Issue No. 02, March-April 2014 (vol. 11), pp. 89-100
Jose Fonseca , Institute Polytechnic of Guarda, Guarda and University of Coimbra, Coimbra
Nuno Seixas , University of Coimbra, Coimbra
Marco Vieira , University of Coimbra, Coimbra
Henrique Madeira , University of Coimbra, Coimbra
ABSTRACT
Most web applications contain critical bugs (faults) that affect their security, leaving them vulnerable to attacks by hackers and organized crime. Preventing these security problems requires understanding the typical software faults behind them. This paper contributes to that body of knowledge by presenting a field study on two of the most widespread and critical web application vulnerabilities: SQL Injection and XSS. It analyzes the source code of security patches of widely used web applications written in weakly and strongly typed languages. Results show that only a small subset of software fault types, affecting a restricted collection of statements, is related to security. To understand how these vulnerabilities are actually exploited by hackers, the paper also presents an analysis of the source code of the scripts used to attack them. The outcomes of this study can be used to train software developers and code inspectors in detecting such faults, and they are also the foundation for research on realistic vulnerability and attack injectors that can be used to assess security mechanisms such as intrusion detection systems, vulnerability scanners, and static code analyzers.
INDEX TERMS
Security, Software, Java, Internet, Awards activities, Blogs, review and evaluation, Internet applications, languages
CITATION
Jose Fonseca, Nuno Seixas, Marco Vieira, Henrique Madeira, "Analysis of Field Data on Web Security Vulnerabilities", IEEE Transactions on Dependable and Secure Computing, vol.11, no. 2, pp. 89-100, March-April 2014, doi:10.1109/TDSC.2013.37