Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

ZhangBing,; LiJingyue,; RenJiadong,; HuangGuoyan,

doi:10.1145/3474553

Cited by 17 publications

(4 citation statements)

References 119 publications

(278 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Source code review plays a crucial role in detecting security flaws in software systems including BAC vulnerabilities. Studies (e.g., [20]- [22]) found that source code review while utilizing automated source code review tools can effectively detect multiple security issues categories including broken access control. These studies emphasize the importance of incorporating source code review into the software development life cycle to improve the security of the application and strengthen it against potential exploitations.…”

Section: Countermeasures Familiesmentioning

confidence: 99%

“…Security testing is one of the most effective and practical techniques for identifying vulnerabilities in software solutions including broken access control vulnerabilities. Studies (e.g., in [22]- [27]) found that security testing can effectively find BAC vulnerabilities as it analyzes the behavior of the running system and evaluates the implementation of access control policies and applied controls and security levels. Other studies [28] discussed the use of security testing in combination with code review alongside threat modeling to identify BAC vulnerabilities in web applications; nevertheless, studies emphasize the value of the usage of automated security testing tools for effective and automated detection of broken access control vulnerabilities as it can provide a thorough assessment and analysis of the target application and help identify issues that may be overlooked by manual testing.…”

Section: Countermeasures Familiesmentioning

confidence: 99%

See 1 more Smart Citation

Survey on detecting and preventing web application broken access control attacks

Anas,

Elgamal,

Youssef

2024

IJECE

View full text Add to dashboard Cite

Web applications are an essential component of the current wide range of digital services proposition including financial and governmental services as well as social networking and communications. Broken access control vulnerabilities pose a huge risk to that echo system because they allow the attacker to circumvent the allocated permissions and rights and perform actions that he is not authorized to perform. This paper gives a broad survey of the current research progress on approaches used to detect access control vulnerabilities exploitations and attacks in web application components. It categorizes these approaches based on their key techniques and compares the different detection methods in addition to evaluating their strengths and weaknesses. We also spotted and elaborated on some exciting research gaps found in the current literature, Finally, the paper summarizes the general detection approaches and suggests potential research directions for the future.

show abstract

Section: Countermeasures Familiesmentioning

confidence: 99%

Section: Countermeasures Familiesmentioning

confidence: 99%

Survey on detecting and preventing web application broken access control attacks

Anas,

Elgamal,

Youssef

2024

IJECE

View full text Add to dashboard Cite

show abstract

“…With the development of machine learning, it has also provided a new approach to SQL injection attack detection [8] . Joshi et al [9] proposed a SQL injection attack detection method that combines the naive Bayes algorithm with role-based access permissions.…”

Section: Related Workmentioning

confidence: 99%

SQL injection attack detection method based on textCNN

Xia,

Shao,

et al. 2024

International Conference on Signal Processing and Communication Security (ICSPCS 2024)

View full text Add to dashboard Cite

Structured Query Language Injection (SQLI) has always been a prominent threat in the field of cybersecurity, targeting web applications. Traditional techniques to prevent SQL injection typically rely on rule matching or dynamic and static analysis, which has high false positive rate and low detection efficiency. However, using deep learning algorithms can effectively detect SQL injection attacks and, consequently, overcome these issues. This paper proposes a SQL injection attack detection method based on TextCNN from the perspective of natural language processing and deep learning. Firstly, Word2Vec was used to process the text vectorization of SQL injection attack data, and then one-dimensional convolution was used to extract the features of the vectorized data. Finally, the trained SQL injection attack detection model was used to detect SQL injection attack. Experimental results show that the proposed method can effectively detect SQL injection attacks, and its accuracy rate, accuracy rate, recall rate, F1 value all achieved over 95%.

show abstract

“…Pendekatan metode aplikasi pemindai kerentanan diklasifikasikan ke dalam analisis statis, analisis dinamis, white box, black box, taint analysis, pengujian penetrasi, pengujian fuzz, pengujian concolic, pengujian eksekusi simbolik, dan pemeriksaan model, sebagian besar diklasifikasikan pada pendekatan ke dalam tiga kategori, yaitu, statis, dinamis, dan hybrid [16]. Namun secara keseluruhan, pendekatan tersebut tidak lepas dari artefak (misalnya, Tag HTML, fungsi logika, variabel dalam kode sumber, permintaan HTTP, parameter GET/POST, dan nilai session atau cookie).…”

Section: Modifikasi Web Application Firewallunclassified

Effectiveness of Security Through Obscurity Methods to Avoid Web Application Vulnerability Scanners

Kurniawan,

Ramli

2023

J. Tek. Inform. (JUTIF)

View full text Add to dashboard Cite

The concept of security through obscurity is not recommended by the National Institute of Standards and Technology (NIST) as a form of system security. Basically this concept hides assets as difficult as possible so that it is not easy for attackers to find them, so that it can be used to avoid vulnerability scanner applications that are widely used by attackers to find out web system weaknesses. This research was conducted by modifying the web application firewall (WAF) and testing using the SQLMap and OWASP Zed Attack Proxy (ZAP) vulnerability scanner applications. The results of the study show that SQLMap takes up to 1238 times longer to complete a scan on a modified web application firewall than without modification, while OWASP ZAP cannot complete a scan on the same treatment. Thus the concept of security through obscurity can be applied to web security to extend vulnerability scanning time.

show abstract

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

Cited by 17 publications

References 119 publications

Survey on detecting and preventing web application broken access control attacks

Survey on detecting and preventing web application broken access control attacks

SQL injection attack detection method based on textCNN

Effectiveness of Security Through Obscurity Methods to Avoid Web Application Vulnerability Scanners

Contact Info

Product

Resources

About