Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns

Information and Software Technology

Volumn 55, Issue 10, 2013, Pages 1767-1780

  Shar, Lwin Khin ^a   Tan, Hee Beng Kuan ^a  

^a NANYANG TECHNOLOGICAL UNIVERSITY   (Singapore)

Author keywords

Data mining; Empirical study; Input sanitization; Static code attributes; Vulnerability prediction; Web application vulnerability

Indexed keywords

CROSS-SITE SCRIPTING; DYNAMIC TAINT ANALYSIS; EMPIRICAL STUDIES; HISTORICAL INFORMATION; SANITIZATION; STATIC CODES; VULNERABILITY DETECTION; WEB APPLICATION VULNERABILITY;

APPLICATIONS; DATA MINING; ERRORS; JAVA PROGRAMMING LANGUAGE; LEARNING SYSTEMS; WORLD WIDE WEB;

FORECASTING;

EID: 84880843062     PISSN: 09505849     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.infsof.2013.04.002     Document Type: Article

References (45)

1. E. Alpaydin Introduction to Machine Learning 2004 MIT Press Massachusetts
2. Anley, C., 2002. Advanced SQL Injection in SQL Server Applications. Next Generation Security Software Ltd., White Paper.
3. E. Arisholm, L.C. Briand, and E.B. Johannessen A systematic and comprehensive investigation of methods to build and evaluate fault prediction models Journal of Systems and Software 83 1 2010 2 17
4. BugTraq. < http://www.securityfocus.com/archive/1 > (accessed March 2011).
5. J. Demšar Statistical comparisons of classifiers over multiple data sets Journal of Machine Learning Research 7 2006 1 30 (Pubitemid 43022939)
6. M.W. Fagerland, and L. Sandvik Performance of five two-sample location tests for skewed distributions with unequal variances Contemporary Clinical Trials 30 5 2009 490 496
7. J. Ferrante, K.J. Ottenstein, and J.D. Warren The program dependence graph and its use in optimization ACM Transactions on Programming Languages and Systems 9 3 1987 319 349 (Pubitemid 17641083)
8. D. Fisher, L. Xu, N. Zard, Ordering effects in clustering, in: Proceedings of the 9th International Workshop on Machine Learning, Aberdeen, Scotland, 1992, pp. 163-168.
9. S. Fogie, J. Grossman, R. Hansen, A. Rager, XSS Exploits: Cross Site Scripting Attacks and Defense, Syngress, 2007, pp. 395-406.
10. K. Gao, T.M. Khoshgoftaar, H. Wang, and N. Seliya Choosing software metrics for defect prediction: an investigation on feature selection techniques Software Practice and Experience 41 5 2011 579 606
11. M. Gegick, L. Williams, J. Osborne, M. Vouk, Prioritizing software security fortification through code-level metrics, in: Proceedings of the 4th ACM Workshop on Quality of Protection, Alexandria, Virginia, 2008, pp. 31-38.
12. M. Halstead Elements of Software Science 1977 Elsevier New York
13. N. Jovanovic, C. Kruegel, E. Kirda, Pixy: a static analysis tool for detecting web application vulnerabilities, in: Proceedings of the IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, 2006, pp. 258-263. (Pubitemid 44753727)
14. A. Kiezun, V. Ganesh, P.J. Guo, P. Hooimeijer, M.D. Ernst, HAMPI: a solver for string constraints, in: Proceedings of the 18th International Symposium on Testing and Analysis, Chicago, IL, 2009, pp. 105-116.
15. A. Kiezun, P.J. Guo, K. Jayaraman, M.D. Ernst, Automatic creation of SQL injection and cross-site scripting attacks, in: Proceedings of the 31st International Conference on Software Engineering, Vancouver, BC, 2009, pp. 199-209.
16. S. Lessmann, B. Baesens, C. Mues, and S. Pietsch Benchmarking classification models for software defect prediction: a proposed framework and novel findings IEEE Transactions on Software Engineering 34 4 2008 485 496
17. V.B. Livshits, M.S. Lam, Finding security errors in Java programs with static analysis, in: Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, 2005, pp. 271-286.
18. M. Martin, M.S. Lam, Automatic generation of XSS and SQL injection attacks with goal-directed model checking, in: Proceedings of the 17th USENIX Security Symposium, San Jose, CA, 2008, pp. 31-43.
19. T. McCabe A complexity measure IEEE Transactions on Software Engineering 2 4 1976 308 320
20. T. Mende, Replication of defect prediction studies: problems, pitfalls and recommendations, in: Proceedings of the 5th International Conference on Predictor Models in Software Engineering, Timisoara, Romania, 2010, pp. 1-10.
21. T. Menzies, J. Greenwald, and A. Frank Data mining static code attributes to learn defect predictors IEEE Transactions on Software Engineering 33 1 2007 2 13 (Pubitemid 46002165)
22. T. Menzies, Z. Milton, B. Turhan, B. Cukic, Y. Jiang, and A. Bener Defect prediction from static code features: current results, limitations, new approaches Automated Software Engineering 17 4 2010 375 407
23. T. Menzies, B. Turhan, A. Bener, G. Gay, B. Cukic, Y. Jiang, Implications of ceiling effects in defect predictors, in: Promise Workshop (Part of the 30th International Conference on Software Engineering), Leipzig, Germany, 2008, pp. 47-54.
24. S. Neuhaus, T. Zimmermann, A. Zeller, Predicting vulnerable software components, in: Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, Virginia, 2007, pp. 529-540.
25. OWASP. Top Ten Project 2010. < http://www.owasp.org > (accessed January 2012).
26. PhpMinerI. < http://sharlwinkhin.com/phpminer.html >.
27. PROMISE. Software Engineering Repository. < http://promise.site. uottawa.ca/SERepository/ > (accessed November 2011).
28. N.F. Schneidewind Methodology for validating software metrics IEEE Transactions on Software Engineering 18 5 1992 410 422
29. K. Sen, and G. Agha CUTE and jCUTE: concolic unit testing and explicit path model-checking tools Lecture Notes in Computer Science 4144 2006 419 423 (Pubitemid 44560895)
30. L.K. Shar, and H.B.K. Tan Automated removal of cross site scripting vulnerabilities in web applications Information and Software Technology 54 5 2012 467 478
31. L.K. Shar, H.B.K. Tan, Mining input sanitization patterns for predicting SQLI and XSS vulnerabilities, in: Proceedings of the 34th International Conference on Software Engineering, Zurich, Switzerland, 2012, pp. 1293-1296.
32. L.K. Shar, H.B.K. Tan, L.C. Briand, Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis, in: Proceedings of the 35th International Conference on Software Engineering, San Francisco, USA, in press.
33. Y. Shin, A. Meneely, L. Williams, and J.A. Osborne Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities IEEE Transactions on Software Engineering 37 6 2011 772 787
34. D.I.K. Sjøberg, J.E. Hannay, O. Hansen, V.B. Kampenes, A. Karahasanović, N.-K. Liborg, and A.C. Rekdal A survey of controlled experiments in software engineering IEEE Transactions on Software Engineering 31 9 2005 733 753 (Pubitemid 41555415)
35. Q. Song, Z. Jia, M. Shepperd, S. Ying, and J. Liu A general software defect-proneness prediction framework IEEE Transactions on Software Engineering 37 3 2011 356 370
36. Soot. A Java Optimization Framework. < http://www.sable.mcgill.ca/ soot/ > (accessed October 2012).
37. Sourceforge. < http://www.sourceforge.net > (accessed March 2011).
38. S. Thomas, L. Williams, and T. Xie On automated prepared statement generation to remove SQL injection vulnerabilities Information and Software Technology 51 3 2009 589 598
39. A. Tosun, A. Bener, Ai-based software defect predictors: applications and benefits in a case study, in: Proceedings of the 22nd Innovative Applications of Artificial Intelligence Conference, Atlanta, Georgia, 2010.
40. A. Tosun, B. Turhan, A. Bener, Validation of network measures as indicators of defective modules in software systems, in: Proceedings of the 5th International Conference on Predictor Models in Software Engineering, Vancouver, BC, 2009, pp. 1-9.
41. J. Walden, M. Doyle, G.A. Welch, M. Whelan, Security of open source web applications, in: Proceedings of the 3rd International Symposium on Empirical Software Engineering and Measurement, Lake Buena Vista, Florida, 2009, pp. 545-553.
42. G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, Z. Su, Dynamic test input generation for web applications, in: Proceedings of the International Symposium on Software Testing and Analysis, Seattle, WA, 2008, pp. 249-260.
43. I.H. Witten, and E. Frank Data Mining second ed. 2005 Morgan Kaufmann
44. Y. Xie, A. Aiken, Static detection of security vulnerabilities in scripting languages, in: Proceedings of the 15th USENIX Security Symposium, Vancouver, BC, 2006, pp. 179-192.
45. T. Zimmermann, N. Nagappan, Predicting defect using network analysis on dependency graphs, in: Proceedings of the 30th International Conference on Software Engineering, Leipzig, Germany, 2008, pp. 531-540.