Towards a taxonomy of techniques to detect cross-site scripting and SQL injection vulnerabilities

Since 2002, more than half of the reported cyber vulnerabilities have been caused by input validation flaws. In 2006, cross-site scripting and SQL injection accounted for over 50% of the input validation vulnerabilities recorded in the (US) National Vulnerability Database. Many techniques have been proposed to mitigate cross-site scripting and SQL injection vulnerabilities; applied without a precise understanding of what each one does and does not cover, however, they can give a false sense of security. A clear understanding of the advantages and disadvantages of each technique provides a basis for comparing them. This survey presents a taxonomy of techniques for detecting cross-site scripting and SQL injection vulnerabilities, based on 21 papers published in the IEEE and ACM databases. The taxonomy characterizes each technique by its detection method and by the criteria used to evaluate it, and so provides a foundation for comparing techniques to detect cross-site scripting and SQL injection vulnerabilities. Organizations can use the comparison to choose appropriate techniques for the resources they have available.
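The "false sense of security" point above is easy to see in code. The example below is an added illustration, not code from the survey or from any of the papers it classifies: it contrasts a keyword blacklist of the kind often deployed as an SQL injection "filter" with a simplified structural check (the query built from the real input must tokenise to the same token-kind sequence as the query built from a harmless placeholder, a much-reduced form of the syntax-aware and parse-tree comparison approaches found in the literature), and then shows the parameterized query that removes the problem. The table, the query template, the signature list and the payloads are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample inputs: one benign value and three payloads chosen to
# slip past the blacklist below (no "1=1", no "union select", no "--").
BENIGN = "alice"
PAYLOADS = [
    "' OR 'a'='a",                                       # tautology without 1=1
    "' UNION/**/SELECT secret FROM vault WHERE 'x'='x",  # comment splits the keywords
    "admin'/*",                                          # opens a comment, swallows the rest
]

# A signature filter of the kind the abstract warns about: a few famous
# patterns, nothing else. Assumed for the example, not a real product's rules.
SIGNATURES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    re.compile(r"union\s+select", re.I),
    re.compile(r"--"),
]


def signature_filter_accepts(user_input: str) -> bool:
    """True when no blacklist pattern matches, i.e. the filter would let it through."""
    return not any(sig.search(user_input) for sig in SIGNATURES)


# Minimal SQL tokenizer: only token *kinds* matter for the structural check.
TOKEN = re.compile(r"""
    (?P<literal>'(?:[^']|'')*')            # single-quoted string, '' escapes a quote
  | (?P<comment>--[^\n]*|/\*.*?\*/)        # line or block comment
  | (?P<number>\d+)
  | (?P<word>[A-Za-z_]\w*)                 # keyword or identifier
  | (?P<op>[=<>!*/+\-,();.])
""", re.X | re.S)


def token_kinds(sql: str) -> list:
    """Return the sequence of token kinds; anything unparseable (e.g. an
    unterminated quote or comment) is recorded as 'junk'."""
    kinds, pos = [], 0
    while pos < len(sql):
        if sql[pos].isspace():
            pos += 1
            continue
        m = TOKEN.match(sql, pos)
        if not m:
            kinds.append("junk")
            pos += 1
            continue
        kinds.append(m.lastgroup)
        pos = m.end()
    return kinds


TEMPLATE = "SELECT id FROM users WHERE name = '{}'"   # the vulnerable concatenation


def structure_preserved(template: str, user_input: str) -> bool:
    """Structural check: the input may only fill the string literal. If the
    token-kind sequence differs from the placeholder build, the input has
    altered the statement's syntax and is rejected."""
    expected = token_kinds(template.format("x"))
    actual = token_kinds(template.format(user_input))
    return expected == actual


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def concatenated_lookup(user_input: str) -> list:
    """What the blacklist is protecting: string-built SQL. Returns matching ids."""
    conn = _fresh_db()
    rows = conn.execute(TEMPLATE.format(user_input)).fetchall()
    conn.close()
    return sorted(r[0] for r in rows)


def parameterized_lookup(user_input: str) -> list:
    """The fix: bind the value; the driver never lets it change the statement."""
    conn = _fresh_db()
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (user_input,)).fetchall()
    conn.close()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    for value in [BENIGN] + PAYLOADS:
        print(f"{value!r:55} blacklist={signature_filter_accepts(value)!s:5} "
              f"structure={structure_preserved(TEMPLATE, value)}")
    print("concatenated:", concatenated_lookup(PAYLOADS[0]))   # every row leaks
    print("parameterized:", parameterized_lookup(PAYLOADS[0]))  # no rows
```

All three payloads pass the blacklist and are caught by the structural check, while a legitimately escaped value such as `O''Brien` passes both; the first payload returns every user when the query is built by concatenation and nothing at all once the value is bound as a parameter. A blacklist measures how many known strings it knows, not how many ways the grammar can be bent, which is exactly why the survey insists on understanding what each detection method covers before relying on it.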
