Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

Published: 08 October 2021

Abstract

Most existing surveys and reviews on web application vulnerability detection (WAVD) approaches focus on comparing and summarizing the approaches’ technical details. Although some studies have analyzed the efficiency and effectiveness of specific methods, there is no comprehensive and systematic analysis of the efficiency and effectiveness of WAVD approaches as a whole. We conducted a systematic literature review (SLR) of WAVD approaches and analyzed their efficiency and effectiveness. We identified 105 primary studies out of 775 WAVD articles published between January 2008 and June 2019. Our study identified 10 categories of artifacts analyzed by the WAVD approaches and 8 categories of WAVD meta-approaches for analyzing those artifacts. Our study also summarized and compared the effectiveness and efficiency of different WAVD approaches in detecting specific categories of web application vulnerabilities, and identified which web applications and test suites are used to evaluate the WAVD approaches. To our knowledge, this is the first SLR that focuses on summarizing the effectiveness and efficiency of WAVD approaches. Our results can help security engineers choose and compare WAVD tools and help researchers identify research gaps.

  132. Nency Patel and N. Shekokar. 2015. Implementation of pattern matching algorithm to defend sqlia. Procedia Comput. Sci. 45 (2015), 453–459.Google ScholarGoogle ScholarCross RefCross Ref
  133. Caitlin Sadowskiet al. 2015. Tricorder: Building a program analysis ecosystem. In Proceedings of the IEEE/ACM 37th IEEE International Conference on Software Engineering. 598–608.Google ScholarGoogle Scholar
  134. Brittany Johnson, Y. Song, E. Murphy-Hill, and R. Bowdidge. 2013. Why don’t software developers use static analysis tools to find bugs? In Proceedings of the 35th International Conference on Software Engineering (ICSE). 672–681.Google ScholarGoogle Scholar
  135. S. Ali, S. K. Shahzad, and H. Javed. 2009. SQLIPA: An authentication mechanism against SQL injection. Eur. J. Sci. Res. 38 (2009), 604–611.Google ScholarGoogle Scholar
  136. Anyi Liu, Y. Yuan, D. Wijesekera, and A. Stavrou. 2009. SQLProb. In Proceedings of the ACM Symposium on Applied Computing. 2054–2061.Google ScholarGoogle Scholar
  137. M. Junjin. 2009. An approach for SQL injection vulnerability detection. In Proceedings of the 6th International Conference on Information Technology: New Generations. 1411–1414.Google ScholarGoogle ScholarDigital LibraryDigital Library
  138. Philipp Zech, M. Felderer, and R. Breu. 2017. Knowledge-based security testing of web applications by logic programming. Int. J. Softw. Tools Technol. Trans. 21, 2 (2019), 221–246.Google ScholarGoogle ScholarDigital LibraryDigital Library
  139. Muhammad N. Khalid, H. Farooq, M. Iqbal, M. T. Alam, and K. Rasheed. 2019. Predicting web vulnerabilities in web applications based on machine learning. Commun. Comput. Inf. Sci. 932 (2019), 473–484.Google ScholarGoogle Scholar
  140. Iberia Medeiros, M. Beatriz, N. Neves, and M. Correia. 2019. SEPTIC: Detecting injection attacks and vulnerabilities inside the dbms. IEEE Trans. Reliab. 68, 3 (2019), 1168–1188.Google ScholarGoogle ScholarCross RefCross Ref
  141. D. Ying, Z. Yuqing, M. Hua, W. Qianru, L. Qixu, W. Kai, and W. Wenjie. 2018. An adaptive system for detecting malicious queries in web attacks. Sci. China Inf. Sci. 61, 3 (2018).Google ScholarGoogle Scholar
  142. Julian Thome, L. K. Shar, D. Bianculli, and L. Briand. 2018. An integrated approach for effective injection vulnerability analysis of web applications through security slicing and hybrid constraint solving. IEEE Trans. Softw, Eng. 46, 2 (2018), 163–195.Google ScholarGoogle ScholarCross RefCross Ref
  143. Shashank Gupta and B. B. Gupta. 2018. XSS-secure as a service for the platforms of online social network-based multimedia web applications in cloud. Multimedia Tools Applic. 77 (2018), 4829–4861.Google ScholarGoogle ScholarCross RefCross Ref
  144. Vaibhav Patil, P. Thakkar, C. Shah, T. Bhat, and S. P. Godse. 2018. Detection and prevention of phishing websites using machine learning approach. In Proceedings of the 4th International Conference on Computing Communication Control and Automation (ICCUBEA). 1–5.Google ScholarGoogle Scholar
  145. Aditya Kurniawan, B. S. Abbas, A. Trisetyarso, and S. M. Isa. 2018. Static taint analysis traversal with object oriented component for web file injection vulnerability pattern detection. Procedia Comput. Sci. 135 (2018), 596–605.Google ScholarGoogle ScholarCross RefCross Ref
  146. Mukesh K. Gupta, M. C. Govil, and G. Singh. 2018. Text-mining and pattern-matching based prediction models for detecting vulnerable files in web applications. Journal of Web Engineering. 171&2 (2018), 28–44.Google ScholarGoogle Scholar
  147. S. Anil, S. G. Manoj, L. Vijay, and C. Mauro. 2019. You click, I steal: Analyzing and detecting click hijacking attacks in web pages. Int. J. Inf. Secur. 18 (2019), 481–504.Google ScholarGoogle ScholarDigital LibraryDigital Library
  148. P. Li, L. Liu, J. Xu, H. Yang, L. Yuan, C. Guo, and X. Ji. 2017. Application of hidden Markov model in SQL injection detection. In Proceedings of the IEEE 41st Computer Software and Applications Conference (COMPSAC). 578–583.Google ScholarGoogle Scholar
  149. Debabrata Kar, S. Panigrahi, and Sundararajan Srikanth. 2016. SQLiDDS: SQL injection detection using document similarity measure. J. Comput. Secur. 24, 4 (2016), 507–539.Google ScholarGoogle ScholarCross RefCross Ref
  150. Giovanni Agosta, A. Barenghi, A. Parata, and G. Pelosi. 2012. Automated security analysis of dynamic web applications through symbolic code execution. In Proceedings of the 9th International Conference on Information Technology: New Generations. 189–194.Google ScholarGoogle Scholar
  151. Y. Zhong, H. Asakura, H. Takakura, and Y. Oshima. 2015. Detecting malicious inputs of web application parameters using character class sequences. In Proceedings of the IEEE 39th Computer Software and Applications Conference. 525–532.Google ScholarGoogle Scholar
  152. Hossain Shahriar, V. K. Devendran, and H. Haddad. 2013. Proclick. In Proceedings of the 6th International Conference on Security of Information and Networks. 144–151.Google ScholarGoogle Scholar
  153. M. Ceccato, C. D. Nguyen, D. Appelt, and L. C. Briand. 2016. SOFIA: An automated security oracle for black-box testing of SQL-injection vulnerabilities. In Proceedings of the 6th International Conference on Security of Information and Networks. 167–177.Google ScholarGoogle Scholar
  154. Shashank Gupta and B. B. Gupta. 2015. XSS-safe: A server-side approach to detect and mitigate cross-site scripting (XSS) attacks in JavaScript code. Arab J. Sci. Eng. 41, 3 (2015), 897–920.Google ScholarGoogle ScholarCross RefCross Ref
  155. Z. Long. 2019. ART4SQLi: The art of SQL injection vulnerability discovery. IEEE Trans. Reliab. 68 (2019), 1470–1489.Google ScholarGoogle ScholarCross RefCross Ref
  156. T. Hall, S. Beecham, D. Bowes, et al. 2012. A systematic literature review on fault prediction performance in software engineering. IEEE Trans. Softw. Eng. 38, 6 (2011), 1276–1304.Google ScholarGoogle ScholarDigital LibraryDigital Library
  157. S. Bertrand and E. Fong. 2016. Large scale generation of complex and faulty PHP test cases. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation. 409–415.Google ScholarGoogle Scholar
  158. Fang Yu, M. Alkhalaf, and T. Bultan. 2010. Stranger: An automata-based string analysis tool for PHP. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST). 154–157.Google ScholarGoogle Scholar
  159. Takaaki Tateishi, M. Pistoia, and O. Tripp. 2013. Path- and index-sensitive string analysis based on monadic second-order logic. ACM Trans. Softw. Eng. Methodol. 22, 4 (2013), 1–33.Google ScholarGoogle ScholarDigital LibraryDigital Library
  160. NVD. 2019. The U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). Retrieved from https://nvd.nist.gov/.Google ScholarGoogle Scholar
  161. Bugzilla. 2019. A software to manage software development. Retrieved from https://www.bugzilla.org/.Google ScholarGoogle Scholar
  162. NIST. 2019. National Institute of Standards and Technology. Retrieved from http://www.nist.gov/.Google ScholarGoogle Scholar
  163. S. B. Psiinon. 2020. Bodgeit. The BodgeIt Store. Retrieved on 17 February, 2020 from https://github.com/psiinon/bodgeit.Google ScholarGoogle Scholar
  164. Kanakiya P.2021. Openmrs-module-legacyui. OpenMRS Platform. Retrieved on 30 June, 2021 from https://github.com/openmrs/openmrs-module-legacyui/blob/master/omod/src/main/webapp/login.jsp.Google ScholarGoogle Scholar
  165. Regain. 2019. A search engine. Retrieved from http://regain.sourceforge.net/.Google ScholarGoogle Scholar
  166. HTTP dataset CSIC 2010. 2021. A testbed. Retrieved on 30 June, 2021 fromhttps://www.kaggle.com/ispangler/csic-2010-web-application-attacks.Google ScholarGoogle Scholar
  167. B. Stivalet. Suite-9408 PHP source code. 2019. A test suite. Retrieved on 12 August, 2019 from https://github.com/stivalet/PHP-Vulnerability-test-suite.Google ScholarGoogle Scholar
  168. IBM Security AppScan. 2021. An enterprise scanner Retrieved from https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_sm/9/897/ENUS5724-T59/index.html.Google ScholarGoogle Scholar
  169. NIST. 2019. Juliet Test Suite. Retrieved from https://samate.nist.gov/SRD/testsuite.php.Google ScholarGoogle Scholar
  170. M. Gegick and S. Barnum. 2013. Securing the Weakest Link Retrieved from https://us-cert.cisa.gov/bsi/articles/knowledge/principles/securing-the-weakest-link.Google ScholarGoogle Scholar
  171. Tore Dybå and T. Dingsøyr. 2008. Empirical studies of agile software development: A systematic review. Information and Software Technology 50, 9–10 (2008), 833–859.Google ScholarGoogle ScholarDigital LibraryDigital Library
  172. Software development blogs. 2020. Top 10 Programming Languages for Web Development in 2020. Retrieved on 12 August, 2020 from https://intersog.com/blog/top-10-programming-languages-for-web-development-in-2020/.Google ScholarGoogle Scholar
  173. Javinpaul. 2021. Top 5 programming languages for web development in 2021 Retrieved on 30 June, 2021 from https://medium.com/javarevisited/top-5-programming-languages-for-web-development-in-2021-f6fd4f564eb6.Google ScholarGoogle Scholar

Published in

  ACM Computing Surveys, Volume 54, Issue 9
  December 2022
  800 pages
  ISSN: 0360-0300
  EISSN: 1557-7341
  DOI: 10.1145/3485140

        Copyright © 2021 Association for Computing Machinery.

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

  Association for Computing Machinery, New York, NY, United States

Publication History

  • Published: 8 October 2021
  • Accepted: 1 July 2021
  • Revised: 1 June 2021
  • Received: 1 March 2020

Qualifiers

  • survey
  • Refereed
