http://www.biztechafrica.com/article/softwarevulnerability-led-ghana-govt-site-hack/9583/. [Accessed 1 November 2016].
Ghanacelebrities.com, "Website of Registrar General's Department Hacked," 2014. [Online]. Available: http://www.ghanacelebrities.com/2015/12/15/website-ofregistrar-generals-department-hacked/. [Accessed 03