REALIZING WEB APPLICATION VULNERABILITY ANALYSIS VIA AVDL

Ha-Thanh Le, Peter Kok Keong Loh

Abstract

Several vulnerability analysis techniques in web-based applications detect and report on different types of vulnerabilities. However, no single technique provides a generic technology-independent handling of web-based vulnerabilities. In this paper we present our experience with and experimental exemplification of using the Application Vulnerability Description Language (AVDL) to realize a unified data model for technology-independent vulnerability analysis of web applications. We also introduce an overview of a new web vulnerability analysis framework. This work is part of a project that is funded by the Centre for Strategic Infocomm Technologies, Ministry of Defence Singapore.

References

  1. Hawaii International Conference on System Sciences, 2007. HICSS 2007. Waikoloa, HI: 163a - 163a.
  2. Berghe, C. V., J. Riordan, et al. (2005). A Vulnerability Taxonomy Methodology applied to Web Services.
  3. Bishop, M. (1999). Vulnerabilities Analysis. Web proceedings of the 2nd International Workshop on Recent Advances in Intrusion Detection (RAID'99), West Lafayette, Indiana, USA.
  4. Cova, M., V. Felmetsger, et al. (2007). Vulnerability Analysis of Web-based Applications. Test and Analysis of Web Services, Springer Berlin Heidelberg: 363-394.
  5. CVE. (2007). "CVE - Common Vulnerabilities and Exposures (CVE)." from http://cve.mitre.org/.
  6. Dowd, M., J. McDonald, et al. (2006). Chapter 1,2,3,4,8,13,17,18. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Addison Wesley Professional.
  7. Fong, E. and V. Okun (2007). Web Application Scanners: Definitions and Functions. Proceedings of the 40th Annual Hawaii International Conference on System Sciences, 2007. HICSS'07, Waikoloa, HI, IEEE.
  8. Ghosh, A. K., T. O'Connor, et al. (1998). An Automated Approach for Identifying Potential Vulnerabilities in Software. Proceeding of the 1998 IEEE Symposium on Security and Privacy: 0104.
  9. Grossman, J. (2007). WhiteHat Website Security Statistics Report, WhiteHat Security.
  10. Halfond, W. G. J., A. Orso, et al. (2006). Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering SIGSOFT 7806/FSE-14 Portland, Oregon, USA, ACM Press: 175-185.
  11. Halfond, W. G. J., J. Viegas, et al. (2006). A Classification of SQL Injection Attacks and Countermeasures. Proceedings of the IEEE International Symposium on Secure Software Engineering (ISSSE 2006) Arlington, VA, USA.
  12. Huang, Y.-W., S.-K. Huang, et al. (2003). Web application security assessment by fault injection and behavior monitoring. Proceedings of the 12th international conference on World Wide Web. Budapest, Hungary, ACM Press: 148-159.
  13. Huang, Y.-W., F. Yu, et al. (2004). Securing web application code by static analysis and runtime protection. Proceedings of the 13th international conference on World Wide Web. New York, NY, USA, ACM Press: 40-52.
  14. Hurst, D. (2007, 09 Feb 2007). "Asking the Right Question: Penetration Testing vs. Vulnerability Analysis Tools, Which Is Best?" from http:// www.infosecwriters.com/texts.php?op=display&id=537.
  15. IBM (2007). Cyber Attacks On The Rise: IBM 2007 Midyear Report, IBM Corporation. IBM Internet Security Systems™ X-Force® Research and Development.
  16. Insecure.org. (2007). "Top 10 Web Vulnerability Scanners." Retrieved September, 2007, from http:// sectools.org/web-scanners.html.
  17. Jovanovic, N., C. Kruegel, et al. (2006). Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short paper). Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06): 258-263.
  18. Kals, S., E. Kirda, et al. (2006). SecuBat: A Web Vulnerability Scanner. Proceedings of the 15th international conference on World Wide Web (WWW 2006). Edinburgh, Scotland: 247 - 256.
  19. Le, H. T. and P. K. K. Loh (2007). Unified Approach to Vulnerability Analysis of Web Applications. The International e-Conference on Computer Science 2007 (IeCCS 2007). T. E. Simos.
  20. Livshits, B. and M. S. Lam (2005). Finding Security Vulnerabilities in Java Applications with Static Analysis. USENIX Security Symposium: 16.
  21. Minamide, Y. (2005). Static approximation of dynamically generated Web pages. Proceedings of the 14th International World Wide Web Conference. Chiba, Japan ACM Press: 432 - 441.
  22. Nguyen-Tuong, A., S. Guarnieri, et al. (2005). Automatically Hardening Web Applications Using Precise Tainting. Proceedings of the 20th IFIP International Information Security Conference. Makuhari-Messe, Chiba, Japan.
  23. NT Objectives, I. (2007). "NTOSpider." Retrieved October, 2007, from http://www.ntobjectives.com/ products/ntospider.php.
  24. OASIS. (2003). "AVDL XML Schema." Retrieved December, 2007, from http://www.oasisopen.org/committees/download.php/5065/avdl.xsd.
  25. OASIS (2004). Application Vulnerabilty Decription Language v1.0.
  26. OASIS (2004). Technical Overview of the Application Vulnerability Description Language (AVDL) V1.0. Version 1.0, 22 March 2004, OASIS Open.
  27. OASIS. (2007). "Application Security Standards." Retrieved November, 2007, from http:// xml.coverpages.org/appSecurity.html.
  28. OASIS. (2007). "OASIS homepage." Retrieved 18 November 2007, from http://www.oasisopen.org/home/index.php.
  29. Raina, K. (2004). "Trends in Web Application Security." Retrieved September, from http:// www.securityfocus.com/print/infocus/1809.
  30. SecurityFocus. (2007). "Bugtraq Mailing list." Retrieved 31/10/2007, from http://www.securityfocus.com/archive/1.
  31. SecurityFocus. (2007). "Vulnerabilities list." Retrieved 31/10/2007, from http://www.securityfocus.com/ vulnerabilities.
  32. Siddharth, S. and P. Doshi. (2006, 1/11/2007). "Five common Web application vulnerabilities." Retrieved 1/11/2007, from http://www.securityfocus.com/infocus/ 1864.
  33. SPIDynamics. (2007). "WebInspect." Retrieved September, from http://www.spidynamics.com/ products/webinspect/.
  34. Stamp, M. (2006). Information Security: Principles and Practice, John Wiley & Sons.
  35. Steffan, J. and M. Schumacher (2002). Collaborative attack modeling. Proceedings of the 2002 ACM symposium on Applied computing SAC 2002. Madrid, Spain ACM: 253-259.
  36. Suto, L. (2007, October, 2007). "Analyzing the Effectiveness and Coverage of Web Application Security Scanners." from http://ha.ckers.org/ blog/20071014/web-application-scanning-depth-statistics/.
  37. Watchfire. (2007). "AppScan." Retrieved September 2007, from http://www.watchfire.com/.
  38. Woo, S.-W., O. H. Alhazmi, et al. (2006). An Analysis Of The Vulnerability Disovery Process In Web Browsers. 10th IASTED International Conference SOFTWARE ENGINEERING AND APPLICATIONS, Dallas, TX, USA.
  39. Xie, Y. and A. Aiken (2006). Static Detection of Security Vulnerabilities in Scripting Languages. Proceedings of the 15th USENIX Security Symposium (USENIX'06). Vancouver, B.C., Canada: 179-192.
Download


Paper Citation


in Harvard Style

Le H. and Kok Keong Loh P. (2008). REALIZING WEB APPLICATION VULNERABILITY ANALYSIS VIA AVDL . In Proceedings of the Tenth International Conference on Enterprise Information Systems - Volume 6: ICEIS, ISBN 978-989-8111-38-8, pages 259-265. DOI: 10.5220/0001696802590265


in Bibtex Style

@conference{iceis08,
author={Ha-Thanh Le and Peter Kok Keong Loh},
title={REALIZING WEB APPLICATION VULNERABILITY ANALYSIS VIA AVDL},
booktitle={Proceedings of the Tenth International Conference on Enterprise Information Systems - Volume 6: ICEIS,},
year={2008},
pages={259-265},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001696802590265},
isbn={978-989-8111-38-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Tenth International Conference on Enterprise Information Systems - Volume 6: ICEIS,
TI - REALIZING WEB APPLICATION VULNERABILITY ANALYSIS VIA AVDL
SN - 978-989-8111-38-8
AU - Le H.
AU - Kok Keong Loh P.
PY - 2008
SP - 259
EP - 265
DO - 10.5220/0001696802590265