TESTING OF VULNERABLE SOURCE CODE IN WEB APPLICATIONS

Priyanka Dnyaneshwar Patil

Abstract


The security of web applications is a major problem nowadays. It arises from code that is sometimes vulnerable, written in unsafe languages such as PHP. Source code static analysis tools and data mining tools are one solution for finding vulnerabilities. Several techniques have been developed to remove these vulnerabilities, such as static analysis tools and data mining. These techniques have successfully detected and removed vulnerabilities occurring in these languages. But a problem arises from false positives, i.e. a reported vulnerability (e.g. SQL injection) that is not actually a vulnerability. In this study, testing is therefore performed to check whether a detected vulnerability is real or has been reported due to a false positive in the application. The study also produces a report of this process.
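The two-stage process the abstract describes (a detector that flags candidate SQL-injection sites in PHP source, a validation step that decides whether each candidate is a real vulnerability or a false positive, and a report of the outcome) is sketched below as an added Python example. It is not code from the paper: the PHP snippets are constructed, and the sanitiser list, the pattern rules and the verdict labels are assumptions of this toy checker.

```python
"""Toy two-stage checker for PHP SQL-injection findings (added example).

Stage 1 ("detect") is a deliberately naive pattern scanner, like a coarse
static analysis rule: it flags every SQL call whose query argument
interpolates a variable. Stage 2 ("validate") re-examines how each
interpolated variable was assigned and confirms the finding only when the
value traces back to a request parameter without passing through a
recognised sanitiser. All PHP source below is constructed for the example.
"""
import re
from dataclasses import dataclass

TAINT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
# Functions / casts whose result we treat as safe for the SQL sink (assumption).
SANITIZERS = ("intval", "mysqli_real_escape_string", "(int)")

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
SQL_CALL_RE = re.compile(r"(mysqli_query|->query)\s*\(")
VAR_RE = re.compile(r"\$\w+")

# Constructed PHP sample: two sanitised/constant uses, two tainted ones.
SAMPLE_PHP = """\
<?php
$conn = mysqli_connect("localhost", "app", "secret", "shop");
$id = intval($_GET['id']);
$name = $_POST['name'];
$copy = $name;
$sort = "price";
$r1 = mysqli_query($conn, "SELECT * FROM items WHERE id = $id");
$r2 = mysqli_query($conn, "SELECT * FROM users WHERE name = '$copy'");
$r3 = mysqli_query($conn, "SELECT * FROM items ORDER BY $sort");
$r4 = mysqli_query($conn, "SELECT * FROM items WHERE sku = '$_REQUEST[sku]'");
"""


@dataclass
class Finding:
    line: int
    variable: str
    verdict: str   # "true_positive" or "false_positive"
    reason: str


def _query_expr(text):
    """Return the query argument of an SQL call (skips the connection arg)."""
    m = SQL_CALL_RE.search(text)
    expr = text[m.end():]
    if m.group(1) == "mysqli_query" and "," in expr:
        expr = expr.split(",", 1)[1]
    return expr


def detect(source):
    """Stage 1: list (line, variable) for every variable interpolated into SQL."""
    candidates = []
    for lineno, text in enumerate(source.splitlines(), 1):
        if SQL_CALL_RE.search(text):
            for var in dict.fromkeys(VAR_RE.findall(_query_expr(text))):
                candidates.append((lineno, var))
    return candidates


def _assignments(source):
    """Map each variable to the right-hand side of its last assignment."""
    rhs = {}
    for text in source.splitlines():
        m = ASSIGN_RE.match(text)
        if m:
            rhs[m.group(1)] = m.group(2)
    return rhs


def _is_tainted(var, rhs, depth=0):
    """Follow assignments backwards; tainted unless a sanitiser wraps the value."""
    if var in TAINT_SOURCES:
        return True                      # request data used directly
    expr = rhs.get(var)
    if expr is None or depth > 10:
        return False                     # unknown origin: not attacker-controlled here
    if any(s in expr for s in SANITIZERS):
        return False
    if any(src in expr for src in TAINT_SOURCES):
        return True
    # propagate through copies / concatenations such as $copy = $name;
    return any(_is_tainted(v, rhs, depth + 1) for v in VAR_RE.findall(expr))


def validate(source):
    """Stage 2: classify each candidate as a confirmed finding or a false positive."""
    rhs = _assignments(source)
    findings = []
    for lineno, var in detect(source):
        if _is_tainted(var, rhs):
            findings.append(Finding(lineno, var, "true_positive",
                                    f"{var} derives from a request parameter without sanitisation"))
        else:
            findings.append(Finding(lineno, var, "false_positive",
                                    f"{var} is sanitised or not attacker-controlled"))
    return findings


def report(findings):
    """Plain-text summary of the validation run."""
    confirmed = sum(f.verdict == "true_positive" for f in findings)
    lines = [f"{len(findings)} candidate(s): {confirmed} confirmed, "
             f"{len(findings) - confirmed} false positives"]
    lines += [f"line {f.line}: {f.variable} -> {f.verdict} ({f.reason})" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(validate(SAMPLE_PHP)))
```

The naive detector reports all four query lines; the validator keeps only the two whose variable really originates in request data, which is the distinction the abstract's testing step is meant to make. A real checker would need a proper PHP parser and a sanitiser model per sink type; the substring matching here is only to keep the two stages visible.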

Keywords


Automatic protection, data mining, false positives, validation, software security, static analysis, web applications, software testing



This work is licensed under a Creative Commons Attribution 4.0 International License.

Copyright © 2017 INTERNATIONAL EDUCATION AND RESEARCH JOURNAL