Top

The Journal of Supercomputing

Published in:

13-06-2016

An algorithm to find relationships between web vulnerabilities

Authors: Fernando Román Muñoz, Luis Javier García Villalba

Published in: The Journal of Supercomputing | Issue 3/2018

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Over the past years, there has been a high increase in web sites using cloud computing. Like usual web site, those web applications can have most of the common web vulnerabilities, like SQL injection or cross-site scripting. Therefore, cloud computing has become more attractive to cyber criminals. Besides, in many cases it is necessary to comply with regulations like PCI DSS or standards like ISO/IEC 27001. To face those threats and requirements it is a common task to analyze web applications to detect and correct their vulnerabilities. The most used tools to analyze web applications are automatic scanners. But it is difficult to comparatively decide which scanner is best or at least is best suited to detect a particular vulnerability. To evaluate scanner capabilities some evaluation criteria have been defined. Often a web vulnerability classification is also used to evaluate scanners, but current web vulnerability classifications do not usually include all vulnerabilities. To face evaluation criteria which are not up-to-date and to have the fullest possible classification, in this paper a new method to map web vulnerability classifications is proposed. The result will be the vulnerabilities an automatic scanner has to detect. As classifications change over time, this new method could be executed when the existing classifications change or when new classifications are developed. The vulnerabilities described this way can also be seen as a web vulnerability classification that includes all vulnerabilities in the classifications taken into account.

previous article E2FS: an elastic storage system for cloud computing

next article An efficient distributed mutual exclusion algorithm for intersection traffic control

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Acunetix (2015) Acunetix web vulnerability scanner. http://www.acunetix.com/. Accessed 30 Sept 2015

HP (2015) Hp webinspect. http://www.spidynamics.com/products/. Accessed 30 Sept 2015

IBM (2015) IBM rational appscan. http://www-01.ibm.com/software/awdtools/appscan/. Accessed 30 Sept 2015

Open Web Application Security Project (2015) Owasp zed attack proxy. https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.Accessed 30 Sept 2015

PCI Security Standards Council (2016) PCI SSC data security standards. https://www.pcisecuritystandards.org. Accessed 30 Sept 2015

Akowuah F, Lake J, Yuan X, Nuakoh E, Yu H (2015) Testing the security vulnerabilities of openemr 4.1.1: a case study. J Comput Sci Coll 30(3):26–35

Assad RE, Katter T, Ferraz F, de Lemos Meira S (2010) Security quality assurance on web-based application through security requirements tests based on owasp test document: elaboration, execution and automation. In: Proceedings of the 2nd OWASP Ibero-American Web Applications Security Conference

Austin A, Smith B, Williams L (2010) Towards improved security criteria for certification of electronic health record systems. In: Proceedings of the 2010 ICSE Workshop on Software Engineering in Health Care, SEHC ’10, New York, pp 68–73

Bau J, Bursztein E, Gupta D, Mitchell J (2010) State of the art: automated black-box web application vulnerability testing. In: Proceedings of the IEEE symposium on Security and Privacy (SP), pp 332–345

10.

Bergvall J, Svensson L (2015) Risk analysis review. In: Linkopings universitet

11.

Bhattacharjee J, Sengupta A, Mazumdar C, Barik MS (2012) A two-phase quantitative methodology for enterprise information security risk analysis. In: Proceedings of the CUBE International Information Technology Conference, CUBE ’12, New York, pp 809–815

12.

Black PE, Kass M (2005) Software security assurance tools, techniques and metrics (SSATTM). In: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, ASE ’05, New York, pp 461–461

13.

Blanco C, Lasheras J, Valencia-García R, Fernández-Medina E, Toval A, Piattini M (2008) A systematic review and comparison of security ontologies. In: Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, ARES ’08. IEEE Computer Society, Washington, DC, pp 813–820

14.

Blei DM, Ng AY, Jordan MI (2003) Latent Dirichlet allocation. J Mach Learn Res 3:993–1022MATH

15.

Chen S (2012) General features comparison—web application scanners. http://www.sectoolmarket.com

16.

Cornel D (2010) Mapping between owasp top 10 (2004, 2007), wasc 24+2 and sans cwe/25. http://blog.denimgroup.com/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html

17.

Corporation TM (2013) Common weakness enumeration. http://cwe.mitre.org

18.

Corporation TM (2013) Cwe. http://cve.mitre.org

19.

Dahbur K, Mohammad B, Tarakji AB (2011) A survey of risks, threats and vulnerabilities in cloud computing. In: Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, ISWSA ’11, New York, pp 12:1–12:6

20.

Daz-Lpez D, Dlera-Tormo G, Gmez-Mrmol F, Martnez-Prez G (2014) Dynamic counter-measures for risk-based access control systems: an evolutive approach. Future Generation Computer Systems

21.

Demchenko Y, Gommans L, de Laat C, Oudenaarde B (2005) Web services and grid security vulnerabilities and threats analysis and model. In: Proceedings of the 6th IEEE/ACM International Workshop on Grid Computing, GRID ’05. IEEE Computer Society, Washington, DC, pp 262–267

22.

Doupé A, Cavedon L, Kruegel C, Vigna G (2012) Enemy of the state: a state-aware black-box web vulnerability scanner. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security’12. USENIX Association, Berkeley, p 26

23.

Doupé A, Cova M, Vigna G (2010) Why johnny can’t pentest: an analysis of black-box web vulnerability scanners. In: Proceedings of the 7th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA’10. Springer, Berlin, pp 111–131

24.

Ferreira AM, Klepee H (2011) Effectiveness of automated application penetration testing tools

25.

Fong E, Okun V (2007) Web application scanners: definitions and functions. In: Proceedings of the 40th Annual Hawaii International Conference on System Sciences, HICSS ’07, p. 280b. IEEE Computer Society, Washington, DC

26.

Fonseca J, Vieira M, Madeira H (2007) Testing and comparing web vulnerability scanning tools for sql injection and xss attacks. In: Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing, PRDC ’07. IEEE Computer Society, Washington, DC, pp 365–372

27.

Fonseca J, Vieira M, Madeira H (2014) Evaluation of web security mechanisms using vulnerability & attack injection. IEEE Trans Dependable Secur Comput 11(5):440–453CrossRef

28.

Gonzalez H, Halevy AY, Jensen CS, Langen A, Madhavan J, Shapley R, Shen W, Goldberg-Kidon J (2010) Google fusion tables: web-centered data management and collaboration. Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data, SIGMOD ’10. NY, USA, New York, pp 1061–1066

29.

Grossman J (2013) Wasc threat classification to owasp top ten rc1 mapping . http://jeremiahgrossman.blogspot.com.es/2010/01/wasc-threat-classification-to-owasp-top.html

30.

Gupta S, Sharma L (2011) Analysis and assessment of web application security testing tools. In: Proceedings of the 5th National Conference

31.

Haley C, Laney R, Nuseibeh B (2004) Deriving security requirements from crosscutting threat descriptions, execution and automation. In: Proceedings of the 3rd International Conference on Aspect-Oriented Software Development, pp 112–121

32.

Hashizume K, Rosado DG, Fernández-Medina E, Fernandez EB (2013) An analysis of security issues for cloud computing. J Internet Serv Appl 4(1):1–13CrossRef

33.

Lannacone M, Bohn S, Nakamura G, Gerth J, Huffer K, Bridges R, Ferragut E, Goodall J (2015) Developing an ontology for cyber security knowledge graphs. In: Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISR ’15, New York, pp 12:1–12:4

34.

International Organization for Standardization (2005) International standard iso/iec 27001

35.

Jiang Y, Li X, Meng W (2014) Discword: learning discriminative topics. In: Proceedings of the 2014 IEEE/WIC/ACM International Joint Conferences on Web Intelligence (WI) and Intelligent Agent Technologies (IAT), vol 02, WI-IAT ’14. IEEE Computer Society, Washington, DC, pp 63–70

36.

Jones CL, Bridges RA, Huffer KMT, Goodall JR (2015) Towards a relation extraction framework for cyber-security concepts. In: Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISR ’15, New York, pp. 11:1–11:4

37.

Jurcenoks J (2013) Owasp to wasc to cwe mapping correlating different industry taxonomy. Critical Watch

38.

Khalili A, Sami A, Ghiasi M, Moshtari S, Salehi Z, Azimi M (2014) Software engineering issues regarding securing ics: an industrial case study. In: Proceedings of the 1st International Workshop on Modern Software Engineering Methods for Industrial Automation, MoSEMInA 2014, New York, pp 1–6

39.

Kim H, Choo J, Kim J, Reddy CK, Park H (2015) Simultaneous discovery of common and discriminative topics via joint nonnegative matrix factorization. In: Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD ’15, New York, pp 567–576

40.

Kumar R, Singh H (2013) A qualitative analysis of effects of security risks on architecture of an information system. SIGSOFT Softw Eng Notes 38(6):1–3CrossRef

41.

Loh P, Subramanian D (2010) Fuzzy classification metrics for scanner assessment and vulnerability reporting. IEEE Trans Inf Forensics Secur 5(4):613–624CrossRef

42.

Martin RA, Barnum S (2008) Common weakness enumeration (cwe) status update. Ada Lett 28(1):88–91CrossRef

43.

Martin RA, Barnum S (2008) Creating the secure software testing target list. In: Proceedings of the 4th Annual Workshop on Cyber Security and Information Intelligence Research: Developing Strategies to Meet the Cyber Security and Information Intelligence Challenges Ahead, CSIIRW ’08, New York, pp 33:1–33:2

44.

Martin RA, Christey S, Jarzombek J (2005) The case for common flaw enumeration. NIST Workshop on Software Security Assurance Tools, Techniques, and Metrics

45.

Martirosyan Y (2013) Security evaluation of web application vulnerability scanners strengths and limitations using custom web application. In: California State University

46.

Mcquade K (2014) Open source web vulnerability scanners: the cost effective choice? In: Proceedings of the Conference for Information Systems Applied Research, Baltimore

47.

Michell S (2013) Programming language vulnerabilities: proposals to include concurrency paradigms. Ada Lett 33(1):101–115MathSciNetCrossRef

48.

Mulwad V, Li W, Joshi A, Finin T, Viswanathan K (2011) Extracting information about security vulnerabilities from web text. In: Proceedings of the 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology, vol 03, WI-IAT ’11. IEEE Computer Society, Washington, DC, pp 257–260

49.

National Institute of Standards and Technology: Software assurance tools: web application security scanner functional specification version 1.0. NIST special publication 500-269

50.

National Institute of Standards and Technology (2011) Nist special publication 800-30 revision 1: guide for conducting risk assessments. NIST special publication, p 95

51.

Njogu HW, Jiawei L, Kiere JN, Hanyurwimfura D (2013) A comprehensive vulnerability based alert management approach for large networks. Future Gener Comput Syst 29(1):27–45CrossRef

52.

Nuno Teodoro CS (2010) Automating web applications security assessments through scanners. In: Proceedings of the OWASP Ibero-American Web Applications Security Conference

53.

Open Web Application Security Project (2008) OWASP testing guide v3.https://www.owasp.org

54.

Open Web Application Security Project (2014) OWASP testing guide v4.https://www.owasp.org

55.

Parmar S (2015) Vulnerability checker for infosecurity. Int J Sci Res (IJSR) 4(3):1593–1596MathSciNet

56.

Prashanth S, Sambasiva N (2015) Vulnerability, threats and its countermeasure in cloud computing. Int J Comput Sci Mobile Comput 4(6):126–130

57.

Project OTT (2013) Open web application security project. https://code.google.com/p/owasptop10

58.

Román Muñoz F, García Villalba LJ (2013) Methods to test web applications scanners. Amman, Jordan

59.

Román Muñoz F, García Villalba LJ (2015) Web from preprocessor for crawling. Multimed Tools Appl 74(19):8559–8570CrossRef

60.

Román Muñoz F, García Villalba LJ (2015) Web vulnerability classification mappings 1. http://vulmappings.esy.es

61.

Saeed FA (2014) Using wassec to evaluate commercial web application security scanners. Int J Soft Comput Eng (IJSCE) 4(1):177–181

62.

SANS (2011) Cwe/sans top 25 most dangerous software errors. http://www.sans.org/top25-software-errors

63.

Srivatsa S, Nagasundaram S (2015) Guidelines for security in cloud computing. Netw Commun Eng 7(7):305–306

64.

Suto L (2010) Analyzing the accuracy and time costs of web application security scanners. In: Beyond Trust

65.

Telligent (2013) Telligent evolution platform. https://community.zimbra.com/documentation/telligentcommunity/w/community7/24580.securing-telligent-evolution

66.

The MITRE Corporation (2013) Common attack patterns enumeration and classfication. http://capec.mitre.org/

67.

Tripp O, Weisman O, Guy L (2013) Finding your way in the testing jungle: A learning approach to web security testing. Proceedings of the 2013 International Symposium on Software Testing and Analysis, ISSTA 2013, New York, pp 347–357

68.

Web Application Security Consortium (2009) Web application security scanner evaluation criteria. http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria

69.

Web Application Security Consortium (2010) The WASC threat classification. http://projects.webappsec.org/w/page/13246978/Threat Classification

70.

Web Application Security Consortium (2012) Threat classification taxonomy cross reference view. http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View

71.

Weber S, Karger PA, Paradkar A (2005) A software flaw taxonomy: aiming tools at security. SIGSOFT Softw Eng Notes 30(4):1–7CrossRef

72.

Weber S, Karger PA, Paradkar A (2005) A software flaw taxonomy: aiming tools at security. In: Proceedings of the 2005 Workshop on Software Engineering for Secure Systems—Building Trustworthy Applications, SESS ’05, New York, pp 1–7

Title: An algorithm to find relationships between web vulnerabilities
Authors: Fernando Román Muñoz
Luis Javier García Villalba
Publication date: 13-06-2016
Publisher: Springer US
Published in: The Journal of Supercomputing / Issue 3/2018
Print ISSN: 0920-8542
Electronic ISSN: 1573-0484
DOI: https://doi.org/10.1007/s11227-016-1770-3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Other articles of this Issue 3/2018

Fusion algorithms and high-performance applications for vehicular cloud computing

Cross-layer design and performance analysis for maximizing the network utilization of wireless mesh networks in cloud computing

A load balancing scheme with Loadbot in IoT networks

E2FS: an elastic storage system for cloud computing

Analysis of performance measures in cloud-based ubiquitous SaaS CRM project systems

An efficient distributed mutual exclusion algorithm for intersection traffic control

Premium Partner