Predicting common web application vulnerabilities from input validation and sanitization code patterns

2012 27th IEEE/ACM International Conference on Automated Software Engineering, ASE 2012 - Proceedings

Volumn , Issue , 2012, Pages 310-313

  Shar, Lwin Khin ^a   Tan, Hee Beng Kuan ^a  

^a NANYANG TECHNOLOGICAL UNIVERSITY   (Singapore)

Author keywords

Defect prediction; Empirical study; Input validation and sanitization; Static code attributes; Web application vulnerabilities

Indexed keywords

DEFECT PREDICTION; EMPIRICAL STUDIES; SANITIZATION; STATIC CODES; WEB APPLICATION VULNERABILITY;

DEFECTS; FORECASTING; NETWORK SECURITY; SOFTWARE ENGINEERING;

WORLD WIDE WEB;

EID: 84866920422     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2351676.2351733     Document Type: Conference Paper

References (14)

1. Arisholma, E., Briand, L. C., and Johannessen, E. B. 2010. A systematic and comprehensive investigation of methods to build and evaluate fault prediction models. Journal of Systems and Software, 83, 1, 2-17.
2. Demšar, J. 2006. Statistical comparisons of classifiers over multiple data sets. Journal of Machine Learning Research, 7, 1-30.
3. Jovanovic, N., Kruegel, C., and Kirda, E. 2006. Pixy: a static analysis tool for detecting web application vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy. 258-263.
4. Kieżun, A., Guo, P. J., Jayaraman, K., and Ernst, M. D. 2009. Automatic creation of SQL injection and cross-site scripting attacks. In Proceedings of the 31st International Conference on Software Engineering. 199-209.
5. Lessmann, S., Baesens, B., Mues, C., and Pietsch, S. 2008. Benchmarking classification models for software defect prediction: a proposed framework and novel findings. IEEE Transactions on Software Engineering, 34, 4, 485-496.
6. Martin, M. and Lam, M. S. 2008. Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In Proceedings of the 17th USENIX Security Symposium. 31-43.
7. McCabe, T. 1976. A complexity measure. IEEE Transactions on Software Engineering, 2, 4, 308-320.
8. Menzies, T., Greenwald, J., and Frank, A. 2007. Data mining static code attributes to learn defect predictors. IEEE Transactions on Software Engineering, 33, 1, 2-13.
9. OWASP. Top Ten project 2010. http://www.owasp.org, accessed January 2012.
10. Shar, L. K. and Tan, H. B. K. 2012. Mining input sanitization patterns for predicting SQLI and XSS vulnerabilities. In Proceedings of the 34th International Conference on Software Engineering. 1293-1296.
11. Tosun, A. and Bener, A. 2010. Ai-based software defect predictors: applications and benefits in a case study. InProceedings of the 22nd Innovative Applications of Artificial Intelligence Conference.
12. Weiser, M. 1981. Program slicing. In Proceedings of the 5th International Conference on Software Engineering. 439-449.
13. Witten, I. H. and Frank, E. 2005. Data Mining. 2nd ed. Morgan Kaufmann.
14. Xie, Y. and Aiken, A. 2006. Static detection of security vulnerabilities in scripting languages. In Proceedings of the 15th USENIX Security Symposium. 179-192.