Josť Fonseca , UDI of the Institute Polytechnic of Guarda, Guarda and the CISUC
Marco Vieira , University of Coimbra, Coimbra
Henrique Madeira , University of Coimbra, Coimbra
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2013.45
In this paper we propose a methodology and a prototype tool to evaluate web application security mechanisms. The methodology is based on the idea that injecting realistic vulnerabilities in a web application and attacking them automatically can be used to support the assessment of existing security mechanisms and tools in custom setup scenarios. To provide true to life results, the proposed vulnerability and attack injection methodology relies on the study of a large number of vulnerabilities in real web applications. In addition to the generic methodology, the paper describes the implementation of the Vulnerability & Attack Injector Tool (VAIT) that allows the automation of the entire process. We used this tool to run a set of experiments that demonstrate the feasibility and the effectiveness of the proposed methodology. The experiments include the evaluation of coverage and false positives of an Intrusion Detection System for SQL Injection attacks and the assessment of the effectiveness of two top commercial web application vulnerability scanners. Results show that the injection of vulnerabilities and attacks is indeed an effective way to evaluate security mechanisms and to point out not only their weaknesses but also ways for their improvement.
Databases, Internet Applications, Security
Josť Fonseca, Marco Vieira, Henrique Madeira, "Evaluation of Web Security Mechanisms using Vulnerability and Attack Injection", IEEE Transactions on Dependable and Secure Computing, , no. 1, pp. 1, PrePrints PrePrints, doi:10.1109/TDSC.2013.45