Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications

Deepa, G.; Thilagam, P. Santhi; Khan, Fatima; Praseed, Amit; Pais, Alwyn Roshan; Palsetia, Nushafreen

doi:10.1007/s10207-016-0359-4

Cited by 20 publications

(20 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…As it is evident from different literatures, manual penetration testing method always provides cent precent of accuracy [18] and it is selected as the control environment for this research examination. Fig.…”

Section: Detection Results Comparisonmentioning

confidence: 99%

See 1 more Smart Citation

SAISAN: An Automated Local File Inclusion Vulnerability Detection Model

Hassan¹,

Bhuyian²,

Sohel³

et al. 2018

IJET

View full text Add to dashboard Cite

Communicating and delivering services to the consumers through web applications are now become very popular due to its user friendly interface, global accessibility, and easy manageability. Careless design and development of web applications are the key reasons for security breaches which are very alarming for the users as well as the web administrators. Currently, Local File Inclusion (LFI) vulnerability is found present commonly in several web applications that lead to remote code execution in host server and initiates sensitive information disclosure. Detection of LFI vulnerability is getting very critical concern for the web owner to take effective measures to mitigate the risk. After reviewing literatures, we found insignificant researches conducted on automated detection of LFI vulnerability. This paper has proposed an automated LFI vulnerability detection model, SAISAN for web applications and implemented it through a tool. 265 web applications of four different sectors has been examined and received 88% accuracy from the tool comparing with the manual penetration testing method.

show abstract

Section: Detection Results Comparisonmentioning

confidence: 99%

“…If the response code is matched with 200 status, the program will forward the given URL to the crawling [18] step. Otherwise, an error message with "Host server is not available" will be displayed before quitting the program.…”

Section: Url Validationmentioning

confidence: 99%

SAISAN: An Automated Local File Inclusion Vulnerability Detection Model

Hassan¹,

Bhuyian²,

Sohel³

et al. 2018

IJET

View full text Add to dashboard Cite

show abstract

“…[47][48][49] experimental results showed the proposed code parsing and reverse engineering algorithms are efficient in scraping data entry points (DEPs) and attack vectors from undertest web applications. In the meanwhile, [50][51][52][53][54][55][56][57][58][59][60]"s experimental results showed leveraging of searchbased testing technique, mutation testing technique, and genetic algorithm are effective in improving the attack coverage. Moreover, anomaly detection and information flow analysis by [8,9,27,28,31], and [61][62][63][64][65][66][67][68][69][70][71][72][73][74][75][76][77][78][79] are proven effective in detecting the web application vulnerability in either black box or white box testing environment.…”

Section: 3benchmarking the Algorithmsmentioning

confidence: 99%

The approaches to quantify web application security scanners quality: a review

Seng¹,

Ithnin²,

Said³

2018

IJACR

View full text Add to dashboard Cite

The web application security scanner is a computer program that assessed web application security with penetration testing technique. The benefit of automated web application penetration testing is huge, which web application security scanner not only reduced the time, cost, and resource required for web application penetration testing but also eliminate test engineer reliance on human knowledge. Nevertheless, web application security scanners are possessing weaknesses of low test coverage, and the scanners are generating inaccurate test results. Consequently, experimentations are frequently held to quantitatively quantify web application security scanner's quality to investigate the web application security scanner's strengths and limitations. However, there is a discovery that neither a standard methodology nor criterion is available for quantifying the web application security scanner's quality. Hence, in this paper systematic review is conducted and analysed the methodology and criterion used for quantifying web application security scanners' quality. In this survey, the experiment methodologies and criterions that had been used to quantify web application security scanner's quality is classified and review using the preferred reporting items for systematic reviews and meta-analyses (PRISMA) protocol. The objectives are to provide practitioners with the understanding of methodologies and criterions that available for measuring web application security scanners' test coverage, attack coverage, and vulnerability detection rate, while provides the critical hint for development of the next testing framework, model, methodology, or criterions, to measure web application security scanner quality.

show abstract

“…On the other hand it is a common observation that website serve to be a prime target for attackers for the reason of being omnipresent , in-demand and having an incrementing user-base. [2]. With the increased demand of the web applications, bloggers and web service providers are taking more interest in implementing and utilizing the web applications [3].…”

Section: Introductionmentioning

confidence: 99%

Web Vulnerability Finder (WVF): Automated Black- Box Web Vulnerability Scanner

Khalid¹,

Iqbal²,

Rasheed³

et al. 2020

IJITCS

View full text Add to dashboard Cite

Today the internet has become primary source of communication among people because it holds limitless space and pool of various web applications and resources. The internet allows us to communicate in a fraction of second with another people who is sitting in the other part of the world. At present, the internet has become part of our daily life and its usage is increasing exponentially, therefore it accumulates a number of web applications on daily basis on Web podium. Most of the web applications exist with few weaknesses and that weaknesses give room to several bad buys (hackers) to interrupt that weak part of code in web applications. Recently, SQL Injection, Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) seriously threaten the most of the web applications. In this study, we have proposed a black box testing method to detect different web vulnerabilities such as SQL Injection, XSS and CSRF and developed a detection tool i.e. Web Vulnerabilities Finder (WVF) for most of these vulnerabilities. Our proposed method can automatically analyze websites with the aim of finding web vulnerabilities. By applying the tool to some websites, we have found 45 exploitable XSS, SQL Injection 45, Directory Discloser 38 and Local/remote file inclusion 40 vulnerabilities. The experimental results show that our tool can efficiently detect XSS, SQL Injection, Directory Discloser and LFI/RFI vulnerabilities.

show abstract

Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications

Cited by 20 publications

References 27 publications

SAISAN: An Automated Local File Inclusion Vulnerability Detection Model

SAISAN: An Automated Local File Inclusion Vulnerability Detection Model

The approaches to quantify web application security scanners quality: a review

Web Vulnerability Finder (WVF): Automated Black- Box Web Vulnerability Scanner

Contact Info

Product

Resources

About