Predicting common web application vulnerabilities from input validation and sanitization code patterns

Authors:
Lwin Khin Shar;Hee Beng Kuan Tan
Affiliations:
Nanyang Technological University, Singapore;Nanyang Technological University, Singapore
Venue:
Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Year:
2012

Citing 11
Cited 2

Program slicing

ICSE '81 Proceedings of the 5th international conference on Software engineering
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Statistical Comparisons of Classifiers over Multiple Data Sets

The Journal of Machine Learning Research
Data Mining Static Code Attributes to Learn Defect Predictors

IEEE Transactions on Software Engineering
Static detection of security vulnerabilities in scripting languages

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
A Complexity Measure

IEEE Transactions on Software Engineering
Benchmarking Classification Models for Software Defect Prediction: A Proposed Framework and Novel Findings

IEEE Transactions on Software Engineering
Automatic generation of XSS and SQL injection attacks with goal-directed model checking

SS'08 Proceedings of the 17th conference on Security symposium
Automatic creation of SQL Injection and cross-site scripting attacks

ICSE '09 Proceedings of the 31st International Conference on Software Engineering
A systematic and comprehensive investigation of methods to build and evaluate fault prediction models

Journal of Systems and Software
Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities

Proceedings of the 34th International Conference on Software Engineering

Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis

Proceedings of the 2013 International Conference on Software Engineering
Automatic detection and correction of web application vulnerabilities using data mining to predict false positives

Proceedings of the 23rd international conference on World wide web

Quantified Score

Hi-index	0.00

Visualization

Abstract

Software defect prediction studies have shown that defect predictors built from static code attributes are useful and effective. On the other hand, to mitigate the threats posed by common web application vulnerabilities, many vulnerability detection approaches have been proposed. However, finding alternative solutions to address these risks remains an important research problem. As web applications generally adopt input validation and sanitization routines to prevent web security risks, in this paper, we propose a set of static code attributes that represent the characteristics of these routines for predicting the two most common web application vulnerabilities—SQL injection and cross site scripting. In our experiments, vulnerability predictors built from the proposed attributes detected more than 80% of the vulnerabilities in the test subjects at low false alarm rates.