Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis

Proceedings - International Conference on Software Engineering

Volumn , Issue , 2013, Pages 642-651

  Shar, Lwin Khin ^a   Beng Kuan Tan, Hee ^a   Briand, Lionel C ^b  

^a NANYANG TECHNOLOGICAL UNIVERSITY   (Singapore)

^b UNIVERSITY OF LUXEMBOURG   (Luxembourg)

Author keywords

Defect prediction; empirical study; input validation and sanitization; static and dynamic analysis; vulnerability

Indexed keywords

DEFECT PREDICTION; EMPIRICAL STUDIES; SANITIZATION; STATIC AND DYNAMIC ANALYSIS; VULNERABILITY;

FORECASTING; STATIC ANALYSIS;

SOFTWARE ENGINEERING;

EID: 84886430853     PISSN: 02705257     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICSE.2013.6606610     Document Type: Conference Paper

References (29)

1. OWASP. "The open web application security project," http://www.owasp.org, accessed January 2012.
2. L. K. Shar and H. B. K. Tan, "Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities," in International Conference on Software Engineering, 2012, pp. 1293-1296.
3. N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: a static analysis tool for detecting web application vulnerabilities," in IEEE Symposium on Security and Privacy, 2006, pp. 258-263.
4. Y. Xie and A. Aiken, "Static detection of security vulnerabilities in scripting languages," in USENIX Security Symposium, 2006, pp. 179-192.
5. SourceForge. http://www.sourceforge.net, accessed March 2012.
6. CVE. http://cve.mitre.org, accessed March 2012.
7. PhpMiner. http://sharlwinkhin.com/phpminer.html.
8. J. Ferrante, K. J. Ottenstein, and J. D. Warren, "The program dependence graph and its use in optimization," ACM Transactions on Programming Languages and Systems, vol. 9, pp. 319-349, 1987.
9. I. H. Witten and E. Frank, Data Mining, 2nd ed., Morgan Kaufmann, 2005.
10. RSnake. http://ha.ckers.org, accessed March 2012.
11. D. Balzarotti et al., "Saner: composing static and dynamic analysis to validate sanitization in web applications," in IEEE Symposium on Security and Privacy, 2008, pp. 387-401.
12. L. C. Briand, J. Wüst, J. W. Daly, and D. V. Porter, "Exploring the relationships between design measures and software quality in object-oriented systems," Journal of Systems and Software, vol. 51 (3), pp. 245-273, 2000.
13. E. Arisholm, L. C. Briand, and E. B. Johannessen, "A systematic and comprehensive investigation of methods to build and evaluate fault prediction models," Journal of Systems and Software, vol. 83 (1), pp. 2-17. 2010.
14. S. Lessmann, B. Baesens, C. Mues, and S. Pietsch, "Benchmarking classification models for software defect prediction: a proposed framework and novel findings," IEEE Transactions on Software Engineering, vol. 34 (4), pp. 485-496, 2008.
15. T. Menzies, Z. Milton, B. Turhan, B. Cukic, Y. Jiang, and A. Bener, "Defect prediction from static code features: current results, limitations, new approaches," Automated Software Engineering, vol. 17 (4), pp. 375-407, 2010.
16. L. K. Shar and H. B. K. Tan, "Predicting common web application vulnerabilities from input validation and sanitization code patterns," in IEEE/ACM International Conference on Automated Software Engineering, 2012, pp. 310-313.
17. L. Portnoy, E. Eskin, and S. Stolfo, "Intrusion detection with unlabeled data using clustering," in ACM CSS Workshop on Data Mining Applied to Security, 2001.
18. S. Thamaraiselvi, R. Srivathsan, J. Imayavendhan, R. Muthuregunathan, and S. Siddharth, "Combining naive-bayesian classifier and genetic clustering for effective anomaly based intrusion detection," Lecture Notes in Computer Science, vol. 5908, pp. 455-462, 2009.
19. S. Palmer, Web Application Vulnerabilities: Detect, Exploit, Prevent, Syngress, 2007.
20. J. DemŠar, "Statistical comparisons of classifiers over multiple data sets," Journal of Machine Learning Research, vol. 7, pp. 1-30, 2006.
21. A. Kie?un, P. J. Guo, K. Jayaraman, and M. D. Ernst, "Automatic creation of SQL injection and cross-site scripting attacks," in International Conference on Software Engineering, 2009, pp. 199-209.
22. M. Martin and M. S. Lam, "Automatic generation of XSS and SQL injection attacks with goal-directed model checking," in USENIX Security Symposium, 2008, pp. 31-43.
23. Y. Shin, A. Meneely, L. Williams, and J. A. Osborne, "Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities," IEEE Transactions on Software Engineering, vol. 37 (6), pp. 772-787, 2011.
24. J. Walden, M. Doyle, G. A. Welch, and M. Whelan, "Security of open source web applications," in International Symposium on Empirical Software Engineering and Measurement, 2009, pp. 545-553.
25. N. Nagappan, T. Ball, and B. Murphy, "Using historical inprocess and product metrics for early estimation of software failures," in International Symposium on Software Reliability Engineering, 2006, pp. 62-74.
26. S. Neuhaus, T. Zimmermann, C. Holler, and A. Zeller, "Predicting vulnerable software components," in ACM Conference on Computer and Communications Security, 2007, pp. 529-540.
27. X. Fu and C.-C. Li, "A string constraint solver for detecting web application vulnerability," in International Conference on Software Engineering and Knowledge Engineering, 2010, pp. 535-542.
28. G. Wassermann and Z. Su, "Sound and precise analysis of web applications for injection vulnerabilities," in ACM SIGPLAN Conference on Programming Language Design and Implementation, 2007, pp. 32-41.
29. L. K. Shar and H. B. K. Tan, "Automated removal of cross site scripting vulnerabilities in web applications," Information and Software Technology, vol. 54 (5), pp. 467-478, 2012.