  • DocumentCode
    3571964
  • Title
    Predicting common web application vulnerabilities from input validation and sanitization code patterns
  • Author
    Lwin Khin Shar; Hee Beng Kuan Tan
  • Author_Institution
    Sch. of Electr. & Electron. Eng., Nanyang Technol. Univ., Singapore, Singapore
  • fYear
    2012
  • Firstpage
    310
  • Lastpage
    313
  • Abstract
    Software defect prediction studies have shown that defect predictors built from static code attributes are useful and effective. On the other hand, to mitigate the threats posed by common web application vulnerabilities, many vulnerability detection approaches have been proposed. However, finding alternative solutions to address these risks remains an important research problem. As web applications generally adopt input validation and sanitization routines to prevent web security risks, in this paper, we propose a set of static code attributes that represent the characteristics of these routines for predicting the two most common web application vulnerabilities: SQL injection and cross-site scripting. In our experiments, vulnerability predictors built from the proposed attributes detected more than 80% of the vulnerabilities in the test subjects at low false alarm rates.
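    The abstract describes building a predictor from static attributes that characterise the validation and sanitization code around a sink, then scoring it by detection rate and false alarm rate. The following is an added illustration of that idea, written for this record; it is not the attribute set, the classifier or the test subjects from the paper. It assumes PHP-like source as input (the sanitizer and sink names are real PHP APIs, but treating this handful as "the" patterns is a simplification), uses a hand-written rule in place of a trained predictor, and runs on a few constructed snippets with assumed ground-truth labels. The last two snippets are deliberately chosen so the rule produces one false alarm and one missed vulnerability, which shows why counts of code patterns without data-flow information are an approximation.

```python
"""Illustrative static-attribute extraction for validation/sanitization patterns.

Added example, not code from the paper. Input language (PHP-like), attribute
set, the stand-in predictor and the sample labels are all assumptions.
"""
import re
from dataclasses import dataclass

# Code patterns the attributes count. Function names are real PHP APIs; the
# choice of which ones count as sanitizers is an assumption of this example.
CLIENT_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
SQL_SINK = re.compile(r"\b(mysql_query|mysqli_query|pg_query)\s*\(|->(query|execute)\s*\(")
HTML_SINK = re.compile(r"\b(echo|print)\b")
SQL_ESCAPE = re.compile(r"\b(mysqli?_real_escape_string|addslashes)\s*\(")
HTML_ESCAPE = re.compile(r"\b(htmlspecialchars|htmlentities|strip_tags)\s*\(")
NUMERIC = re.compile(r"\bintval\s*\(|\(int\)|\bis_numeric\s*\(")
REGEX_CHECK = re.compile(r"\bpreg_match\s*\(")
PREPARED = re.compile(r"->prepare\s*\(|\bbind_param\s*\(")


@dataclass(frozen=True)
class Attributes:
    """Static attributes of one snippet that ends in a sink statement."""
    sink: str            # "sql", "html" or "none"
    client_input: bool   # does the snippet read a client-controlled superglobal?
    n_sql_escape: int    # SQL-escaping calls
    n_html_escape: int   # HTML-escaping calls
    n_numeric: int       # numeric casts / checks
    n_regex: int         # regex validation calls
    n_prepared: int      # prepared-statement API calls


def extract(snippet: str) -> Attributes:
    """Derive the attribute vector for one snippet by pattern counting."""
    if SQL_SINK.search(snippet):
        sink = "sql"
    elif HTML_SINK.search(snippet):
        sink = "html"
    else:
        sink = "none"
    return Attributes(
        sink=sink,
        client_input=bool(CLIENT_INPUT.search(snippet)),
        n_sql_escape=len(SQL_ESCAPE.findall(snippet)),
        n_html_escape=len(HTML_ESCAPE.findall(snippet)),
        n_numeric=len(NUMERIC.findall(snippet)),
        n_regex=len(REGEX_CHECK.findall(snippet)),
        n_prepared=len(PREPARED.findall(snippet)),
    )


def predict(a: Attributes) -> bool:
    """Stand-in for a trained predictor: a hand-written rule over the attributes.

    SQL escaping is not an XSS defence, so for an HTML sink only HTML-aware
    patterns (or a numeric/regex restriction of the value) count as mitigation.
    """
    if not a.client_input or a.sink == "none":
        return False
    if a.sink == "sql":
        return not (a.n_sql_escape or a.n_numeric or a.n_regex or a.n_prepared)
    return not (a.n_html_escape or a.n_numeric or a.n_regex)


# Constructed snippets with assumed labels (True = vulnerable). Not from the paper.
SAMPLES = [
    ('$id = $_GET["id"];\n$r = mysql_query("SELECT * FROM t WHERE id=$id");', True),
    ('$id = intval($_GET["id"]);\n$r = mysql_query("SELECT * FROM t WHERE id=$id");', False),
    ('$n = mysql_real_escape_string($_POST["name"]);\n$r = mysql_query("SELECT * FROM u WHERE n=$n");', False),
    ('$n = $_POST["name"];\necho "Hello $n";', True),
    ('$n = htmlspecialchars($_POST["name"]);\necho "Hello $n";', False),
    # SQL escaping before an HTML sink: no HTML-aware pattern, still XSS
    ('$n = mysql_real_escape_string($_POST["name"]);\necho "Hello $n";', True),
    ('if (!preg_match("/^[a-z]+$/", $_GET["u"])) die();\n$u = $_GET["u"];\necho $u;', False),
    ('$r = mysql_query("SELECT * FROM t WHERE id=1");', False),
    ('$s = $db->prepare("SELECT * FROM t WHERE id=?");\n$s->bind_param("i", $_GET["id"]);\n$s->execute();', False),
    # false-alarm trap: client input is read but never reaches the query
    ('$x = $_GET["x"];\n$r = mysql_query("SELECT COUNT(*) FROM t");', False),
    # missed-detection trap: one input is cast, a second one is not
    ('$a = intval($_GET["a"]);\n$b = $_GET["b"];\n$r = mysql_query("SELECT * FROM t WHERE a=$a AND b=$b");', True),
]


def evaluate(samples):
    """Confusion counts plus the two rates the abstract quotes."""
    tp = fp = fn = tn = 0
    for snippet, is_vuln in samples:
        p = predict(extract(snippet))
        if p and is_vuln:
            tp += 1
        elif p and not is_vuln:
            fp += 1
        elif not p and is_vuln:
            fn += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "detection": tp / (tp + fn),      # recall: fraction of vulnerabilities found
        "false_alarm": fp / (fp + tn),    # fraction of safe sinks flagged
    }


if __name__ == "__main__":
    for snippet, _ in SAMPLES:
        print(extract(snippet), "->", predict(extract(snippet)))
    print(evaluate(SAMPLES))
```

    On the constructed set the rule finds 3 of 4 vulnerable sinks (detection 0.75) and raises 1 false alarm among 7 safe ones (false alarm rate 1/7). The two traps at the end are the point: attribute counting sees that a numeric cast exists but not which variable it guards, and sees that client input was read but not whether it reaches the sink, which is exactly the precision that a learned predictor trades away for speed and simplicity compared with taint-based detection.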
  • Keywords
    Internet; security of data; SQL injection vulnerability; Web application vulnerability prediction; Web security risk; cross-site scripting vulnerability; false alarm rate; input validation routine; sanitization code pattern; sanitization routine; software defect prediction; static code attribute; vulnerability detection approach; defect prediction; empirical study; input validation and sanitization; static code attributes; web application vulnerabilities
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Title
    Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (ASE 2012)
  • Print_ISBN
    978-1-4503-1204-2
  • Type
    conf
  • DOI
    10.1145/2351676.2351733
  • Filename
    6494943