Abstract
Most existing surveys and reviews of web application vulnerability detection (WAVD) approaches focus on comparing and summarizing the approaches' technical details. Although some studies have analyzed the efficiency and effectiveness of specific methods, there is no comprehensive and systematic analysis of the efficiency and effectiveness of WAVD approaches as a whole. We conducted a systematic literature review (SLR) of WAVD approaches and analyzed their efficiency and effectiveness. We identified 105 primary studies out of 775 WAVD articles published between January 2008 and June 2019. Our study identified 10 categories of artifacts analyzed by the WAVD approaches and 8 categories of WAVD meta-approaches for analyzing those artifacts. Our results also summarize and compare the effectiveness and efficiency of different WAVD approaches at detecting specific categories of web application vulnerabilities, and report which web applications and test suites are used to evaluate the WAVD approaches. To our knowledge, this is the first SLR that focuses on summarizing the effectiveness and efficiency of WAVD approaches. Our results can help security engineers choose and compare WAVD tools and help researchers identify research gaps.
Supplemental Material: supplemental movie, appendix, image and software files for "Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review" are available for download.
- Mukesh K. Gupta, M. C. Govil, and G. Singh. 2018. Text-mining and pattern-matching based prediction models for detecting vulnerable files in web applications. Journal of Web Engineering. 171&2 (2018), 28–44.Google Scholar
- S. Anil, S. G. Manoj, L. Vijay, and C. Mauro. 2019. You click, I steal: Analyzing and detecting click hijacking attacks in web pages. Int. J. Inf. Secur. 18 (2019), 481–504.Google ScholarDigital Library
- P. Li, L. Liu, J. Xu, H. Yang, L. Yuan, C. Guo, and X. Ji. 2017. Application of hidden Markov model in SQL injection detection. In Proceedings of the IEEE 41st Computer Software and Applications Conference (COMPSAC). 578–583.Google Scholar
- Debabrata Kar, S. Panigrahi, and Sundararajan Srikanth. 2016. SQLiDDS: SQL injection detection using document similarity measure. J. Comput. Secur. 24, 4 (2016), 507–539.Google ScholarCross Ref
- Giovanni Agosta, A. Barenghi, A. Parata, and G. Pelosi. 2012. Automated security analysis of dynamic web applications through symbolic code execution. In Proceedings of the 9th International Conference on Information Technology: New Generations. 189–194.Google Scholar
- Y. Zhong, H. Asakura, H. Takakura, and Y. Oshima. 2015. Detecting malicious inputs of web application parameters using character class sequences. In Proceedings of the IEEE 39th Computer Software and Applications Conference. 525–532.Google Scholar
- Hossain Shahriar, V. K. Devendran, and H. Haddad. 2013. Proclick. In Proceedings of the 6th International Conference on Security of Information and Networks. 144–151.Google Scholar
- M. Ceccato, C. D. Nguyen, D. Appelt, and L. C. Briand. 2016. SOFIA: An automated security oracle for black-box testing of SQL-injection vulnerabilities. In Proceedings of the 6th International Conference on Security of Information and Networks. 167–177.Google Scholar
- Shashank Gupta and B. B. Gupta. 2015. XSS-safe: A server-side approach to detect and mitigate cross-site scripting (XSS) attacks in JavaScript code. Arab J. Sci. Eng. 41, 3 (2015), 897–920.Google ScholarCross Ref
- Z. Long. 2019. ART4SQLi: The art of SQL injection vulnerability discovery. IEEE Trans. Reliab. 68 (2019), 1470–1489.Google ScholarCross Ref
- T. Hall, S. Beecham, D. Bowes, et al. 2012. A systematic literature review on fault prediction performance in software engineering. IEEE Trans. Softw. Eng. 38, 6 (2011), 1276–1304.Google ScholarDigital Library
- S. Bertrand and E. Fong. 2016. Large scale generation of complex and faulty PHP test cases. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation. 409–415.Google Scholar
- Fang Yu, M. Alkhalaf, and T. Bultan. 2010. Stranger: An automata-based string analysis tool for PHP. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST). 154–157.Google Scholar
- Takaaki Tateishi, M. Pistoia, and O. Tripp. 2013. Path- and index-sensitive string analysis based on monadic second-order logic. ACM Trans. Softw. Eng. Methodol. 22, 4 (2013), 1–33.Google ScholarDigital Library
- NVD. 2019. The U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). Retrieved from https://nvd.nist.gov/.Google Scholar
- Bugzilla. 2019. A software to manage software development. Retrieved from https://www.bugzilla.org/.Google Scholar
- NIST. 2019. National Institute of Standards and Technology. Retrieved from http://www.nist.gov/.Google Scholar
- S. B. Psiinon. 2020. Bodgeit. The BodgeIt Store. Retrieved on 17 February, 2020 from https://github.com/psiinon/bodgeit.Google Scholar
- Kanakiya P.2021. Openmrs-module-legacyui. OpenMRS Platform. Retrieved on 30 June, 2021 from https://github.com/openmrs/openmrs-module-legacyui/blob/master/omod/src/main/webapp/login.jsp.Google Scholar
- Regain. 2019. A search engine. Retrieved from http://regain.sourceforge.net/.Google Scholar
- HTTP dataset CSIC 2010. 2021. A testbed. Retrieved on 30 June, 2021 fromhttps://www.kaggle.com/ispangler/csic-2010-web-application-attacks.Google Scholar
- B. Stivalet. Suite-9408 PHP source code. 2019. A test suite. Retrieved on 12 August, 2019 from https://github.com/stivalet/PHP-Vulnerability-test-suite.Google Scholar
- IBM Security AppScan. 2021. An enterprise scanner Retrieved from https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_sm/9/897/ENUS5724-T59/index.html.Google Scholar
- NIST. 2019. Juliet Test Suite. Retrieved from https://samate.nist.gov/SRD/testsuite.php.Google Scholar
- M. Gegick and S. Barnum. 2013. Securing the Weakest Link Retrieved from https://us-cert.cisa.gov/bsi/articles/knowledge/principles/securing-the-weakest-link.Google Scholar
- Tore Dybå and T. Dingsøyr. 2008. Empirical studies of agile software development: A systematic review. Information and Software Technology 50, 9–10 (2008), 833–859.Google ScholarDigital Library
- Software development blogs. 2020. Top 10 Programming Languages for Web Development in 2020. Retrieved on 12 August, 2020 from https://intersog.com/blog/top-10-programming-languages-for-web-development-in-2020/.Google Scholar
- Javinpaul. 2021. Top 5 programming languages for web development in 2021 Retrieved on 30 June, 2021 from https://medium.com/javarevisited/top-5-programming-languages-for-web-development-in-2021-f6fd4f564eb6.Google Scholar