Routine Detection of Web Application Defence Flaws
Logash Prabu M, Kalvina L R
Abstract: Detecting security vulnerabilities in ASP.NET websites and web applications is a complex task: most of the code was written by somebody else and there is no documentation from which to determine the purpose of the source code. Defects in the source code give rise to the major web application vulnerabilities. This work examines the typical software faults behind web application vulnerabilities, taking different programming languages into account, and analyses their ability to prevent security vulnerabilities. ASP.NET, which is part of the .NET framework, separates the HTML code from the program code in two files: an aspx file and a code-behind file in a compiled language (Visual Basic VB, C sharp C#, Java Script). Visual Basic and C# are the languages most commonly used with ASP.NET, and these two compiled languages, together with aspx files, are what our proposed algorithm is built around. A hacker can inject malicious input or script that can destroy the database or steal website files. Fault detection is performed with a scanning tool: the scanning process inspects three types of files (aspx, VB and C#) and identifies the software faults. The fault recovery process then uses the prepared replacement statement technique to detect the vulnerabilities and recover from them with high efficiency; it provides suggestions and generates a report, which helps to improve the overall security of the system.
Index Terms: SQL Injection; XSS (Cross Site Scripting); Prepared Replacement Statement algorithm; Symbolic execution algorithm.
1 INTRODUCTION
Organizations are increasingly becoming dependent on the Internet for sharing and accessing information. The Internet has shifted the focus of application development from stand-alone applications to distributed web applications. Web applications are programs that execute either on a web server or in a web browser. They make it possible to share and access information over the Internet and over intranets. Web applications can support online commercial transactions, popularly known as e-commerce. Security vulnerabilities in web applications may result in theft of confidential data, loss of data integrity, or loss of web application availability. The task of securing web applications is therefore one of the most important ones: according to an Acunetix survey, 60% of the vulnerabilities found affect web applications. The most common way of securing web applications is to search for and eliminate vulnerabilities. The most effective way of finding security vulnerabilities in web applications is manual code review. The security community actively develops automated approaches to finding security vulnerabilities. These approaches fall into two broad categories: black-box and white-box testing.
The first approach analyses the web application from the user side, assuming that the source code of the application is not available. Various malicious patterns (implementing, for example, SQL injection or cross-site scripting attacks) are submitted into web application forms and the output is analysed. If any application errors are observed, a possible vulnerability is assumed. This approach guarantees neither the accuracy nor the completeness of the obtained results. The second approach analyses the web application from the server side, with the assumption that the source code of the application is available.
The Open Web Application Security Project (OWASP) ranks Structured Query Language (SQL) injection and client-side scripting among the most critical web application security risks. SQL injection attacks take advantage of unrestricted input fields in the web application interface to alter the SQL query that is sent to the back-end database. In an XSS vulnerability, the attacker tries to inject unintended client-side script code into web content, typically in markup language and JavaScript.
SQLi and XSS enable attackers to access information they are not permitted to see (read, insert, modify or delete it), escalate to privileged accounts, masquerade as other users (such as the administrator), impersonate web applications, deface web content, view and manage remote files on the server, inject and execute server-side programs, and build botnets controlled by the attacker.
Attacks that inject SQL code can be found by examining variables that supposedly should not be strings (e.g., numbers, dates), since the type of a variable determines the values it may be assigned. In strongly typed languages this kind of injection can be impossible, because the type of each variable is decided before runtime and an attempt to store a string in a variable of another type raises an error. This does not prevent vulnerabilities in strongly typed languages altogether, but confines them to string variables. Among strongly typed programming languages, which have fewer security issues, Java is intrinsically a protected programming language and is strongly typed, yet vulnerabilities are still found in Java programs owing to implementation faults. Input injection attacks may serve a number of ends. Malicious users choose them as a way to obtain restricted data from a back-end database or to insert malicious code onto a web server that will in turn serve up malware to unsuspecting clients. These clients may find their credentials or private information exfiltrated as a result.
IJTET2015
2 RELATED WORK
In general, there is extensive literature describing vulnerabilities in web applications. This section reviews some related work in order to explore the strengths and weaknesses of existing methods.
Lwin Khin Shar, Lionel C. Briand and Hee Beng Kuan Tan [1] focus mainly on SQLI, XSS, RCE and FI vulnerabilities. They use a set of hybrid (static and dynamic) code attributes that characterise input validation and sanitisation code patterns and are expected to be significant indicators of web application vulnerabilities. Based on this hypothesis, they build vulnerability predictors that are fine grained, accurate and scalable.
Nuno Antunes and Marco Vieira [2] argue that web applications need a defence-in-depth approach to avoid and mitigate security vulnerabilities. This approach assumes that every security precaution can fail, so security depends on having several layers of mechanisms that cover each other's failures. A less expensive option is code review, a simplified version of inspections that is useful for analysing less critical code.
Sreenivasa Rao B and Kumar N [3] focus mainly on analysing the design of web application security evaluation mechanisms in order to identify poor coding practices. A vulnerability evaluation (VE) is the process of recognising, quantifying and prioritising the vulnerabilities (security holes) in a system; the extraction step and a number of heuristics are used to build regression models.
Bojan Jovicic and Dejan Simic [4] focus on attacks against web applications, launched either to gain direct benefit by gathering non-public data or to disable the target sites. ASP.NET provides two mechanisms for exception handling.
3 PROPOSED ALGORITHM
Here we present a detector of security vulnerabilities that scans all files of a website or web application. The scanning process identifies whether each input is valid or invalid. After scanning, it generates a report listing all the leaks and the weak and strong vulnerabilities, displaying the name of the affected file, its location, and a description of the fault. We propose a fault detection process and a new fault recovery process: the vulnerabilities are detected and the report is generated in the fault detection process, and in the recovery process the prepared statement replacement (PSR) algorithm and the symbolic execution algorithm are used to recover the web application with high efficiency.
Methodology
Analysis of web application.
Classification of software faults.
Fault detection.
Fault recovery.
A. Analysis Of Web Application
The analysis examines the source code of the current and earlier versions of the target web applications, together with the security patches published for open source web applications.
B. Classification Of Software Faults
Once the web applications are selected, all reported SQL injection and XSS patches for them are classified. The code defects are derived from this defect classification.
C. Fault Detection
Faults in the web application are identified and detected by the scanning tool. The scanning tool identifies the type of each fault, its location, and a description of the type of fault found.
D. Fault Recovery
After the detection process, the recovery process takes place: the web application is recovered by prepared statement replacement and the symbolic execution technique.
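The detection and recovery steps A to D above, as an added example that is not the paper's tool: a small Python scanner over a constructed ASP.NET C# code-behind excerpt. It tracks variables assigned from Request.* reads, flags SQL text built by string concatenation with them (SQL injection) and Response.Write calls that echo them without HtmlEncode (cross site scripting), and for each finding emits the prepared statement replacement (a SqlCommand with @parameters filled through Parameters.AddWithValue) or a Server.HtmlEncode wrapper as the suggested code, together with the file, line, fault type and description that make up the report. The "strong"/"weak" labels (raw request value reaching the sink versus reaching it through an intermediate variable), the regular expressions and the sample file are our assumptions, not definitions from the paper, and the scanner covers only this C# subset, not VB or aspx files.

```python
import re
from dataclasses import dataclass, field

# Patterns for the small C# code-behind subset this demo understands (our assumption, not the
# paper's rules): Request.* reads are taint sources; SQL text and Response.Write are sinks.
SQL_LITERAL = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE|EXEC)\b', re.IGNORECASE)
TAINT_SOURCE = re.compile(r'Request\.(?:QueryString|Form|Cookies|Params)\["(\w+)"\]')
ASSIGN = re.compile(r'\b(?:string|var)\s+(\w+)\s*=\s*(.+);')
SQLCOMMAND = re.compile(r'new\s+SqlCommand\((.*),\s*\w+\)')
WRITE_SINK = re.compile(r'Response\.Write\((.*)\)\s*;')
ENCODER = re.compile(r'Html(?:Attribute)?Encode\(')
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|Request\.\w+\[[^\]]*\]|[\w.]+')

@dataclass
class Finding:
    file: str
    line: int
    kind: str        # "SQL Injection" or "Cross Site Scripting"
    severity: str    # "strong": raw request value reaches the sink; "weak": via a variable
    description: str
    suggestion: list = field(default_factory=list)

    def __str__(self):   # one report entry: location, fault, then the suggested replacement
        head = "%s:%d %s (%s): %s" % (self.file, self.line, self.kind, self.severity, self.description)
        return head + "".join("\n    suggested: " + s for s in self.suggestion)

def is_tainted(expr, tainted):
    # True if expr reads a request value or a variable derived from one.
    return bool(TAINT_SOURCE.search(expr)) or any(
        re.search(r'\b%s\b' % re.escape(v), expr) for v in tainted)

def parameterize(expr, tainted):
    """Prepared statement replacement: turn "... '" + x + "'" into SQL with an @x placeholder.
    Returns (sql_text, [(param_name, source_expr), ...]) or None if the concatenation
    contains calls or other operands the rewrite does not understand."""
    sql, params, drop_quote = "", [], False
    for tok in TOKEN.findall(expr):
        if tok.startswith('"'):
            text = tok[1:-1]
            if drop_quote and text.startswith("'"):
                text = text[1:]                 # closing quote that wrapped the old value
            sql, drop_quote = sql + text, False
        elif tok in tainted or TAINT_SOURCE.search(tok):
            m = TAINT_SOURCE.search(tok)
            name = m.group(1) if m else tok     # parameter named after the field or variable
            if sql.endswith("'"):               # opening quote that wrapped the old value
                sql, drop_quote = sql[:-1], True
            sql += "@" + name
            params.append((name, tok))
        else:
            return None
    return sql, params

def scan_file(name, source):
    """Fault detection: walk the file line by line, tracking variables that hold request input."""
    findings, tainted = [], set()
    for lineno, line in enumerate(source.splitlines(), 1):
        assign = ASSIGN.search(line)
        if assign and is_tainted(assign.group(2), tainted):
            tainted.add(assign.group(1))        # taint propagates through simple assignments
        # Fault 1: SQL text built by string concatenation with untrusted input.
        sql_expr = None
        if SQL_LITERAL.search(line) and "+" in line:
            cmd = SQLCOMMAND.search(line)
            sql_expr = cmd.group(1) if cmd else (assign.group(2) if assign else None)
        if sql_expr and is_tainted(sql_expr, tainted):
            severity = "strong" if TAINT_SOURCE.search(sql_expr) else "weak"
            suggestion, rewritten = [], parameterize(sql_expr, tainted)
            if rewritten:
                sql, params = rewritten
                suggestion.append('var cmd = new SqlCommand("%s", conn);' % sql)
                suggestion += ['cmd.Parameters.AddWithValue("@%s", %s);' % p for p in params]
            findings.append(Finding(name, lineno, "SQL Injection", severity,
                                    "untrusted input concatenated into SQL text", suggestion))
        # Fault 2: untrusted input echoed into the page without HTML encoding.
        write = WRITE_SINK.search(line)
        if write and is_tainted(write.group(1), tainted) and not ENCODER.search(write.group(1)):
            severity = "strong" if TAINT_SOURCE.search(write.group(1)) else "weak"
            fixed = write.group(1)
            for v in sorted(tainted, key=len, reverse=True):
                fixed = re.sub(r'\b%s\b' % re.escape(v), 'Server.HtmlEncode(%s)' % v, fixed)
            fixed = TAINT_SOURCE.sub(lambda m: 'Server.HtmlEncode(%s)' % m.group(0), fixed)
            findings.append(Finding(name, lineno, "Cross Site Scripting", severity,
                                    "untrusted input echoed without encoding",
                                    ["Response.Write(%s);" % fixed]))
    return findings

# Constructed excerpt of an ASP.NET code-behind method (not taken from the paper).
SAMPLE_CS = """\
string user = Request.QueryString["user"];
string sql = "SELECT * FROM Users WHERE Name = '" + user + "'";
SqlCommand cmd = new SqlCommand(sql, conn);
SqlCommand cmd2 = new SqlCommand("DELETE FROM Cart WHERE Id = " + Request.Form["id"], conn);
Response.Write("Hello " + user);
Response.Write(Server.HtmlEncode(Request.Form["comment"]));
SqlCommand safe = new SqlCommand("SELECT 1 FROM Users WHERE Name = @name", conn);
"""

if __name__ == "__main__":
    for finding in scan_file("Login.aspx.cs", SAMPLE_CS):
        print(finding)
```

Run as a script it reports three faults in the sample (lines 2 and 4 for SQL injection, line 5 for XSS) and leaves the already encoded write and the already parameterized command alone. The rewrite deliberately gives up (returns None, so the report carries no suggestion) when the concatenation mixes in method calls or casts, since a blind replacement there could change the query's meaning; those lines are left for manual review, which is the safer failure mode for an automated recovery step.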
Figure: architecture of the scanning tool. Inputs pass through the scanning tool and are classified as valid or invalid; invalid inputs are mapped to attack types (cross site scripting, SQL injection, session hijacking, cookie poisoning, iframe injection), handled by prepared statement replacement and symbolic execution, and a report is generated.
5 DISCUSSIONS
The web application vulnerabilities are identified in the website: the malicious input and the weak code that accepts it are discovered, the vulnerability is detected, and the recovery process takes place using the prepared replacement statement algorithm and the symbolic execution algorithm. This yields a recovered web application with high efficiency, and the code is regenerated in a strong form together with recommendations.
6 RESULTS
This method is used to find vulnerabilities in web application and website files and to detect faults such as SQL injection and client-side scripting. Detection proceeds through the source code line by line and identifies the weak and strong vulnerabilities and the locations they affect. Leaks in files are also identified and recovered without any leakage by using the prepared statement replacement technique; the tool gives suggestions and a description of the faults and generates a specific recommended code structure with high efficiency.
7 CONCLUSION
The goal is to understand the correlation between the number of
vulnerabilities and exploits, and the level of the exploit damage.
REFERENCES
[1] Lwin Khin Shar, Lionel C. Briand and Hee Beng Kuan Tan, "Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning", IEEE Transactions on Dependable and Secure Computing, May 2013, vol. 10, no. 2, pp. 70-83.
[2] Nuno Antunes and Marco Vieira, "Defending Against Web Application Vulnerabilities", IEEE Transaction on Computer Society, February 2012, vol. 8, no. 7.
[3] Kumar N. and Sreenivasa Rao B., "Web Application Vulnerability Assessment and Preventing Techniques", International Journal of Enterprise Computing, April 2012, vol. 2, issue 1.
[4] Bojan Jovicic and Dejan Simic, "Common Web Application Attack Types and Security Using ASP.NET", IEEE Transaction on Computer Society, September 2012, vol. 3, no. 2.
[5] Kevin Spett H., "Web Application Vulnerabilities in Cross Site Scripting", IEEE Transactions on Dependable and Secure Computing, March 2011, vol. 2, no. 5.
[6] Christmansson J. and Chillarege R., "Generation of an Error Set that Emulates Software Faults", IEEE Fault Tolerant Computing Symposium, 2013.
[7] Carettoni L. and Zanchetta M., "Automatic Detection of Web Application Security Flaws", Proc. IEEE Transaction Secure Software Engineering, 2012.
[8] Atefeh Tajpour N. and Maslin Masrom K., "SQL Injection Detection and Prevention Tools Assessment", IEEE Transaction on Computer Security, May 2010.
[9] Bhandari I. S. and Chaar J. K., "Orthogonal Defect Classification: A Concept for In-Process Measurement", IEEE Transactions on Software Engineering, February 2009, vol. 18, no. 11.
[10] Fonseca J. and Madeira H., "Vulnerability & Attack Injection for Web Applications", International Conference on Dependable Systems and Networks, 2007.
[11] Giorgini P. and Zannone N., "Modeling Security Requirements through Ownership, Permission and Delegation", IEEE International Conference on Requirements Engineering, 2007, pp. 167-176.
[12] Alessandro Orso R. and William G. J., "A Classification of SQL Injection Attacks and Countermeasures", IEEE Standard on Secure Computing, March 2006.
[13] Kruegel C. and Kirda E., "Precise Alias Analysis for Static Detection of Web Application Vulnerabilities", IEEE Symposium on Security and Privacy, 2006, pp. 27-36.