In this paper
we propose a methodology and a prototype tool to evaluate web application
security mechanisms. The methodology is based on the idea that injecting
realistic vulnerabilities in a web application and attacking them automatically
can be used to support the assessment of existing security mechanisms and tools
in custom setup scenarios. To provide true to life results, the proposed
vulnerability and attack injection methodology relies on the study of a large
number of vulnerabilities in real web applications. In addition to the generic
methodology, the paper describes the implementation of the Vulnerability
& Attack Injector Tool (VAIT) that allows the automation of the entire
process. We used this tool to run a set of experiments that demonstrate the
feasibility and the effectiveness of the proposed methodology. The experiments
include the evaluation of coverage and false positives of an Intrusion
Detection System for SQL Injection attacks and the assessment of the
effectiveness of two top commercial web application vulnerability scanners.
Results show that the injection of vulnerabilities and attacks is indeed an
effective way to evaluate security mechanisms and to point out not only their
weaknesses but also ways for their improvement.
No comments:
Post a Comment