Vulnerabilities in UMBC’s Incident Management System

Cyrus Bonyadi and Enis Golaszewski
CSEE Department
UMBC

12:00 noon–1:00 pm
Friday, January 29, 2021
remotely via WebEx: umbc.webex.com/meet/sherman

A recording of the talk can be found here.

Abstract:

January 11–15, 2020, UMBC scholars in the CyberCorps: Scholarship for Service (SFS) and the DoD Cybersecurity Scholarship (CySP) programs collaboratively analyzed the security of UMBC’s Incident Management System (IMS). Students found numerous serious issues, including race conditions, code-injection and cross-site scripting attacks, improper API implementation, and denial-of-service attacks. We present findings, recommendations, and details of these vulnerabilities.

UMBC’s Incident Management System (IMS) is a web application under development by UMBC’s DoIT to supplement their RequestTracker (RT). IMS allows DoIT security staff to supplement the information in RT by linking IMS incidents to RT tickets. IMS incidents store additional information and files regarding existing and potential security campaigns. Using the information in IMS and RT, DoIT generates executive reports, which can influence decisions related to budget, training, and other security concerns. Our study is helping to improve the architecture and implementation of IMS.

Participants comprised BS, MS, MPS, and PhD students studying computer science, computer engineering, information systems, and cybersecurity, including SFS scholars who transferred from Montgomery College (MC) and Prince George’s Community College (PGCC) to complete their four-year degrees at UMBC.

About the Speakers:

Cyrus Jian Bonyadi is a PhD Student at UMBC working on distributed computing consensus theory. He is an alumnus of the varsity CyberDawgs team.
Email: cbonyad1@umbc.edu

Enis Golaszewski is a PhD Student at UMBC working on protocol analysis. He is a leading member of the Protocol Analysis Lab under Dr. Sherman.
Email: golaszewski@umbc.edu

Host:

Alan T. Sherman, sherman@umbc.edu


Support for this event was provided in part by the National Science Foundation under SFS grant DGE-1753681.