Most web applications have critical
bugs (faults) affecting their security, which makes them vulnerable to attacks
by hackers and organized crime. To prevent these security problems from
occurring it is of utmost importance to understand the typical software faults.
This paper contributes to this body of knowledge by presenting a field study on
two of the most widely spread and critical web application vulnerabilities: SQL
Injection and XSS. It analyzes the source code of security patches of widely
used web applications written in weak and strong typed languages. Results show
that only a small subset of software fault types, affecting a restricted
collection of statements, is related to security. To understand how these
vulnerabilities are really exploited by hackers, this paper also presents an
analysis of the source code of the scripts used to attack them. The outcomes of
this study can be used to train software developers and code inspectors in the
detection of such faults and are also the foundation for the research of
realistic vulnerability and attack injectors that can be used to assess
security mechanisms, such as intrusion detection systems, vulnerability
scanners, and static code analyzers.
No comments:
Post a Comment