Securing a Grant Proposal Workflow Management System
Faculty Mentor Information
Dianxiang Xu
Abstract
GPMS (Grant Proposal Management System) is a workflow application developed to make use of newer technologies such as ABAC (Attribute-Based Access Control) and XACML (eXtensible Access Control Markup Language). Although the application was designed with secure authorization rules, testing showed it to be susceptible to many malicious attacks. These attacks use techniques such as XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery), and they lead to violations of security requirements such as unauthorized access and denial of service. This paper presents several methods for preventing such attacks: whitelisting and blacklisting of input with regular expressions, back-end validation on the server, front-end validation on the client side, reCAPTCHA (a CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart) to block automated attacks, and HTTPS (Hypertext Transfer Protocol Secure) encryption to protect data in transit between client and server.