DocumentCode :
2755343
Title :
D-WAV: A Web Application Vulnerabilities Detection Tool Using Characteristics of Web Forms
Author :
Zhang, Lijiu ; Gu, Qing ; Peng, Shushen ; Chen, Xiang ; Zhao, Haigang ; Chen, Daoxu
Author_Institution :
Dept. of Comput. Sci. & Technol., Nanjing Univ., Nanjing, China
fYear :
2010
fDate :
22-27 Aug. 2010
Firstpage :
501
Lastpage :
507
Abstract :
Finding effective approaches to detect vulnerabilities is important to guarantee the security of Web applications. Web application security issues are mostly related to malicious input data, and Web forms are the main interface for inputting these data. Based on this observation, we propose a novel approach to detect Web application vulnerabilities. In our approach, given a URL, we get a target Web form. After analyzing the characteristics of this Web form, we assign a set of test values to each field in the form. Then we propose a method to generate test suites that takes the weight of each test value into account. Finally, we execute these test suites and analyze the corresponding results based on the HTTP response code and response HTML. We implement our approach in a tool called D-WAV and choose several Web applications as benchmarks to conduct empirical studies. The final results show that our approach can automatically and effectively discover Web application vulnerabilities such as cross-site scripting and SQL injection.
Keywords :
Internet; SQL; hypermedia markup languages; security of data; D-WAV; HTML; HTTP response code; SQL; URL; Web application; Web form; Web security; Computer hacking; HTML; Testing; Unified modeling language; Web pages; Web server; SQL Injection; cross-site scripting; web application vulnerability detection;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Software Engineering Advances (ICSEA), 2010 Fifth International Conference on
Conference_Location :
Nice
Print_ISBN :
978-1-4244-7788-3
Electronic_ISBN :
978-0-7695-4144-0
Type :
conf
DOI :
10.1109/ICSEA.2010.85
Filename :
5615484