Analysis of Field Data on Web Security Vulnerabilities

Most web applications have critical bugs (faults) affecting their security, which makes them vulnerable to attacks by hackers and organized crime. To prevent these security problems from occurring, it is of utmost importance to understand the typical software faults behind them. This paper contributes to this body of knowledge by presenting a field study on two of the most widespread and critical web application vulnerabilities: SQL Injection and XSS. It analyzes the source code of security patches of widely used web applications written in weakly and strongly typed languages. Results show that only a small subset of software fault types, affecting a restricted collection of statements, is related to security. To understand how these vulnerabilities are really exploited by hackers, this paper also presents an analysis of the source code of the scripts used to attack them. The outcomes of this study can be used to train software developers and code inspectors in the detection of such faults, and they are also the foundation for research on realistic vulnerability and attack injectors that can be used to assess security mechanisms such as intrusion detection systems, vulnerability scanners, and static code analyzers.
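The abstract states that the security patches it studied touch only a restricted set of statements. The following added example (not code from the paper, which analyzed real PHP and Java applications) illustrates what such a patch typically looks like for the two vulnerability classes named above: the unpatched statement builds an SQL query by string concatenation or emits user input straight into HTML, and the patched statement differs in one call. Python's `sqlite3` and `html` modules stand in for the web frameworks of the original study, and the `users` table and probe inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory database with a tiny users table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, name):
    # Unpatched form: the query is assembled by concatenating unvalidated input,
    # so characters in `name` are interpreted as SQL syntax rather than data.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_patched(conn, name):
    # Patched form: the only change is that the value is passed as a bound
    # parameter, so the driver keeps it separate from the SQL text.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # Unpatched form: user input is inserted into the HTML response verbatim.
    return "<p>Hello, " + name + "</p>"


def render_greeting_patched(name):
    # Patched form: the single missing call is an HTML-escaping function.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def compare_patch(sql_probe, html_probe):
    """Run both forms side by side and report how each behaves on the probes.

    Returns the number of rows each SQL variant yields and whether the HTML
    variants still contain a raw '<' after rendering the probe.
    """
    conn = make_db()
    return {
        "sqli_vulnerable_rows": len(lookup_user_vulnerable(conn, sql_probe)),
        "sqli_patched_rows": len(lookup_user_patched(conn, sql_probe)),
        "xss_vulnerable_raw_tag": "<" in render_greeting_vulnerable(html_probe)[len("<p>") : -len("</p>")],
        "xss_patched_raw_tag": "<" in render_greeting_patched(html_probe)[len("<p>") : -len("</p>")],
    }


if __name__ == "__main__":
    # Constructed probes: a tautology that breaks out of the quoted string, and a tag.
    print(compare_patch("' OR '1'='1", "<b>bold</b>"))
```

The point for a code inspector is the size of the diff: the vulnerable and patched versions of each function differ in one statement, which is why a reviewer who knows the pattern can spot the missing parameter binding or escaping call without tracing the whole application.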
