DocumentCode :
2441213
Title :
Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities
Author :
Shar, Lwin Khin ; Tan, Hee Beng Kuan
Author_Institution :
Sch. of Electr. & Electron. Eng., Nanyang Technol. Univ., Singapore, Singapore
fYear :
2012
fDate :
2-9 June 2012
Firstpage :
1293
Lastpage :
1296
Abstract :
Static code attributes such as lines of code and cyclomatic complexity have been shown to be useful indicators of defects in software modules. As web applications adopt input sanitization routines to prevent web security risks, static code attributes that represent the characteristics of these routines may be useful for predicting web application vulnerabilities. In this paper, we classify various input sanitization methods into different types and propose a set of static code attributes that represent these types. Then we use data mining methods to predict SQL injection and cross site scripting vulnerabilities in web applications. Preliminary experiments show that our proposed attributes are important indicators of such vulnerabilities.
Keywords :
Internet; SQL; computational complexity; data mining; pattern classification; program compilers; SQL injection prediction; Web applications; Web security risks; cross site scripting vulnerabilities; cyclomatic complexity; input sanitization methods; mining input sanitization patterns; software modules; static code attributes; Complexity theory; Data mining; Data models; HTML; Predictive models; Security; Software; data mining; defect prediction; input sanitization; static code attributes; web security vulnerabilities;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Software Engineering (ICSE), 2012 34th International Conference on
Conference_Location :
Zurich
ISSN :
0270-5257
Print_ISBN :
978-1-4673-1066-6
Electronic_ISBN :
0270-5257
Type :
conf
DOI :
10.1109/ICSE.2012.6227096
Filename :
6227096