Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns


Bibliographic Details
Main Authors: SHAR, Lwin Khin; TAN, Hee Beng Kuan
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2013
Subjects: Vulnerability prediction; Data mining; Web application vulnerability; Input sanitization; Static code attributes; Empirical study; Data Storage Systems; Software Engineering
Online Access: https://ink.library.smu.edu.sg/sis_research/4896
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/5899/viewcontent/Predicting___PV.pdf
Institution: Singapore Management University
Abstract

Context: SQL injection (SQLI) and cross site scripting (XSS) have been the two most common and serious web application vulnerabilities for the past decade. To mitigate these two security threats, many vulnerability detection approaches based on static and dynamic taint analysis techniques have been proposed. Alternatively, there are also vulnerability prediction approaches based on machine learning techniques, which showed that static code attributes such as code complexity measures are cheap and useful predictors. However, current prediction approaches target general vulnerabilities, and most of them locate vulnerable code only at the software component or file level. Some approaches also involve process attributes that are often difficult to measure.

Objective: This paper aims to provide an alternative or complementary solution to existing taint analyzers by proposing static code attributes that can be used to predict specific program statements, rather than software components, which are likely to be vulnerable to SQLI or XSS.

Method: From observations of the input sanitization code commonly implemented in web applications to avoid SQLI and XSS vulnerabilities, we propose a set of static code attributes that characterize such code patterns. We then build vulnerability prediction models from historical information that reflects the proposed static attributes and known vulnerability data, and use them to predict SQLI and XSS vulnerabilities.

Results: We developed a prototype tool called PhpMinerI for data collection and used it to evaluate our models on eight open source web applications. Our best model achieved an average of 93% recall and 11% false alarm rate in predicting SQLI vulnerabilities, and 78% recall and 6% false alarm rate in predicting XSS vulnerabilities.

Conclusion: The experiment results show that our proposed vulnerability predictors are useful and effective at predicting SQLI and XSS vulnerabilities.

Date: 2013-04-01
DOI: 10.1016/j.infsof.2013.04.002
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems