CFP last date
20 January 2025
Reseach Article

Web Application Vulnerabilities: A Survey

by Vandana Dwivedi, Himanshu Yadav, Anurag Jain
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 108 - Number 1
Year of Publication: 2014
Authors: Vandana Dwivedi, Himanshu Yadav, Anurag Jain
10.5120/18877-0144

Vandana Dwivedi, Himanshu Yadav, Anurag Jain . Web Application Vulnerabilities: A Survey. International Journal of Computer Applications. 108, 1 ( December 2014), 25-31. DOI=10.5120/18877-0144

@article{ 10.5120/18877-0144,
author = { Vandana Dwivedi, Himanshu Yadav, Anurag Jain },
title = { Web Application Vulnerabilities: A Survey },
journal = { International Journal of Computer Applications },
issue_date = { December 2014 },
volume = { 108 },
number = { 1 },
month = { December },
year = { 2014 },
issn = { 0975-8887 },
pages = { 25-31 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume108/number1/18877-0144/ },
doi = { 10.5120/18877-0144 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T22:41:53.134568+05:30
%A Vandana Dwivedi
%A Himanshu Yadav
%A Anurag Jain
%T Web Application Vulnerabilities: A Survey
%J International Journal of Computer Applications
%@ 0975-8887
%V 108
%N 1
%P 25-31
%D 2014
%I Foundation of Computer Science (FCS), NY, USA
Abstract

In the last few years, the discovery of World Wide Web (WWW) has grown very much. Today, WWW applications are routinely utilized in security critical environments, like e-commerce, medical, financial, and military systems etc. WWW systems are an organization of infrastructure elements, like web databases and servers, and application-specific code, such as HTML scripts and CGI programs etc. While the core elements are usually developed by knowledgeable programmers with valid security skills this ensuing vulnerable web-based applications and accessible to the complete web, creating easily-abusing access points for the conciliation of entire networks. During this paper, we survey the current approaches to internet vulnerability analysis and that we propose a classification along two characterizing: detection and prevention model and study these methods. Furthermore we describe the foremost regular attacks in contrast to web-based applications and explore the effectiveness of sure analysis techniques in characteristic specific categories of flaws.

References
  1. Halfond, W. G. , Jeremy Viegas, and Alessandro Orso. "A classification of SQL-injection attacks and countermeasures" In Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA, pp. 13-15. 2006.
  2. Tajpour, Atefeh, Maslin Masrom, Mohammad Zaman Heydari, and Suhaimi Ibrahim. "SQL injection detection and prevention tools assessment" In Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on, vol. 9, pp. 518-522. IEEE, 2010
  3. Top 10 2010-A1-Injection, available at: http://www. owasp. org/index. php/Top_10_2010-A1-Injection, last accessed 11 June, 2013.
  4. A. Klein. "Cross Site Scripting Explained" Technical report, Sanctum Inc. , June 2002.
  5. Gmail CSRF Security Flaw. 2007. http://ajaxian. com/archives/gmail-csrf-security-flaw.
  6. Fangqi Sun, Liang Xu, and Zhendong Su. 2011. Static detection of access control vulnerabilities in web applications. In USENIX'11: Proceedings of the 20th USENIX Security Symposium.
  7. Prithvi Bisht, A. Prasad Sistla, and V. N. Venkatakrishnan. 2010b. Automatically Preparing Safe SQL Queries. In FC'10: Proceedings of the 14th International Conference on Financial Cryptography and Data Security.
  8. Y. -W. Huang, F. Yu, C. Hang, C. -H. Tsai, D. Lee, and S. -Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the 12th International World Wide Web Conference (WWW'04), pages 40–52, May 2004.
  9. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy, May 2006.
  10. N. Jovanovic, C. Kruegel, and E. Kirda. Precise Alias Analysis for Static Detection of Web Application Vulnerabilities. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS'06), June 2006.
  11. Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the 15th USENIX Security Symposium (USENIX'06), August 2006.
  12. Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. In Proceedings of the 33rd Annual Symposium on Principles of Programming Languages (POPL'06), pages 372–382, 2006.
  13. R. Paleari, D. Marrone, D. Bruschi, and M. Monga. On race vulnerabilities in web applications. In Proceedings of the 5th Conference on Detection of Intru-sions and Malware & Vulnerability Assessmen t, DIMVA, Paris, France, Lecture Notes in Computer Science. Springer, July 2008
  14. W. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutraliz-ing SQL-Injection Attacks. In Proceedings of the International Conference on Automated Software Engineering (ASE'05), pages 174–183, November 2005
  15. A. Christensen, A. Møller, and M. Schwartzbach. Precise Analysis of String Ex-pressions. In Proceedings of the 10th International Static Analysis Symposium (SAS'03), pages 1–18, May 2003
  16. C. Gould, Z. Su, and P. Devanbu. Static Checking of Dynamically Generated Queries in Database Applications. In Proceedings of the 26th International Con-ference of Software Engineering (ICSE'04), pages 645–654, September 2004.
  17. R. A. McClure and I. H. Kr¨uger, "Sql dom: compile time checking of dynamic sql statements," in Proceedings of the 27th international conference on Software engineering, ser. ICSE '05, 2005, pp. 88–96.
  18. K. Kemalis and T. Tzouramanis, "Sql-ids: a specification based approach for sql-injection detection," in Proceedings of the 2008 ACM symposium on Applied computing, ser. SAC '08. ACM, 2008, pp. 2153–2158.
  19. P. Grazie, "Phd sqlprevent thesis," Ph. D. dissertation, University of British Columbia(UBC) Vancouver, Canada, 2008.
  20. M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna, "Swaddler: An approach for the anomaly-based detection of state violations in web applications," 2007.
  21. Weinberger, Joel, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song. "A systematic analysis of xss sanitization in web application frameworks. " In Computer Security–ESORICS 2011, pp. 150-171. Springer Berlin Heidelberg, 2011
  22. S. W. Boyd and A. D. Keromytis, "Sqlrand: Preventing sql injection attacks," in In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, 2004, pp. 292–302.
  23. Buehrer, G. , Weide, B. W. , and Sivilotti, P. A. G. , Using Parse Tree Validation to Prevent SQL Injection Attacks. Proc. of 5th International Workshop on Software Engineering and Middleware, Lisbon,Portugal 2005, pp. 106–113.
  24. Bisht, P. , Madhusudan, P. , and Venkatakrishnan, V. N. , CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. ACM Transactions on Information and System Security, Volume 13 Issue 2, 2010, DOI: 10. 1145/1698750. 1698754.
  25. Ali, S. , Shahzad, S. K. , and Javed, H. , SQLIPA: An Authentication Mechanism Against SQL Injection. European Journal of Scientific Research, Vol. 38, No. 4, 2009, pp. 604-611.
  26. Doupé, Adam, Marco Cova, and Giovanni Vigna. "Why Johnny can't pentest: An analysis of black-box web vulnerability scanners. " In Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 111-131. Springer Berlin Heidelberg, 2010
  27. Li, Xiaowei, and Yuan Xue. "BLOCK: a black-box approach for detection of state violation attacks towards web applications. " In Proceedings of the 27th Annual Computer Security Applications Conference, pp. 247-256. ACM, 2011
  28. Felmetsger, Viktoria, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. "Toward automated detection of logic vulnerabilities in web applications. " In USENIX Security Symposium, pp. 143-160. 2010
  29. Guha, Arjun, Shriram Krishnamurthi, and Trevor Jim. "Using static analysis for Ajax intrusion detection. " In Proceedings of the 18th international conference on World wide web, pp. 561-570. ACM, 2009.
Index Terms

Computer Science
Information Sciences

Keywords

Web applications security SQL injection Cross-side scripting Cross-site request forgery vulnerabilities