Published in: Empirical Software Engineering 5/2010

01.10.2010

An empirical investigation into open source web applications’ implementation vulnerabilities

Authors: Toan Huynh, James Miller

Published in: Empirical Software Engineering | Issue 5/2010


Abstract

Current web applications have many inherent vulnerabilities; in fact, in 2008, over 63% of all documented vulnerabilities were in web applications. While many approaches have been proposed to address various web application vulnerability issues, there has been no study investigating whether these vulnerabilities share any common properties. In this paper, we use an approach similar to the Goal-Question-Metric approach to empirically investigate four questions regarding open source web application vulnerabilities: What proportion of security vulnerabilities in web applications can be considered implementation vulnerabilities? Are these vulnerabilities the result of interactions between web applications and external systems? What proportion of the lines of code within a web application are vulnerable? Are implementation vulnerabilities caused by implicit or explicit data flows? The results of the investigation show that implementation vulnerabilities dominate. They are caused by interactions between web applications and external systems. Furthermore, these vulnerabilities involve only explicit data flows, and are confined to relatively small sections of the source code.
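As an added illustration (not part of the paper), the following Python sketch shows the distinction the abstract draws between explicit and implicit data flows at an interaction point between a web application and an external system. It implements a minimal explicit-flow taint check over the AST; `request_param` and `db_query` are constructed stand-ins for a source that reads from the HTTP client and a sink that hands data to the database, and the three input snippets are constructed samples.

```python
import ast

# Constructed stand-ins: a source reading from an external system (the HTTP
# client) and a sink passing data to another external system (the database).
SOURCES = {"request_param"}
SINKS = {"db_query"}


def _tainted(node, tainted):
    """Explicit data flow only: names, source calls, concatenation, f-strings."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id in SOURCES or any(_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):
        return _tainted(node.left, tainted) or _tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):
        return any(_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return False


def explicit_flow_sinks(source):
    """Line numbers where a sink's query string (first argument) is tainted by
    explicit data flow from a source. Control-dependent (implicit) flows are
    deliberately not tracked, matching the explicit-flow model."""
    tainted, hits = set(), []

    def scan(stmts):
        for s in stmts:  # source order, so assignment chains resolve
            if isinstance(s, ast.Assign) and _tainted(s.value, tainted):
                tainted.update(t.id for t in s.targets if isinstance(t, ast.Name))
            elif (isinstance(s, ast.Expr) and isinstance(s.value, ast.Call)
                  and isinstance(s.value.func, ast.Name)
                  and s.value.func.id in SINKS and s.value.args
                  and _tainted(s.value.args[0], tainted)):
                hits.append(s.lineno)
            for field in ("body", "orelse"):  # descend into if/for/while/def
                scan(getattr(s, field, []))
    scan(ast.parse(source).body)
    return hits


# Constructed samples: explicit flow into the query text, the same query
# parameterised so the client value never reaches the query text, and an
# implicit (control-dependent) flow that an explicit-only model does not report.
EXPLICIT = ('uid = request_param("id")\n'
            'q = "SELECT * FROM users WHERE id = " + uid\n'
            'db_query(q)\n')
PARAMETERISED = ('uid = request_param("id")\n'
                 'db_query("SELECT * FROM users WHERE id = ?", uid)\n')
IMPLICIT = ('flag = request_param("admin")\n'
            'role = "guest"\n'
            'if flag == "1":\n'
            '    role = "admin"\n'
            "db_query(\"SELECT * FROM users WHERE role = '\" + role + \"'\")\n")
```

Running `explicit_flow_sinks` over the three samples reports only the explicit case (line 3); the parameterised variant keeps client data out of the query text, and the implicit case reaches the sink only through a control dependency, which this model does not track.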


Footnotes

4. http://www.osvdb.org/, last accessed July 22, 2009

8. http://xforce.iss.net/, last accessed July 31, 2009

10. http://lwn.net/Vulnerabilities/, last accessed July 31, 2009

11. http://sourcecount.com/, last accessed July 29, 2009

12. Clearly, this is a simplification of the situation. However, the study has insufficient data to allow the evaluation of more complex models.

13. http://www.acunetix.com/, last accessed Feb. 7, 2006
 
Metadata
Title
An empirical investigation into open source web applications’ implementation vulnerabilities
Authors
Toan Huynh
James Miller
Publication date
01.10.2010
Publisher
Springer US
Published in
Empirical Software Engineering / Issue 5/2010
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI
https://doi.org/10.1007/s10664-010-9131-y