In this paper we propose a methodology and a
prototype tool to evaluate web application security mechanisms. The methodology
is based on the idea that injecting realistic vulnerabilities in a web
application and attacking them automatically can be used to support the
assessment of existing security mechanisms and tools in custom setup scenarios.
To provide true to life results, the proposed vulnerability and attack
injection methodology relies on the study of a large number of vulnerabilities
in real web applications. In addition to the generic methodology, the paper
describes the implementation of the Vulnerability & Attack Injector
Tool (VAIT) that allows the automation of the entire process. We used this tool
to run a set of experiments that demonstrate the feasibility and the
effectiveness of the proposed methodology. The experiments include the
evaluation of coverage and false positives of an Intrusion Detection System for
SQL Injection attacks and the assessment of the effectiveness of two top
commercial web application vulnerability scanners. Results show that the
injection of vulnerabilities and attacks is indeed an effective way to evaluate
security mechanisms and to point out not only their weaknesses but also ways
for their improvement.
No comments:
Post a Comment