ABSTRACT
In recent years, the global spread of web risks has created an immediate demand for security models and prevention mechanisms. This study's preliminary findings analyze an extensive literature review on security testing of web application vulnerabilities. Out of an initial set of 237 studies, 30 were finally included as Primary Research Studies (PRS) by answering two research questions. The results reveal that SQL injection, followed by XSS and Sensitive Data Exposure, are the most recurring risks of web applications. Similarly, Unvalidated Redirects and Forwards and Underprotected APIs have received little attention from the research community. The scope of this study also extends to web application vulnerability testing and the identification of relevant data sets. This paper also recommends future directions to enhance the security approaches that protect against these risks.
Analysis of Automated Web Application Security Vulnerabilities Testing