Securing a Grant Proposal Workflow Management System

Faculty Mentor Information

Dianxiang Xu

Abstract

GPMS (Grant Proposal Management System) is a workflow application developed to exercise newer technologies such as ABAC (Attribute-Based Access Control) and XACML (eXtensible Access Control Markup Language). Although the application was designed with secure authorization rules, testing found it susceptible to a number of attacks, carried out with techniques such as XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery). These attacks lead to violations of security requirements such as unauthorized access and denial of service. This paper presents methods for preventing such attacks: whitelisting/blacklisting with regular expressions, back-end validation on the server, front-end validation on the client side, reCAPTCHA (a Completely Automated Public Turing test to tell Computers and Humans Apart) to block automated attacks, and HTTPS (Hypertext Transfer Protocol Secure) to encrypt data in transit between client and server.
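The abstract names whitelisting/blacklisting with regular expressions and server-side validation as the defenses against XSS, and CSRF as one of the attacks found. The following Python module is an added example written for this page, not GPMS code: it shows a whitelist validator beside a blacklist of the kind that is easy to bypass, output encoding for display, and a synchronizer-token check for CSRF (a standard defense the abstract does not itself name). The field names, patterns and sample inputs are constructed for illustration and are not GPMS's real form schema.

```python
# Added example (not GPMS code): whitelist vs blacklist input validation with
# regular expressions, output encoding against XSS, and a synchronizer-token
# CSRF check. Field names, formats and sample inputs are constructed for
# illustration and are not taken from GPMS.
import html
import hmac
import re
import secrets

# Whitelist: state what a valid value looks like; anything else is rejected.
# The field set and formats are assumptions, not GPMS's real form schema.
WHITELIST = {
    "title": re.compile(r"[A-Za-z0-9 ,.:;()'\-]{1,200}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "amount": re.compile(r"[0-9]{1,9}(\.[0-9]{2})?"),
}

# Blacklist: enumerates known-bad input. Shown for contrast; it only catches
# the literal token it names.
BLACKLIST = re.compile(r"<script>")


def blacklist_ok(value: str) -> bool:
    """True if the blacklist finds nothing; this does NOT mean the value is safe."""
    return BLACKLIST.search(value) is None


def whitelist_ok(field: str, value: str) -> bool:
    """True only if the whole value matches the field's allowed pattern."""
    pattern = WHITELIST.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None


def validate_proposal(form: dict) -> dict:
    """Server-side validation of a submitted form.

    Returns a mapping of field name -> reason for every rejected field;
    an empty dict means the submission passed. Unknown fields are rejected
    so a client cannot smuggle in parameters the server never expected.
    """
    errors = {}
    for field in WHITELIST:
        if field not in form:
            errors[field] = "missing"
        elif not isinstance(form[field], str) or not whitelist_ok(field, form[field]):
            errors[field] = "invalid"
    for field in form:
        if field not in WHITELIST:
            errors[field] = "unexpected"
    return errors


def render_field(value: str) -> str:
    """Encode a stored value for insertion into HTML element content or a
    quoted attribute, so user input is displayed as text, never as markup."""
    return html.escape(value, quote=True)


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the user's session and return it for
    embedding in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session: dict, submitted) -> bool:
    """Accept a state-changing request only if the submitted token equals the
    one bound to the session; the constant-time compare avoids timing leaks."""
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    # Constructed inputs: one benign title, two XSS-style payloads.
    benign = "Machine Learning for Grant Review (Phase 2)"
    payload_img = "<img src=x onerror=alert(1)>"
    payload_case = "<ScRiPt>alert(1)</ScRiPt>"

    print("blacklist passes img payload:", blacklist_ok(payload_img))      # True
    print("blacklist passes mixed-case:", blacklist_ok(payload_case))     # True
    print("whitelist rejects both:", not whitelist_ok("title", payload_img)
          and not whitelist_ok("title", payload_case))                    # True
    print("whitelist accepts benign:", whitelist_ok("title", benign))      # True

    form = {"title": payload_img, "email": "pi@example.edu", "amount": "125000.00"}
    print("validation errors:", validate_proposal(form))                  # {'title': 'invalid'}
    print("encoded for display:", render_field(payload_img))

    session = {}
    token = issue_csrf_token(session)
    print("csrf valid:", verify_csrf(session, token))                     # True
    print("csrf forged:", verify_csrf(session, "guess"))                  # False
```

The contrast to take from the two validators: the blacklist lets through both an `onerror` handler and a mixed-case `<ScRiPt>` tag because neither contains the literal string it looks for, while the whitelist rejects them simply because `<` and `>` are not in the allowed set. Client-side validation with the same patterns improves the user experience, but only the server-side check can be trusted, since an attacker can bypass the browser entirely.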
