Wednesday, 23 July 2014

Analysis of Field Data on Web Security Vulnerabilities

Most web applications have critical bugs (faults) affecting their security, which makes them vulnerable to attacks by hackers and organized crime. To prevent these security problems from occurring, it is of utmost importance to understand the typical software faults. This paper contributes to this body of knowledge by presenting a field study on two of the most widespread and critical web application vulnerabilities: SQL Injection and XSS. It analyzes the source code of security patches of widely used web applications written in weakly and strongly typed languages. Results show that only a small subset of software fault types, affecting a restricted collection of statements, is related to security. To understand how these vulnerabilities are really exploited by hackers, this paper also presents an analysis of the source code of the scripts used to attack them. The outcomes of this study can be used to train software developers and code inspectors in the detection of such faults, and are also the foundation for research on realistic vulnerability and attack injectors that can be used to assess security mechanisms such as intrusion detection systems, vulnerability scanners, and static code analyzers.
The security of web applications has become a major concern and is receiving more and more attention from governments, corporations, and the research community. Attackers have also followed the move to the web, and as such more than half of current computer security threats and vulnerabilities affect web applications. Not surprisingly, the number of reported attacks that exploit web application vulnerabilities is increasing; in fact, data breaches caused by web application security problems are frequently reported. Given the preponderant role of web applications in many organizations, the importance of finding ways to reduce the number of vulnerabilities is clear. A deeper knowledge of the software faults behind such vulnerabilities can help; however, this is a vast field and there is still a lot of work to be done.
- Web applications are vulnerable to attacks.
- Attackers have also followed the move to the web, and as such more than half of current computer security threats and vulnerabilities affect web applications.
This paper contributes to filling this gap by presenting a study on the characteristics of source code defects that generate major web application vulnerabilities. The main research goal is to understand the typical software faults behind the majority of web application vulnerabilities, taking into account different programming languages. To understand the relevance of these kinds of vulnerabilities for attackers, the paper also analyzes the code used to exploit them. The proposed methodology allows gathering information on common mistakes that developers should avoid. This knowledge is helpful for training, and it is crucial for the specification of guidelines for security code reviewers, for the evaluation of penetration testing tools, and for the creation of safer internal policies for programming practices, among others. It can also be used to build a realistic attack injector. In our study, we observed that not every vulnerability is equally important to an attacker; when not all vulnerabilities can be fixed in due time, these data may be used to select those that should be addressed first.
- Its underlying idea is that knowing the root cause of software defects helps remove their source.
- Each patch was inspected in depth to gather the precise characteristics of the code responsible for the security problem, and to classify them according to an adaptation of the orthogonal defect classification.
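As an added illustration (not code from the paper or from this post), the kind of before/after pair a patch inspection in this study compares: a query built by string concatenation beside its parameterized fix, and an unescaped HTML echo beside its escaped fix. The in-memory table, its rows and the probe inputs are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """'Before' side of a SQL Injection patch: input is concatenated into the query."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_patched(conn, name):
    """'After' side: the same query with the input bound as a parameter."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_vulnerable(name):
    """'Before' side of an XSS patch: user input echoed into HTML unchanged."""
    return "<p>Hello, " + name + "</p>"


def render_patched(name):
    """'After' side: the missing escaping call is added before output."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def compare_patch(conn, probe):
    """Rows returned by each version for the same probe, as a code inspector
    would check that the fix changes behaviour only for hostile input."""
    return len(lookup_vulnerable(conn, probe)), len(lookup_patched(conn, probe))


if __name__ == "__main__":
    db = make_db()
    print("benign:", compare_patch(db, "alice"))            # (1, 1)
    print("tautology:", compare_patch(db, "x' OR '1'='1"))  # (2, 0)
    print(render_patched("<b>bob</b>"))
```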



Processor        : Pentium IV
Speed            : 1.1 GHz
RAM              : 512 MB (min)
Hard Disk        : 40 GB
Keyboard         : Standard Windows keyboard
Mouse            : Two- or three-button mouse
Monitor          : LCD/LED
Operating System : Windows XP
Coding Language  : Java
Database         : MySQL
Tool             : NetBeans

José Fonseca, Nuno Seixas, Marco Vieira, and Henrique Madeira, "Analysis of Field Data on Web Security Vulnerabilities," IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 2, March/April 2014.
