An Integrated Approach for Detecting Security Vulnerabilities in Web Applications: A Theoretical Perspective
Related papers
Detection of the Security Vulnerabilities in Web Applications
2009
Contemporary organizations develop business processes in a very complex environment. IT&C technologies are used by organizations to improve their competitive advantages. But IT&C technologies are not perfect. They are developed in an iterative process and their quality is the result of the lifecycle activities. The audit and evaluation processes are required by the increased complexity of the business processes supported by IT&C technologies. In order to organize and develop a high-quality audit process, the evaluation team must analyze the risks, threats and vulnerabilities of the information system. The paper highlights the security vulnerabilities in web applications and the processes of their detection. Web applications are used as IT&C tools to support distributed information processes. They are a major component of distributed information systems. The audit and evaluation processes are carried out in accordance with the international standards developed for information system security assurance.
WebKure: A Web Vulnerability Auditor
We live in a period of time where Information Security has gained much attention. The core purpose of the paper is to critically study and analyze the trends in information security as far as the Internet is concerned. To counter the ever rising rates of cyber-crimes, the researcher has come up with a system that scans any target website for the most highly exploited security loophole. The system is a web application that is mainly targeted towards web developers so as to reduce the burden of security mechanism enforcement on them, while developing web content. This, in turn, makes the web a much safer and secure place to exist.
A Hybrid Approach to Detect Security Vulnerabilities in Web Applications
International Journal of Computer Science and Mobile Computing
The presence of security flaws allows deceitful operators to exploit web application weaknesses. The researcher brings a novel vulnerability assessment technique in this study that can enhance exposure detection rates while also improving efficiency by lowering the number of test results that report the presence of a condition wrongly and test results that imply the absence of a condition when it is actually present. The purpose of the experiment is a cutting-edge tool that uses a hybrid method combining white-box and black-box testing practices. The amalgamation in building the hybrid algorithm is not done blindly, as it is based on extraordinary aspects like optimization and complexity, among others, to achieve greater effectiveness. The algorithm viably identifies SQL injection and XSS injection and can be utilized in any genuine application that runs on a web server, wherever the client and the database interrelate. Crawling and parsing to discover vulnerabilities are part of the ...
A Framework for Web Application Vulnerability Detection
International Journal of Engineering and Advanced Technology
Hardly a facet of human life is not influenced by the Internet due to the continuous proliferation of Internet facilities, usage, speed, user-friendly browsing, global access, etc. On the flip side, hackers are also attacking this digital world with new tactics and techniques by exploiting web application vulnerabilities. The analysis of these vulnerabilities is of paramount importance in order to secure the social digital world. It can be carried out in two ways. First, manual analysis, which is error prone due to the human nature of forgetfulness, dynamic change in technology and fraudulent attack techniques. Second, through the existing web application vulnerability scanners, which sometimes suffer from a high false alarm rate. Hence, there is a need to develop a framework that can detect different levels of vulnerabilities, ranging from client-side vulnerabilities and communication-side vulnerabilities to server-side vulnerabilities. This paper has carried out the liter...
Systematic Review of Web Application Security Vulnerabilities Detection Methods
In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed either to using an inappropriate software development model to guide the development process, or to the use of a software development model that does not consider security as a key factor. Therefore, this systematic literature review is conducted to investigate the various security vulnerabilities affecting the web application layer, the security approaches or techniques used in the process, the stages in software development in which the approaches or techniques are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from respectable scientific sources, i.e. the IEEE Computer Society, ACM Digital Library, Science Direct and Springer Link. After a detailed review process, only 56 key primary studies were considered for this review based on defined inclusion and exclusion criteria. From the review, it appears that no one software is referred to as a standard or preferred software product for web application development. In our SLR, we have performed a deep analysis of web application security vulnerability detection methods, which helps us to identify the scope of the SLR for comprehensive investigation in future research. Further, in this SLR, considering the OWASP Top 10 web application vulnerabilities discovered in 2012, we will attempt to categorize the accessible vulnerabilities. OWASP is a major source for constructing and validating web security processes and standards.
A Hybrid Algorithm for Detecting Web Based Applications Vulnerabilities
Web vulnerability scanners (WVS) are tools for discovering vulnerabilities in a web application. However, they are not 100% accurate. In this paper we develop a hybrid algorithm for detecting web based applications vulnerabilities and compare its performance with other open source WVS. The comparison is based on three metrics namely time taken to scan, detection accuracy and consistency.
Automated Web Vulnerability Scanner
International Journal of Engineering Applied Sciences and Technology
In this era, when time and the internet have evolved, web application threats have increased tenfold. The cause of web vulnerabilities is still the lack of input validation. This causes the CIA (Confidentiality, Integrity and Availability) Triad Model to break. To solve this, we develop a scanner for finding common vulnerabilities in web applications including SQL Injection, Cross-Site Scripting (XSS), CRLF Injection, and Open Redirect. It also includes a simple port scanner along with a web crawler module which helps to identify other services which may be running on the web server. In this paper, we introduce a simple black-box security test technique for finding these issues. At the end of the paper, we demonstrate how easy it is to scan a complex enterprise-grade web application with our scanner. The main goal of the scanner is to uncover the vulnerabilities and produce a better result/report for each web application in an effective manner.
WAP: Automatic detection and correction of web application vulnerabilities
2013
Web application security is an important problem in today’s internet. A major cause of this status is that many programmers do not have adequate knowledge about secure coding, so they leave applications with vulnerabilities. An approach to solve this problem is to use source code static analysis to find these bugs, but these tools are known to report many false positives that make the task of correcting the application hard. This paper explores the use of a hybrid of methods to detect vulnerabilities with fewer false positives. After an initial step that uses taint analysis to flag candidate vulnerabilities, our approach uses data mining to predict the existence of false positives. This approach reaches a trade-off between two apparently opposite approaches: humans coding the knowledge about vulnerabilities (for taint analysis) versus automatically obtaining that knowledge (with machine learning, for data mining). Given this more precise form of detection, we do automatic code co...
Investigation of Detection and Mitigation of Web Application Vulnerabilities
International journal of computer applications, 2022
Web applications are the backbone of technology in the global era of information. In this digital world, many commercial organizations utilize the internet for financial transactions, education, and other activities. In recent days, web applications have been exploited by attackers frequently. Most web developers and website owners have limited awareness of the vulnerabilities in their websites, which are prone to web vulnerability attacks. Many researchers are working to detect and mitigate the vulnerability and provide different methods to resolve the various types of web vulnerabilities. However, these solutions are insufficient since they often have restrictions and are inefficient at preventing all vulnerabilities. This paper aims to review existing detection and mitigation methods for web application vulnerabilities. This will help practitioners to develop practices and solve issues related to web vulnerabilities.
A hybrid analysis framework for detecting web application vulnerabilities
2009 ICSE Workshop on Software Engineering for Secure Systems, 2009
Increasingly, web applications handle sensitive data and interface with critical back-end components, but are often written by poorly experienced programmers with low security skills. The majority of vulnerabilities that affect web applications can be ascribed to the lack of proper validation of user input before it is used as an argument of an output function. Several program analysis techniques have been proposed to automatically spot these vulnerabilities. One particularly effective technique is dynamic taint analysis. Unfortunately, this approach introduces a significant run-time penalty.