| fullrecord |
[{"key": "dc.contributor.advisor", "value": "Frantti, Tapio", "language": null, "element": "contributor", "qualifier": "advisor", "schema": "dc"}, {"key": "dc.contributor.author", "value": "Ruohoniemi, Miikka", "language": null, "element": "contributor", "qualifier": "author", "schema": "dc"}, {"key": "dc.date.accessioned", "value": "2025-06-11T11:17:46Z", "language": null, "element": "date", "qualifier": "accessioned", "schema": "dc"}, {"key": "dc.date.available", "value": "2025-06-11T11:17:46Z", "language": null, "element": "date", "qualifier": "available", "schema": "dc"}, {"key": "dc.date.issued", "value": "2025", "language": null, "element": "date", "qualifier": "issued", "schema": "dc"}, {"key": "dc.identifier.uri", "value": "https://jyx.jyu.fi/handle/123456789/103412", "language": null, "element": "identifier", "qualifier": "uri", "schema": "dc"}, {"key": "dc.description.abstract", "value": "The identification of vulnerabilities is increasingly being automated as much as possible. While this can help detect vulnerabilities more comprehensively, it may also give users a false sense of security and expose them to cyber threats. This thesis explores whether users can identify vulnerabilities in web applications without the use of automated tools. The study first examined how vulnerabilities are typically assessed, followed by an analysis of the most common web application vulnerabilities based on the OWASP Top 10 categories and the MITRE Top 25 Most Dangerous Software Weaknesses list.\n\nNext, methods for detecting vulnerabilities without automated tools were identified from previous literature, and based on these, a criteria-based artifact was developed. The criteria were validated through usability testing conducted in three iterations: first by the author of the study, then by one external tester, and finally by four testers in the last iteration. During the validation phase, vulnerabilities were successfully identified in four OWASP Top 10 categories using the criteria. These categories included cryptographic failures, injection, insecure design, and identification and authentication failures.\n\nAlthough the criteria enabled the identification of some vulnerabilities in the tested web applications, it was not particularly user-friendly or easy to understand during the course of this study. For this reason, the criteria were significantly revised based on feedback from the final testers and would require further testing to confirm whether the criteria meet the defined goals and requirements. Nevertheless, this study succeeded in creating a set of criteria that allows to identify some of the most common web application vulnerabilities without the use of automated tools.", "language": "en", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.abstract", "value": "Haavoittuvuuksien tunnistamista yritet\u00e4\u00e4n nyky\u00e4\u00e4n automatisoida mahdollisimman paljon. T\u00e4m\u00e4 voi auttaa tunnistamaan laajemmin haavoittuvuuksia, mutta se voi my\u00f6s antaa k\u00e4ytt\u00e4j\u00e4lle liiallisen turvallisuuden tunteen ja altistaa kyberuhille. T\u00e4ss\u00e4 tutkielmassa selvitet\u00e4\u00e4n voiko k\u00e4ytt\u00e4j\u00e4 tunnistaa haavoittuvuuksia verkkosovelluksista ilman automaattisia ty\u00f6kaluja. Tutkielmassa selvitettiin ensin, miten haavoittuvuuksia arvioidaan ja sen j\u00e4lkeen selvitettiin yleisimm\u00e4t verkkosovellusten haavoittuvuudet OWASP Top 10 haavoittuvuusluokkien sek\u00e4 MITRE:n 25 vaarallisinta heikkoutta -listan perusteella. \n\nSeuraavana etsittiin aiemmasta kirjallisuudesta menetelmi\u00e4 haavoittuvuuksien havaitsemiseksi ilman automaattisia ty\u00f6kaluja ja luotiin niiden perusteella artefaktina kriteerist\u00f6. Kriteerist\u00f6\u00e4 validoitiin k\u00e4ytett\u00e4vyystestauksen avulla kolmessa iteraatiossa. Ensin tutkimuksen tekij\u00e4n testaamana, seuraavaksi yhden tutkimuksen ulkopuolisen testaajan testattavana ja lopuksi viel\u00e4 nelj\u00e4ll\u00e4 testaajalla viimeisess\u00e4 iteraatiossa. Validoinnin aikana kriteerist\u00f6n avulla onnistuttiin tunnistamaan haavoittuvuuksia nelj\u00e4st\u00e4 OWASP Top 10:n haavoittuvuusluokasta. N\u00e4it\u00e4 haavoittuvuusluokkia olivat salausvirheet, injektiot, puutteellinen suunnittelu ja tunnistautumis- ja todennusvirheet.\n\nVaikka kriteerist\u00f6n avulla onnistuttiin l\u00f6yt\u00e4m\u00e4\u00e4n joitakin haavoittuvuuksia testatuilta verkkosovelluksilta, se ei ollut viel\u00e4 kovinkaan k\u00e4ytett\u00e4v\u00e4 ja ymm\u00e4rrett\u00e4v\u00e4 t\u00e4m\u00e4n tutkimuksen aikana. T\u00e4st\u00e4 syyst\u00e4 kriteerist\u00f6\u00e4 muokattiin reilusti viimeisten testausten palautteiden osalta ja vaatisi viel\u00e4 lis\u00e4\u00e4 testausta, jotta voitaisiin todentaa kriteerist\u00f6n t\u00e4ytt\u00e4v\u00e4n sille m\u00e4\u00e4ritellyt tavoitteet ja kriteerit. Kuitenkin t\u00e4m\u00e4n tutkimuksen aikana saatiin luotua kriteerist\u00f6, jonka avulla on mahdollista tunnistaa joitain yleisimpi\u00e4 haavoittuvuuksia verkkosovelluksista ilman automaattisia ty\u00f6kaluja.", "language": "fi", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Submitted by jyx lomake-julkaisija (jyx-julkaisija.group@korppi.jyu.fi) on 2025-06-11T11:17:46Z\nNo. of bitstreams: 0", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Made available in DSpace on 2025-06-11T11:17:46Z (GMT). No. of bitstreams: 0", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.format.extent", "value": "92", "language": null, "element": "format", "qualifier": "extent", "schema": "dc"}, {"key": "dc.format.mimetype", "value": "application/pdf", "language": null, "element": "format", "qualifier": "mimetype", "schema": "dc"}, {"key": "dc.language.iso", "value": "fin", "language": null, "element": "language", "qualifier": "iso", "schema": "dc"}, {"key": "dc.rights", "value": "CC BY 4.0", "language": null, "element": "rights", "qualifier": null, "schema": "dc"}, {"key": "dc.title", "value": "Verkkosovellusten haavoittuvuuksien tunnistaminen k\u00e4yt\u00f6n aikana", "language": null, "element": "title", "qualifier": null, "schema": "dc"}, {"key": "dc.type", "value": "master thesis", "language": null, "element": "type", "qualifier": null, "schema": "dc"}, {"key": "dc.identifier.urn", "value": "URN:NBN:fi:jyu-202506115211", "language": null, "element": "identifier", "qualifier": "urn", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Informaatioteknologian tiedekunta", "language": "fi", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Faculty of Information Technology", "language": "en", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "Jyv\u00e4skyl\u00e4n yliopisto", "language": "fi", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "University of Jyv\u00e4skyl\u00e4", "language": "en", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Ohjelmistokehityksen opintosuunta", "language": "fi", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Specialisation in Software Development", "language": "en", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "dc.type.coar", "value": "http://purl.org/coar/resource_type/c_bdcc", "language": null, "element": "type", "qualifier": "coar", "schema": "dc"}, {"key": "dc.rights.copyright", "value": "\u00a9 The Author(s)", "language": null, "element": "rights", "qualifier": "copyright", "schema": "dc"}, {"key": "dc.rights.accesslevel", "value": "openAccess", "language": null, "element": "rights", "qualifier": "accesslevel", "schema": "dc"}, {"key": "dc.type.publication", "value": "masterThesis", "language": null, "element": "type", "qualifier": "publication", "schema": "dc"}, {"key": "dc.format.content", "value": "fulltext", "language": null, "element": "format", "qualifier": "content", "schema": "dc"}, {"key": "dc.rights.url", "value": "https://creativecommons.org/licenses/by/4.0/", "language": null, "element": "rights", "qualifier": "url", "schema": "dc"}, {"key": "dc.description.accessibilityfeature", "value": "ei tietoa saavutettavuudesta", "language": "fi", "element": "description", "qualifier": "accessibilityfeature", "schema": "dc"}, {"key": "dc.description.accessibilityfeature", "value": "unknown accessibility", "language": "en", "element": "description", "qualifier": "accessibilityfeature", "schema": "dc"}]
|