On the automation of vulnerabilities fixing for web application

International journal of safety and security engineering, 2024

The increasing use of the internet has led to a growing number of security threats. Computers, smartphones, smartwatches, and other mobile devices associated with the internet face different threats and exploits. In those cases, different services are provided through web applications only. Those applications are vulnerable to hacking. There are over 1.9 billion websites today, and everything is connected to the network. According to the new national vulnerability database update, 10,683 weaknesses were found in web applications in the first quarter of 2023. The websites have the most significant details of the clients, like personal details, financial details, and so on. Checking all the web application weaknesses is not a silver bullet. So, vulnerability scanners play a significant role in web application security. Vulnerability analysis and penetration testing are two distinct vulnerability types of testing. These tests can help identify all the vulnerabilities in a web application, even those not detected by vulnerability scanners. While certain users access this vulnerability analysis data with just honest goals, like creating some security measures to avoid those vulnerabilities, some utilize it to recognize ways of destroying significant information and records of websites. As it is notable, the term penetration testing is also ethical hacking. The current paper aims to investigate penetration testing on web applications. The paper discusses the different types of penetration testing, the tools and techniques used, and the benefits of penetration testing. It also suggests the challenges of penetration testing and the steps that can be taken to mitigate these challenges.

2020

When developers fix a defect, they may change multiple files. The number of files changed for resolving the defect depends on how strongly the files are coupled with each other. In earlier works, researchers leveraged this coupling for better understanding and analyzing software as well as for guiding developers to quickly find all probable code areas to complete fixing a defect. In some studies, researchers generated association rules reflecting the coupling among files and built tools to automate the discovery of the related changes in the files. Such tools, however, do not consider the type of defects resolved earlier for generating the rules as a result of which many unrelated files may come up while changing a file in later releases for resolving a specific type of defect. Therefore, in our study, we consider only security defects or vulnerabilities to generate the rules and then automate the finding process of other related files while fixing a vulnerability. Our tool “SecureC...

Security and Privacy, 2006 …, 2006

The number and the importance of Web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident.

International journal of computer applications, 2022

Web applications are the backbone of technology in the global era of information. In this digital world connecting many commercial organizations that utilize the internet for financial transactions, education, and other activities. In recent days, web applications have been exploited by attackers frequently. Most web developers and website owners have limited awareness of the vulnerabilities in their websites,which are prone to web vulnerability attacks. Many researchers are working to detect and mitigate the vulnerability and provide differentmethods to resolve the various types of web vulnerabilities. However, these solutions are insufficient since they often have restrictions and areinefficient to prevent all vulnerabilities. This paper aims to reviewexisting detection and mitigation methodsfor web application vulnerabilities.This will helppractitioners to develop practices and solve issues related to web vulnerabilities.

2012

Abstract The paper proposes a security testing technique to detect known vulnerabilities of web applications using both static and dynamic analysis. We also present a process to improve the security of web applications by mitigating many of the vulnerabilities revealed in the testing phase, and address a new method for detecting unknown vulnerabilities by applying dynamic black-box testing based on a fuzzing technique.

Innovative Technologies for Dependable OTS-Based Critical Systems, 2013

This chapter presents a methodology to evaluate and benchmark web application vulnerability scanners using software fault injection techniques. The most common software faults are injected in the web application source code, which is then checked by the scanners. Using this procedure, we evaluated three leading commercial scanners, which are often regarded as an easy way to test the security of web applications, including critical vulnerabilities such as XSS and SQL Injection. Our idea consists of providing the scanners with the input they are supposed to handle, which is a web application with software faults and possible vulnerabilities originated by such faults. The results of the scanners are compared evaluating the efficiency in identifying the potential vulnerabilities created by the injected fault, their coverage of vulnerability detection and false positives. However, the results show that the coverage of these tools is low and the percentage of false positives is very high.

2009 ICSE Workshop on Software Engineering for Secure Systems, 2009

Increasingly, web applications handle sensitive data and interface with critical back-end components, but are often written by poorly experienced programmers with low security skills. The majority of vulnerabilities that affect web applications can be ascribed to the lack of proper validation of user's input, before it is used as argument of an output function. Several program analysis techniques were proposed to automatically spot these vulnerabilities. One particularly effective is dynamic taint analysis. Unfortunately, this approach introduces a significant run-time penalty.

2009

Vulnerabilities in applications and their widespread exploitation through successful attacks are common these days. Testing applications for preventing vulnerabilities is an important step to address this issue. In recent years, a number of security testing approaches have been proposed. However, there is no comparative study of these work that might help security practitioners select an appropriate approach for their needs. Moreover, there is no comparison with respect to automation capabilities of these approaches. In this work, we identify seven criteria to analyze program security testing work. These are vulnerability coverage, source of test cases, test generation method, level of testing, granularity of test cases, testing automation, and target applications. We compare and contrast prominent security testing approaches available in the literature based on these criteria. In particular, we focus on work that address four most common but dangerous vulnerabilities namely buffer overflow, SQL injection, format string bug, and cross site scripting. Moreover, we investigate automation features available in these work across a security testing process. We believe that our findings will provide practical information for security practitioners in choosing the most appropriate tools.

Computing, 2018

Automated Static Analysis Tools (ASATs) are one of the best ways to search for vulnerabilities in applications, so they are a resource widely used by developers to improve their applications. However, it is well-known that the performance of such tools is limited, and their detection capabilities may not meet the requirements of the project regarding the criticality of the application. Diversity is an obvious direction to take to improve the true positives, as different tools usually report distinct vulnerabilities, however with the cost of also increasing the false positives, which may be unacceptable in some scenarios. In this paper, we study the problem of combining diverse ASATs to improve the overall detection of vulnerabilities in web applications, considering four development scenarios with different criticality goals and constraints.

Proceedings of the International Conference on Dependable Systems and Networks, 2008

Web applications are typically developed with hard time constraints and are often deployed with critical software bugs, making them vulnerable to attacks. The classification and knowledge of the typical software bugs that lead to security vulnerabilities is of utmost importance. This paper presents a field study analyzing 655 security patches ofsix widely used web applications. Results are compared against other field studies on general software faults (i.e., faults not specifically related to security), showing that only a small subset of software fault types is related to security. Furthermore, the detailed analysis of the code of the patches has shown that web application vulnerabilities result from software bugs affecting a restricted collection of statements.