ABSTRACT
Web applications are notoriously vulnerable to code injection attacks. Practitioners therefore need to assess the risk that such attacks pose to an application in order to plan the necessary mitigation approaches ahead of time. This paper proposes a risk assessment approach for code injection vulnerabilities in web applications. We are motivated by the observation that traditional risk assessment approaches work well when the quantitative values of specific parameters of the risk computation model are known in advance; in practice, these values are difficult to predict correctly. Moreover, a single code injection vulnerability can be exploited in different ways that result in different severity levels. Further, existing approaches cannot combine diverse types of injection vulnerabilities and their implications. To address these limitations, we propose a Fuzzy Logic-based System (FLS) to assess the risk due to different types of code injection vulnerabilities. A further contribution is a set of proposed code-level metrics that can be used to establish the linguistic terms expressing vulnerability levels and their impact subjectively. We apply a nested FLS to combine the risk from multiple vulnerabilities into a single value representing the overall risk. We evaluate our approach on three real-world web applications implemented in PHP, applying it to SQL Injection (SQLI) and Cross-Site Scripting (XSS), the two most widely reported vulnerabilities in today's web applications. The initial results indicate that the proposed approach can effectively assess the high risks present in vulnerable applications.
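As an added illustration (not the paper's own system, metrics or rule base), the following Python sketch shows how a Mamdani-style FLS maps two linguistic inputs (vulnerability level and impact) to a risk score, and how a nested FLS then combines the SQLI and XSS scores into one overall value; the membership functions, rule bases and sample inputs are constructed assumptions.

```python
# Added illustration (not the paper's own system): a small Mamdani-style FLS
# computes per-vulnerability risk, and a nested FLS combines SQLI and XSS risk.
# Membership functions, rule bases and sample inputs are constructed assumptions.

def tri(x, a, b, c):
    """Triangular membership degree of x for the triangle (a, b, c)."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

# Every variable is normalised to [0, 1] and described by three linguistic terms.
TERMS = {"low": (-0.5, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.5)}

def fuzzify(x):
    return {term: tri(x, *abc) for term, abc in TERMS.items()}

def mamdani(x1, x2, rules, n=101):
    """Evaluate rules ((term1, term2), out_term): min for AND, each output term
    clipped at its firing strength, max aggregation, centroid defuzzification."""
    f1, f2 = fuzzify(x1), fuzzify(x2)
    num = den = 0.0
    for i in range(n):
        y = i / (n - 1)
        mu = max(min(f1[a], f2[b], tri(y, *TERMS[out])) for (a, b), out in rules)
        num += y * mu
        den += mu
    return num / den if den else 0.0

# Assumed rule base for one vulnerability type: risk = f(level, impact).
RISK_RULES = [(("low", "low"), "low"), (("low", "medium"), "low"),
              (("low", "high"), "medium"), (("medium", "low"), "low"),
              (("medium", "medium"), "medium"), (("medium", "high"), "high"),
              (("high", "low"), "medium"), (("high", "medium"), "high"),
              (("high", "high"), "high")]

# Assumed rule base for the nested FLS: overall risk follows the worse input.
COMBINE_RULES = [((a, b), "high" if "high" in (a, b)
                  else "medium" if "medium" in (a, b) else "low")
                 for a in TERMS for b in TERMS]

def overall_risk(sqli_level, sqli_impact, xss_level, xss_impact):
    """Return (SQLI risk, XSS risk, combined risk), all in [0, 1]."""
    r_sqli = mamdani(sqli_level, sqli_impact, RISK_RULES)
    r_xss = mamdani(xss_level, xss_impact, RISK_RULES)
    return r_sqli, r_xss, mamdani(r_sqli, r_xss, COMBINE_RULES)

if __name__ == "__main__":
    # Constructed input: many unsanitised SQL sinks with high impact, few XSS sinks.
    print(overall_risk(0.9, 0.8, 0.2, 0.3))
```

The crisp inputs stand in for the code-level metrics the paper proposes (e.g. the share of unsanitised sinks); in a real deployment those metrics would be the source of each input value.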