DocumentCode
2755343
Title
D-WAV: A Web Application Vulnerabilities Detection Tool Using Characteristics of Web Forms
Author
Zhang, Lijiu ; Gu, Qing ; Peng, Shushen ; Chen, Xiang ; Zhao, Haigang ; Chen, Daoxu
Author_Institution
Dept. of Comput. Sci. & Technol., Nanjing Univ., Nanjing, China
fYear
2010
fDate
22-27 Aug. 2010
Firstpage
501
Lastpage
507
Abstract
Finding effective approaches to detect vulnerabilities is important to guarantee the security of Web applications. Web application security issues are mostly related to malicious input data, and Web forms are the main interface through which such data enter an application. Based on this observation, we propose a novel approach to detect Web application vulnerabilities. In our approach, given a URL, we retrieve the target Web form. After analyzing the characteristics of this form, we assign a set of test values to each of its fields. We then propose a method to generate test suites that takes the weight of each test value into account. Finally, we execute these test suites and analyze the corresponding results based on the HTTP response code and the response HTML. We implement our approach in a tool called D-WAV and choose several Web applications as benchmarks for empirical studies. The results show that our approach can automatically and effectively discover Web application vulnerabilities such as cross-site scripting and SQL injection.
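The pipeline the abstract describes (form retrieval, per-field test values chosen from field characteristics, weight-aware test-suite generation, and analysis of the HTTP status code and response HTML) as an added, self-contained example. This is illustration code written for this page, not the D-WAV tool or any code from the paper. Everything in it is constructed: the sample form HTML stands in for the page fetched from the given URL, the two in-process handlers (`vulnerable_login`, `hardened_login`) stand in for the target Web application so the script runs offline, and the test values, their weights, and the "highest weight first, up to a per-field budget" suite-generation rule are assumptions, since the abstract does not state how weights are assigned or used.

```python
"""Added example, not the paper's D-WAV implementation: a small black-box form
scanner following the steps in the abstract, run against a constructed target."""
import html
import re
import sqlite3
from html.parser import HTMLParser

# Constructed sample form standing in for the page fetched from the target URL.
SAMPLE_FORM_HTML = """
<form action="/login" method="post">
  <input type="text" name="username" maxlength="32">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc123">
  <input type="submit" value="Login">
</form>
"""

# (category, value, weight). Assumed weighting scheme: a weight only decides
# which values are tried first within a per-field budget.
TEST_VALUES = [
    ("xss", "<script>alert(1)</script>", 3),
    ("xss", '"><svg onload=alert(1)>', 2),
    ("sqli", "' OR 1=1 --", 3),
    ("sqli", "'", 2),
    ("sqli", "' OR '1'='1", 1),
]
ERROR_RE = re.compile(r"(?i)\b(sql|database|syntax)\b")  # error-based SQLi hint


class FormParser(HTMLParser):
    """Collects the <input> fields of a form (submit buttons excluded)."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "text") not in ("submit", "button"):
            self.fields.append(a)


def parse_form(form_html):
    p = FormParser()
    p.feed(form_html)
    return p.fields


def baseline_data(fields):
    """Benign submission; hidden fields keep their server-supplied value."""
    return {f["name"]: f.get("value", "") if f.get("type") == "hidden" else "alice"
            for f in fields}


def assign_test_values(field):
    """Pick candidate values from the field's characteristics (type, maxlength)."""
    ftype = field.get("type", "text")
    if ftype == "hidden":
        return []  # leave anti-CSRF tokens and similar fields untouched
    cats = {"password": ("sqli",)}.get(ftype, ("xss", "sqli"))
    values = [tv for tv in TEST_VALUES if tv[0] in cats]
    if "maxlength" in field:  # a browser would truncate longer values anyway
        values = [tv for tv in values if len(tv[1]) <= int(field["maxlength"])]
    return values


def generate_test_suite(fields, budget=3):
    """One request per (field, value); the other fields stay benign so each
    finding is attributable to one field. Higher weight is tried first."""
    base = baseline_data(fields)
    suite = []
    for f in fields:
        ranked = sorted(assign_test_values(f), key=lambda tv: -tv[2])[:budget]
        for cat, val, _ in ranked:
            suite.append((f["name"], cat, dict(base, **{f["name"]: val})))
    return suite


def normalize(body, data):
    """Replace each submitted value (raw or HTML-escaped) with a placeholder so
    that pages which merely echo the input compare equal to the baseline."""
    for name, val in data.items():
        for form in (html.escape(val), val):
            body = body.replace(form, "{%s}" % name)
    return body


def analyze(field, cat, data, status, body, baseline_norm):
    findings = set()
    if cat == "xss" and data[field] in body:  # reflected without encoding
        findings.add((field, "xss"))
    if cat == "sqli":
        if status >= 500 or ERROR_RE.search(body):
            findings.add((field, "sqli-error"))
        elif normalize(body, data) != baseline_norm:  # application logic changed
            findings.add((field, "sqli-behavior"))
    return findings


def scan(form_html, target):
    fields = parse_form(form_html)
    base = baseline_data(fields)
    baseline_norm = normalize(target(base)[1], base)
    findings = set()
    for field, cat, data in generate_test_suite(fields):
        status, body = target(data)
        findings |= analyze(field, cat, data, status, body, baseline_norm)
    return sorted(findings)


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    return conn


def vulnerable_login(data):
    """Constructed target: string-built SQL and an unescaped echo of the username."""
    q = "SELECT name FROM users WHERE name='%s' AND pw='%s'" % (data["username"], data["password"])
    try:
        row = _db().execute(q).fetchone()
    except sqlite3.Error as e:
        return 500, "<h1>Database error</h1><pre>%s</pre>" % e
    return 200, "<p>%s %s</p>" % ("Welcome" if row else "Login failed for", data["username"])


def hardened_login(data):
    """Same handler with a parameterized query and HTML-escaped output."""
    row = _db().execute("SELECT name FROM users WHERE name=? AND pw=?",
                        (data["username"], data["password"])).fetchone()
    return 200, "<p>%s %s</p>" % ("Welcome" if row else "Login failed for",
                                   html.escape(data["username"]))


if __name__ == "__main__":
    print(scan(SAMPLE_FORM_HTML, vulnerable_login))  # XSS and SQLi findings
    print(scan(SAMPLE_FORM_HTML, hardened_login))    # no findings
```

Two design points worth noting. Each request mutates a single field, so a behaviour change can be attributed to that field; a suite that injects into several fields at once (which a pure weight-ranked Cartesian product would favour) would need a second pass to tell which payload caused the change. And the baseline comparison replaces both the raw and the HTML-escaped form of every submitted value before comparing, otherwise a page that simply echoes the input, encoded or not, would look like a behaviour change and the hardened handler would be reported as injectable.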
Keywords
Internet; SQL; hypermedia markup languages; security of data; D-WAV; HTML; HTTP response code; SQL; URL; Web application; Web form; Web security; Computer hacking; HTML; Testing; Unified modeling language; Web pages; Web server; SQL Injection; cross-site scripting; web application vulnerability detection;
fLanguage
English
Publisher
ieee
Conference_Titel
Software Engineering Advances (ICSEA), 2010 Fifth International Conference on
Conference_Location
Nice
Print_ISBN
978-1-4244-7788-3
Electronic_ISBN
978-0-7695-4144-0
Type
conf
DOI
10.1109/ICSEA.2010.85
Filename
5615484
Link To Document