Predicting common web application vulnerabilities from input validation and sanitization code patterns


Detailed bibliography
Published in: 27th IEEE/ACM International Conference on Automated Software Engineering (ASE) : proceedings, September 3-7, 2012, Essen, Germany, pp. 310 - 313
Main authors: Shar, Lwin Khin, Tan, Hee Beng Kuan
Format: Conference paper.
Language: English
Publication details: New York, NY, USA: ACM, 03.09.2012
Series: ACM Conferences
ISBN: 1450312047, 9781450312042
Abstract: Software defect prediction studies have shown that defect predictors built from static code attributes are useful and effective. On the other hand, to mitigate the threats posed by common web application vulnerabilities, many vulnerability detection approaches have been proposed. However, finding alternative solutions to address these risks remains an important research problem. As web applications generally adopt input validation and sanitization routines to prevent web security risks, in this paper, we propose a set of static code attributes that represent the characteristics of these routines for predicting the two most common web application vulnerabilities: SQL injection and cross-site scripting. In our experiments, vulnerability predictors built from the proposed attributes detected more than 80% of the vulnerabilities in the test subjects at low false alarm rates.
Authors:
1. Shar, Lwin Khin (shar0035@e.ntu.edu.sg), Nanyang Technological University, Singapore
2. Tan, Hee Beng Kuan (ibktan@ntu.edu.sg), Nanyang Technological University, Singapore
CODEN IEEPAD
ContentType Conference Proceeding
Copyright 2012 ACM
DOI 10.1145/2351676.2351733
DatabaseName IEEE Electronic Library (IEL) Conference Proceedings
IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume
IEEE Xplore All Conference Proceedings
IEEE Electronic Library (IEL)
IEEE Proceedings Order Plans (POP All) 1998-Present
Discipline Computer Science
EndPage 313
ExternalDocumentID 6494943
Genre orig-research
ISICitedReferencesCount 58
Keywords static code attributes
empirical study
input validation and sanitization
web application vulnerabilities
Defect prediction
License Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org
MeetingName ASE'12: IEEE/ACM International Conference on Automated Software Engineering
PageCount 4
StartPage 310
SubjectTerms Codes
Complexity theory
Data collection
Data mining
Defect prediction
empirical study
General and reference -- Cross-computing tools and techniques -- Metrics
General and reference -- Cross-computing tools and techniques -- Verification
input validation and sanitization
Predictive models
Security
Software
Software and its engineering -- Software creation and management -- Software development process management
Software and its engineering -- Software creation and management -- Software verification and validation -- Formal software verification
Software and its engineering -- Software organization and properties -- Software functional properties -- Formal methods -- Software verification
Software engineering
static code attributes
Theory of computation -- Semantics and reasoning -- Program reasoning -- Program verification
Time measurement
Vectors
web application vulnerabilities
URI https://ieeexplore.ieee.org/document/6494943