<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Analysis of the Possibilities of Unauthorized Access in Content Management Systems Using Attack Trees</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Artem Tetskyi</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Vyacheslav Kharchenko</string-name>
          <email>v.kharchenko@csn.khai.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Dmytro Uzun</string-name>
          <email>d.uzun@csn.khai.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>National Aerospace University “KhAI”</institution>
          ,
          <addr-line>Kharkiv</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <fpage>16</fpage>
      <lpage>25</lpage>
      <abstract>
        <p>The reasons for attacks on content management systems are considered. Frequent attack scenarios for obtaining unauthorized access are investigated. The method for assessing the probability of a successful attack on a content management system is proposed. Described method uses the attack tree, audit results, source code analysis results, and statistical data. Combinations of basic events for high probability of successful attack are defined. The differences of the proposed method from existing methods of security assessment are shown.</p>
      </abstract>
      <kwd-group>
        <kwd>attack</kwd>
        <kwd>content management system</kwd>
        <kwd>attack tree</kwd>
        <kwd>unauthorized access</kwd>
        <kwd>cyber security</kwd>
        <kwd>web applications</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>1.1</p>
    </sec>
    <sec id="sec-2">
      <title>Introduction</title>
      <sec id="sec-2-1">
        <title>Motivation</title>
        <p>
          Demand for modern organizations to provide information in order to increase sales or
provide services implies the creation of information resources on the Internet. Content
management systems are often used to create sites [
          <xref ref-type="bibr" rid="ref1">1</xref>
          ].
        </p>
        <p>
          Content management system (CMS) is software that allows to edit web pages and
to create websites based on them. Examples of such systems are Wordpress, Joomla
and others. Similar systems have found application in education, for example,
MOODLE – a management system for learning content. Such systems have become
widely known due to ease of use, the number of installations can be measured in
millions of copies. A particular feature of such systems is the modular architecture,
which makes it possible to manage the functionality of the site by installing the
necessary modules. A critical vulnerability in the module can endanger all sites that use this
module, so attackers can hack many of these sites in the same scenario [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ]. The
growing popularity of content management systems makes them an interesting target for
intruders. Among the features of using content management systems in the aspect of
information security are the following:
─ Regular updates of the kernel and system modules, in which previously discovered
vulnerabilities can be eliminated but it may contain new vulnerabilities.
─ Not all site administrators install updates. One of the reasons for this is the possible
incompatibility of the kernel and the new version of the module or the
incompatibility of the modules with each other.
─ A wide range of applications is due to the diverse functionality of the modules that
can be installed. Any developer can create his own module and make it available
for installation to the entire community. It is not known what vulnerabilities this
module can contain.
─ The use of content management systems in electronic business also attracts
intruders. Hacking an online store, an attacker gets access to information that he can sell
to a competing online store. Having cracked the online exchanger of electronic
money, an attacker can access the accounts of various payment systems and
transfer money to arbitrary accounts.
        </p>
        <p>
          Thus, content management systems provide a wide field for information security
activities [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ].
1.2
        </p>
      </sec>
      <sec id="sec-2-2">
        <title>Related Works Analysis</title>
        <p>
          To investigate attack scenarios of web applications, it is suggested to use attack tree
analysis. The method of analysis of trees (failures, attacks) is applied in such spheres
as aviation, nuclear industry, military industry, etc. In the field of information
technology, attack trees can be used to visualize possible ways of attacking various
components of a computer system. In [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ] the attack tree was used to analyze attacks in the
corporate network. The proposed method was based on system log files analysis. In
source [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ] attack-defense tree based security assessment method for vehicular ad hoc
network was described. The analysis of attack trees has found application in the
rapidly developing Internet-of-Things area. In the paper [
          <xref ref-type="bibr" rid="ref6">6</xref>
          ] an approach to characterizing
malicious and unintentional insider threats on the Internet-of-Things was presented.
An example of the attack tree was provided in [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ] to access the victim's email. In [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ]
security issues specific to web applications, possible causes of attacks and their
consequences were discussed. As the information was provided in text form, rather than
in graphic form, the visibility of such information was lower. The proposed approach
is to apply a known method of analysis to real-world scenarios of web application
attacks.
1.3
        </p>
      </sec>
      <sec id="sec-2-3">
        <title>Goal</title>
        <p>Understanding attack scenarios allows to apply the necessary methods for protecting a
web application. The results of the web audit give understanding of how much the
administrator takes care of the security of his account. Analyzing the source code,
unlike testing for black box penetration, allows to detect much more possible
vulnerabilities. Statistics provides information about how often specific attack scenarios have
been successful. Proceeding from the foregoing, the problem of determining the
probability of a successful attack P based on investigation of possible attack scenarios,
audit results, source code analysis and statistical data arises.</p>
        <p>P  f  s c e n a r io s , a u d it , s r c , s ta ts 
(1)
Based on research, a method for assessing the probability of the successful attack of a
particular site is developing. Conducting either an audit or a penetration testing can’t
answer this question, because penetration testing does not cover the problem of
noncompliance with security policies, and the audit does not cover the vulnerabilities of
the source code. Combining the results of these processes can give a more objective
assessment, because the attacks are covered, which can be successful not only
because of the exploitation of the vulnerabilities but also because of the violation of
security policies.
2</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>Investigation of Possible Attack Scenarios</title>
      <p>First, you need to determine the main event and investigate possible attack scenarios.</p>
      <p>The main event is a successful web application attack. A successful attack involves
gaining unauthorized access to functions that are only available to the administrator
from the control panel. The attack options are divided into groups and are presented
below:
─ attacks with password stealing;
─ attacks with the brute force of password;
─ attacks on vulnerabilities in the content management system.</p>
      <p>A fragment of the tree that displays the main event and three ways to achieve it is
shown in the Fig. 1.
The event "Find out the login and password of the current administrator" means
attacking with stealing or selecting a password, i.e. the attacker recognized the
administrator credentials. Events "Create new account with privileges" and "Authorization
Bypass" are based on the exploitation of vulnerabilities in the content management
system.</p>
      <p>Attacks with password stealing. The presence of critical vulnerabilities in the
content management system increases the likelihood of a successful attack, but in
some cases, attackers do not use these vulnerabilities. This is due to the fact that there
are several ways to find out the administrator's login and password. For example, an
attacker can spy on them while authorizing, being close to the administrator. They can
be read on a sticker that lies under the keyboard or is attached to the monitor. They
can be intercepted with an unencrypted connection or kidnapped from a mailbox.
Most of the above options can be implemented due to a low level of knowledge of the
user in the field of information security. To reduce the likelihood of successful use of
these scenarios, the requirements of the security policy that prohibit the storage of the
password in clear form on digital and non-digital media must be observed.</p>
      <p>Attacks with the brute force of a password. An important element of the security
policy is the complexity of the password, the prohibition of the use of dictionary
passwords, the need for periodic password changes, the prohibition of re-use of
passwords, the prohibition of the use of the same passwords on different sites. Attackers
can try to crack a password, the harder the password, the less likely the successful
cracking password. Using the same password on different sites can have negative
consequences – compromising the database of one site reveals the credentials of users
who may be the same on another site.</p>
      <p>A tree fragment that depicts how to compromise credentials is shown in Figure 2.
Attacks on vulnerabilities in the content management system. Defects of the
program code allow attackers to penetrate into those parts of the content management
system, which should be accessible only to the administrator. There are several
classes of vulnerabilities that allow performing administrative functions, among them the
following can be distinguished:
─ incorrect processing of access rights to objects;
─ enabling the remote file;
─ running arbitrary code.</p>
      <p>Some vulnerabilities can be part of a complex hacking scenario. For example, invalid
sanitization of input data allowed to change the logic of the query to the database,
there was a compromise of the login and hash of the password. The next step is to
crack a password for a known hash – this is another way to get the administrator
password.</p>
      <p>The content management system may contain vulnerabilities that allow to bypass
the authorization mechanism and to gain access to administrator functions. It is
difficult to distinguish common cases, so experts will need to assess the possibility of
existence of such vulnerabilities in the system under investigation. The tree fragment
for the "Authorization Bypass" event is shown in Figure 3.
Some vulnerabilities can allow to raise the level of a regular user to an administrator
or add a new administrator to the database directly. There are cases when an attacker
becomes aware of data to connect to the database (user name and password of the
database user). If it is possible to connect directly to the database or access to a
webbased database management interface is present, an attacker will be able to access the
database and make changes. The creation of a new administrator by an attacker is
shown in Figure 4.
Trees were chosen because of their representativeness and the ability to use
quantitative and qualitative values to determine the probabilities of basic events.</p>
      <p>It cannot be said that all possible scenarios were shown above, since some of them
can be partially combined, some are unique to specific content management systems.
The constructed tree does not take into account the possibility of using two-factor
authentication for access to the control panel. It is also assumed that there is no
protection against brute force of logins and passwords.
3</p>
    </sec>
    <sec id="sec-4">
      <title>Determining the Probability of Obtaining Unauthorized</title>
    </sec>
    <sec id="sec-5">
      <title>Access</title>
      <p>
        The next step is to parameterize the attack tree. The sources of the parameters are web
audit data, statistical data, and source code analysis results. To determine the
probability of each initial event, rules should be established, through which the results of
audit and penetration testing [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] are converted into parameters of the created tree.
Because there is no representative sample of the occurrence of events of attacks on
certain components of the system, and it is practically impossible to determine the
numerical values of probability, therefore it is proposed to use three levels for
assessment – low, medium, high. The probability of events combined by the AND
operation is determined by the minimum probability value, for the OR operation the
maximum value is selected, that is:
      </p>
      <p>P  A A N D B   m in  P  A  , P  B  
P  A O R B   m a x  P  A  , P  B  
Let’s consider the definition of probabilities of events associated with the stealing of
credentials. The first event is "Credentials are stolen from PC". A low level is
assigned by the expert, provided that the credentials are not stored on the computer (in
documents, in the browser, etc.). The middle level is assigned if the login and
password are stored in the file without the appropriate notations explaining the purpose of
these credentials. A high level is assigned when storing credentials in the browser, or
in documents explaining to which system these credentials belong.</p>
      <p>
        In the process of audit, it is need to check the complexity of the used passwords
and verify that commonly used logins are not being used. To assess the complexity of
the password, existing services can be used, for example, www.passwordmeter.com.
An example of password protection policies is shown in [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ].
      </p>
      <p>
        To determine the probability of events associated with the presence and possibility
of exploiting vulnerabilities in the system under consideration, an integrated approach
can be applied. It consists in that, first of all, the system should be checked for known
vulnerabilities. For some vulnerabilities, exploits can be found in open access. At the
next stage, penetration testing [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] can be performed using various tools [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. But the
best way [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] to find vulnerabilities in the code is to analyze the source code.
      </p>
      <p>Similar rules can be developed for each initial event.</p>
      <p>Define the parameter sets for the high probability of the occurrence of the main
event. As a result of the construction of the tree, there were 16 basic events at the
bottom level, from the probability of which the probability of occurrence of the main
event depends. In Table 1 high probability is denoted by the symbol "1", the symbol
"*" denotes values that do not affect the result of calculations. In some cases, the
probability of the main event is determined by the probability of only one basic event.
This is due to the fact that OR elements dominate in the constructed tree, in particular,
in the upper part of the tree.
lliititiitrrrsssaeaeeazauvpynbnoouhBA ifndnuoSCM liliitititrrsssaaeaezuvpynbnoouhBA ittilaenoopx ttiiltiliitirrrrssssaaa”aeeee“novnbudgRm ifreannduoSCM ttiilltiiitirrrrssssaaa”eaeee“onvunbdgRm iittlaeonpox ttiiltrrfrssceaaaaeceaeebonnondodnC noknw tttttrsceaccaaeaecadobnnonkA
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
C
P
m
o
r
f
n
e
l
o
t
s
e
r
a
s
l
a
i
t
n
e
d
e
r
C
1
*
*
*
*
1
*
*
*
*
1
*
*
*
*
1
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
* * * * 1 1 * * * * * * * * * * 1
* * * * * 1 1 1 * * * * * * * * 1
* * * * * * * * 1 1 * * * * * * 1
* * * * * * * * * * 1 1 * * * * 1
* * * * * * * * * * * * 1 1 * * 1
* * * * * * * * * * * * * 1 1 1</p>
      <p>Using the Table 1, combinations of events that are highly likely to lead to a
successful attack of the web application can be identified.</p>
      <p>
        For high, medium and low levels, membership functions based on statistics can be
described. Let's assume that with a low probability of 10 attacks, success was from 0
to 3 attacks inclusive, with a medium probability from 4 to 7 attacks were successful,
with a high probability 8 or more attacks were successful. Thus, it is possible to
define a linguistic variable [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] with the name x = " probability of successful attack".
The universal set is U = [
        <xref ref-type="bibr" rid="ref10">0,10</xref>
        ]; the term-set is T = {"low", "medium", "high"} with
such membership functions (u ε U):
 lo w  u  
      </p>
      <p>1</p>
      <p>
        Formulas 4-6 use a generalized bell-shaped function [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ], which is based on three
parameters. A graphical representation of the membership functions described above
is shown in Figure 5.
This approach allows to assess how easily unauthorized access to the administrator
functions of a particular web application can be obtained. A set of activities aimed at
researching the source code and compliance with security policies, allows to
determine the probabilities of the basic events of the constructed tree.
      </p>
      <p>
        The difference from the existing methods of assessing the security of a web
application, examples of which are given in [
        <xref ref-type="bibr" rid="ref16 ref17">16, 17</xref>
        ], is the following:
─ Binding to real attack scenarios. This gives maximum proximity to the actions of
an attacker when attacking a web application.
─ Use of audit results. This allows you to consider attack scenarios that are not
associated with the vulnerabilities of the target system.
─ Lack of binding to detected vulnerabilities. When assessing the probability of a
successful attack, known vulnerabilities (from bases such as NVD) are not taken
into account, but experts can take into account the number and criticality of
vulnerabilities in assessing the probabilities of basic events.
      </p>
      <p>The disadvantage of this approach is the cost of conducting web audit and researching
the source code.
4</p>
    </sec>
    <sec id="sec-6">
      <title>Conclusions and Future Work</title>
      <p>
        The aim of the research, which consists in investigating attack scenarios on the web
application and determining the probability of a successful attack, was achieved by
constructing and analyzing the attack tree. The research was based on the assumption
that only the most common attack scenarios [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ] are collected in the tree, and it is
impossible to predict all attack scenarios that can be exploited by intruders.
      </p>
      <p>The direction of further research is related to the identification of the most
dangerous attacks and the creation of a method for selecting countermeasures.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <surname>López</surname>
            ,
            <given-names>J. M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Pascual</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Masip</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Granollers</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cardet</surname>
            ,
            <given-names>X.</given-names>
          </string-name>
          :
          <article-title>Influence of web content management systems in web content accessibility</article-title>
          .
          <source>In IFIP Conference on HumanComputer Interaction</source>
          (pp.
          <fpage>548</fpage>
          -
          <lpage>551</lpage>
          ). Springer, Berlin, Heidelberg (
          <year>2011</year>
          ). doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>642</fpage>
          -23768-3_
          <fpage>79</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>Slider</given-names>
            <surname>Revolution Plugin Critical Vulnerability Being Exploited</surname>
          </string-name>
          , https://blog.sucuri.net/
          <year>2014</year>
          /09/slider-revolution
          <article-title>-plugin-critical-vulnerability-beingexploited</article-title>
          .html,
          <source>last accessed</source>
          <year>2018</year>
          /01/26.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Rehman</surname>
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nazir</surname>
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mustafa</surname>
            <given-names>K.</given-names>
          </string-name>
          :
          <article-title>Security of Web Application: State of the Art</article-title>
          . In: Kaushik S.,
          <string-name>
            <surname>Gupta</surname>
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kharb</surname>
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chahal</surname>
            <given-names>D</given-names>
          </string-name>
          . (eds) Information, Communication and
          <string-name>
            <given-names>Computing</given-names>
            <surname>Technology</surname>
          </string-name>
          .
          <source>ICICCT 2017. Communications in Computer and Information Science</source>
          , vol.
          <volume>750</volume>
          , pp.
          <fpage>168</fpage>
          -
          <lpage>180</lpage>
          . Springer, Singapore (
          <year>2017</year>
          ). doi:
          <volume>10</volume>
          .1007/
          <fpage>978</fpage>
          -981-10-6544- 6_
          <fpage>17</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Poolsapassit</surname>
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ray</surname>
            <given-names>I.</given-names>
          </string-name>
          :
          <article-title>Investigating Computer Attacks Using Attack Trees</article-title>
          . In: Craiger P.,
          <string-name>
            <surname>Shenoi</surname>
            <given-names>S</given-names>
          </string-name>
          . (eds)
          <article-title>Advances in Digital Forensics III</article-title>
          .
          <article-title>DigitalForensics 2007</article-title>
          . IFIP - The
          <source>International Federation for Information Processing</source>
          , vol.
          <volume>242</volume>
          , pp.
          <fpage>331</fpage>
          -
          <lpage>343</lpage>
          . Springer, New York, NY (
          <year>2007</year>
          ). doi:
          <volume>10</volume>
          .1007/978-0-
          <fpage>387</fpage>
          -73742-3_
          <fpage>23</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>Du</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zhu</surname>
          </string-name>
          , H.:
          <article-title>Security assessment via attack tree model</article-title>
          .
          <source>In Security Assessment in Vehicular Networks</source>
          (pp.
          <fpage>9</fpage>
          -
          <lpage>16</lpage>
          ). Springer, New York, NY (
          <year>2013</year>
          ). doi:
          <volume>10</volume>
          .1007/978-1-
          <fpage>4614</fpage>
          - 9357-
          <issue>0</issue>
          _
          <fpage>2</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Kammüller</surname>
            <given-names>F.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nurse</surname>
            <given-names>J.R.C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Probst</surname>
            <given-names>C.W.</given-names>
          </string-name>
          :
          <article-title>Attack Tree Analysis for Insider Threats on the IoT Using Isabelle</article-title>
          . In: Tryfonas T. (
          <article-title>eds) Human Aspects of Information Security, Privacy, and Trust</article-title>
          .
          <source>HAS 2016. Lecture Notes in Computer Science</source>
          , vol.
          <volume>9750</volume>
          , pp.
          <fpage>234</fpage>
          -
          <lpage>246</lpage>
          . Springer, Cham (
          <year>2016</year>
          ). doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>319</fpage>
          -39381-0_
          <fpage>21</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <surname>Nagaraju</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fiondella</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Wandji</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          :
          <article-title>A survey of fault and attack tree modeling and analysis for cyber risk management</article-title>
          .
          <source>In Technologies for Homeland Security (HST)</source>
          ,
          <source>2017 IEEE International Symposium on</source>
          (pp.
          <fpage>1</fpage>
          -
          <lpage>6</lpage>
          ). IEEE (
          <year>2017</year>
          ). doi:
          <volume>10</volume>
          .1109/THS.
          <year>2017</year>
          .7943455
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <surname>Lepofsky</surname>
            ,
            <given-names>R.:</given-names>
          </string-name>
          <article-title>The manager's guide to web application security: a concise guide to the weaker side of the web</article-title>
          .
          <source>Apress</source>
          (
          <year>2014</year>
          ). doi:
          <volume>10</volume>
          .1007/978-1-
          <fpage>4842</fpage>
          -0148-0
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <surname>Messier</surname>
            <given-names>R.</given-names>
          </string-name>
          : What Is Penetration Testing? In: Penetration Testing Basics (pp.
          <fpage>1</fpage>
          -
          <lpage>11</lpage>
          ). Apress, Berkeley, CA (
          <year>2016</year>
          ). doi:
          <volume>10</volume>
          .1007/978-1-
          <fpage>4842</fpage>
          -1857-0_
          <fpage>1</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10. Password Protection Policy, https://www.sans.org/securityresources/policies/general/pdf/password-protection-policy,
          <source>last accessed</source>
          <year>2018</year>
          /01/26.
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <surname>Shah</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mehtre</surname>
            ,
            <given-names>B. M.:</given-names>
          </string-name>
          <article-title>An overview of vulnerability assessment and penetration testing techniques</article-title>
          .
          <source>Journal of Computer Virology and Hacking Techniques</source>
          , vol.
          <volume>11</volume>
          (
          <issue>1</issue>
          ), pp.
          <fpage>27</fpage>
          -
          <lpage>49</lpage>
          (
          <year>2015</year>
          ). doi:
          <volume>10</volume>
          .1007/s11416-014-0231-x
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <surname>Awang</surname>
            <given-names>N.F.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Manaf</surname>
            <given-names>A.A.</given-names>
          </string-name>
          :
          <article-title>Detecting Vulnerabilities in Web Applications Using Automated Black Box and Manual Penetration Testing</article-title>
          . In:
          <string-name>
            <surname>Awad</surname>
            <given-names>A.I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hassanien</surname>
            <given-names>A.E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Baba</surname>
            <given-names>K</given-names>
          </string-name>
          . (eds)
          <article-title>Advances in Security of Information and Communication Networks</article-title>
          .
          <source>Communications in Computer and Information Science</source>
          , vol.
          <volume>381</volume>
          , pp.
          <fpage>230</fpage>
          -
          <lpage>239</lpage>
          . Springer, Berlin, Heidelberg (
          <year>2013</year>
          ). doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>642</fpage>
          -40597-6_
          <fpage>20</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Doupé</surname>
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cova</surname>
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vigna</surname>
            <given-names>G.: Why</given-names>
          </string-name>
          <string-name>
            <surname>Johnny Can't Pentest</surname>
          </string-name>
          :
          <article-title>An Analysis of Black-Box Web Vulnerability Scanners</article-title>
          . In: Kreibich C.,
          <string-name>
            <surname>Jahnke</surname>
            <given-names>M</given-names>
          </string-name>
          .
          <article-title>(eds) Detection of Intrusions and Malware, and Vulnerability Assessment</article-title>
          .
          <source>DIMVA 2010. Lecture Notes in Computer Science</source>
          , vol.
          <volume>6201</volume>
          , pp.
          <fpage>111</fpage>
          -
          <lpage>131</lpage>
          . Springer, Berlin, Heidelberg (
          <year>2010</year>
          ). doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>642</fpage>
          - 14215-
          <issue>4</issue>
          _
          <fpage>7</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <surname>Zadeh</surname>
            ,
            <given-names>L. A.</given-names>
          </string-name>
          :
          <article-title>The concept of a linguistic variable and its application to approximate reasoning-I. Information sciences</article-title>
          , vol.
          <volume>8</volume>
          (
          <issue>3</issue>
          ), pp.
          <fpage>199</fpage>
          -
          <lpage>249</lpage>
          (
          <year>1975</year>
          ). doi:
          <volume>10</volume>
          .1016/
          <fpage>0020</fpage>
          -
          <lpage>0255</lpage>
          (
          <issue>75</issue>
          )
          <fpage>90036</fpage>
          -
          <lpage>5</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>Zhao</surname>
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bose</surname>
            <given-names>B.K.</given-names>
          </string-name>
          :
          <article-title>Evaluation of membership functions for fuzzy logic controlled induction motor drive</article-title>
          .
          <source>In: Proceeding Annual Conference of the IEEE Industrial Electronics Society</source>
          , vol.
          <volume>1</volume>
          , pp.
          <fpage>229</fpage>
          -
          <lpage>234</lpage>
          (
          <year>2002</year>
          ). doi:
          <volume>10</volume>
          .1109/IECON.
          <year>2002</year>
          .1187512
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>Yu</surname>
            <given-names>X.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jiang</surname>
            <given-names>G.</given-names>
          </string-name>
          :
          <article-title>A Web Security Testing Method Based on Web Application Structure</article-title>
          . In: Huang Z.,
          <string-name>
            <surname>Sun</surname>
            <given-names>X.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Luo</surname>
            <given-names>J.</given-names>
          </string-name>
          ,
          <source>Wang J. (eds) Cloud Computing and Security. Lecture Notes in Computer Science</source>
          , vol.
          <volume>9483</volume>
          , pp.
          <fpage>244</fpage>
          -
          <lpage>258</lpage>
          . Springer, Cham (
          <year>2015</year>
          ). doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>319</fpage>
          -27051-7_
          <fpage>21</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Zech</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Felderer</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Breu</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          :
          <article-title>Knowledge-based security testing of web applications by logic programming</article-title>
          .
          <source>International Journal on Software Tools for Technology Transfer</source>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>26</lpage>
          . Springer, Berlin, Heidelberg (
          <year>2017</year>
          ).
          <source>doi:10.1007/s10009-017-0472-3</source>
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <surname>Most Common Attacks Affecting Today's Websites</surname>
          </string-name>
          , https://blog.sucuri.net/
          <year>2014</year>
          /11/mostcommon-attacks
          <article-title>-affecting-todays-websites</article-title>
          .html,
          <source>last accessed</source>
          <year>2018</year>
          /01/26.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>