Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis

Shar, Lwin Khin; Tan, Hee Beng Kuan; Briand, Lionel C.

doi:10.1109/icse.2013.6606610

Cited by 81 publications

(48 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On several occasions, the usage of static analysis offers a high false positive rate. Shar et al [12] employed the static analysis for addressing the nodes and dynamic analysis for determining the vulnerable nodes. However, the hybrid methodology espoused by them is marred by the false positive rate of the static analysis and the lack of precision in the dynamic analysis results.…”

Section: Related Workmentioning

confidence: 99%

“…Although there are several methodologies employed for detecting XSS vulnerability [7,10,11,12,16,17], the threats of XSS continue to persist. Thus, the aim of this paper is to enhance the detection methodologies by eradicating the infeasible paths, thereby reducing the false positive rate of locating XSS vulnerability.…”

Section: Related Workmentioning

confidence: 99%

“…Dynamic analysis detects vulnerabilities by analyzing the information obtained during program execution [24]. The combination of static and dynamic analyses is a hybrid approach; dynamic analysis techniques improve the false alarms of static analysis approaches and provide accurate results [12]. However, experimental results show that a straightforward hybrid approach is unlikely to be superior to a fully static or a fully dynamic detection [8].…”

Section: Detection Of Xss Vulnerabilitymentioning

confidence: 99%

See 2 more Smart Citations

Web Security: Detection of Cross Site Scripting in PHP Web Application using Genetic Algorithm

Marashdih¹,

Zaaba²,

Omer³

2017

ijacsa

View full text Add to dashboard Cite

Abstract-Cross site scripting (XSS) is one of the major threats to the web application security, where the research is still underway for an effective and useful way to analyse the source code of web application and removes this threat. XSS occurs by injecting the malicious scripts into web application and it can lead to significant violations at the site or for the user. Several solutions have been recommended for their detection. However, their results do not appear to be effective enough to resolve the issue. This paper recommended a methodology for the detection of XSS from the PHP web application using genetic algorithm (GA) and static analysis. The methodology enhances the earlier approaches of determining XSS vulnerability in the web application by eliminating the infeasible paths from the control flow graph (CFG). This aids in reducing the false positive rate in the outcomes. The results of the experiments indicated that our methodology is more effectual in detecting XSS vulnerability from the PHP web application compared to the earlier studies, in terms of the false positive rates and the concrete susceptible paths determined by GA Generator.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Detection Of Xss Vulnerabilitymentioning

confidence: 99%

See 1 more Smart Citation

Web Security: Detection of Cross Site Scripting in PHP Web Application using Genetic Algorithm

Marashdih¹,

Zaaba²,

Omer³

2017

ijacsa

View full text Add to dashboard Cite

show abstract

“…On the other hand, [27] proposed an approach based on static analysis with GA on Java web applications. Their approach combines the detection approach from [26] and the removal approach from [25]. [27] approach detects XSS vulnerabilities with significant results as compared with the approach of [25].…”

Section: ) Crossover and Mutationmentioning

confidence: 99%

“…Hybrid analysis combines static and dynamic analyses as a better approach, but the combined approach was focused on to benefit from the two types of analyses (static and dynamic) [25]; nevertheless, it still has some problems in terms of the accuracy of its result, such as the training data.…”

Section: ) Crossover and Mutationmentioning

confidence: 99%

Cross Site Scripting: Detection Approaches in Web Application

Wasef¹,

Fitri²

2016

ijacsa

View full text Add to dashboard Cite

Abstract-Web applications have become one of the standard platforms for service releases and representing information and data over the World Wide Web. Thus, security vulnerabilities headed to various type of attacks in web applications. Amongst those is Cross Site Scripting also known as XSS. XSS can be considered as one of the most popular type of threat in web security application. XSS occurs by injecting the malicious scripts into web application, and it can lead to significant violations at the site or for the user. This paper highlights the issues (i.e. security and vulnerability) in web application specifically in regards to XSS. In addition, the future direction of research within this domain is highlighted.

show abstract

SQLPIL: SQL injection prevention by input labeling

Masri

Sleiman

2015

Security Comm Networks

View full text Add to dashboard Cite

SQL injection attacks (SQLIAs) aim at exploiting vulnerabilities in web applications in order to execute malicious SQL commands. It is established that prepared statements are resilient to SQLIAs, and thus, developers are advised to use them when constructing SQL queries as opposed to applying string concatenation operations. Unfortunately, this recommended programming practice is not as pervasive as it should be. This paper addresses this shortcoming by presenting SQL injection Prevention by Input Labeling (SQLPIL), an effective, light, and fully automated tool that leverages prepared statements to prevent SQLIAs at runtime. Given a Java program in which SQL queries are built as strings, SQLPIL dynamically transforms the strings into secure prepared statements right before their execution, thus guaranteeing that malicious input will always be treated as data and never as SQL commands. We empirically evaluated our Java implementation of SQLPIL using a benchmark that includes five JSP commercial applications, a number of legitimate queries, and a number of attacks of representative types. The results were promising as all attacks were prevented, and all legitimate runs executed successfully; in other words, the technique exhibited no false alarms when applied on typical applications. Also, the runtime cost was acceptable, assuming typical settings. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis

Cited by 81 publications

References 19 publications

Web Security: Detection of Cross Site Scripting in PHP Web Application using Genetic Algorithm

Web Security: Detection of Cross Site Scripting in PHP Web Application using Genetic Algorithm

Cross Site Scripting: Detection Approaches in Web Application

SQLPIL: SQL injection prevention by input labeling

Contact Info

Product

Resources

About