International Journal of Engineering
Trends and Technology

Research Article | Open Access

Volume 59 | Number 1 | Year 2018 | Article Id. IJETT-V59P206 | DOI : https://doi.org/10.14445/22315381/IJETT-V59P206

Hybrid approach for Detection and Analysis of SQL and XSS vulnerabilities


Monali Shetty, Chirantar Nalawade

Citation:

Monali Shetty, Chirantar Nalawade, "Hybrid approach for Detection and Analysis of SQL and XSS vulnerabilities," International Journal of Engineering Trends and Technology (IJETT), vol. 59, no. 1, pp. 37-41, 2018. Crossref, https://doi.org/10.14445/22315381/IJETT-V59P206

Abstract

Web applications have become one of the most popular targets of cyber-attacks during the last few years. According to the Open Web Application Security Project (OWASP) report, SQL injection and XSS are the top two vulnerabilities found in the majority of web applications. As a result, identifying and analysing the vulnerabilities present in web applications is important for preventing potential attacks. Current industrial approaches involve white-box testing, which examines the source code of an application, and black-box testing, which launches external attacks against the running application. However, white-box testing produces a large number of false positives, which decreases overall efficiency, whereas the vulnerability detection rate of black-box testing is low. In this paper, we present a new technique for finding vulnerabilities that improves the detection rate and increases efficiency by decreasing the number of both false positives and false negatives. We focus on an innovative tool that implements a hybrid approach combining white-box and black-box testing techniques. Finally, we give an evaluation table comparing our scanner with two other web scanners.

Keywords

Web application security, SQL injection, XSS injection, vulnerability detection, hybrid approach, white-box testing, black-box testing.

