Vulnerability & attack injection for web applications

In this paper we propose a methodology to inject realistic attacks into web applications. The methodology is based on the idea that by injecting realistic vulnerabilities into a web application and attacking them automatically we can assess existing security mechanisms. To provide true-to-life results, this methodology relies on field studies of a large number of vulnerabilities in web applications. The paper also describes a set of tools implementing the proposed methodology. They allow the automation of the entire process, including gathering results and analysis. We used these tools to conduct a set of experiments to demonstrate the feasibility and effectiveness of the proposed methodology. The experiments include the evaluation of coverage and false positives of an Intrusion Detection System for SQL Injection and the assessment of the effectiveness of two Web Application Vulnerability Scanners. Results show that the injection of vulnerabilities and attacks is an effective way to evaluate security mechanisms and tools.
