Article

Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities

Authors:

Lwin Khin Shar,

Hee Beng Kuan TanAuthors Info & Claims

ICSE '12: Proceedings of the 34th International Conference on Software Engineering

Pages 1293 - 1296

Published: 02 June 2012 Publication History

Get Access

Abstract

Static code attributes such as lines of code and cyclomatic complexity have been shown to be useful indicators of defects in software modules. As web applications adopt input sanitization routines to prevent web security risks, static code attributes that represent the characteristics of these routines may be useful for predicting web application vulnerabilities. In this paper, we classify various input sanitization methods into different types and propose a set of static code attributes that represent these types. Then we use data mining methods to predict SQL injection and cross site scripting vulnerabilities in web applications. Preliminary experiments show that our proposed attributes are important indicators of such vulnerabilities.

References

[1]

N. F. Schneidewind, "Methodology for validating software metrics," IEEE Trans. Softw. Eng., vol. 18(5), 1992, pp. 410-422.

Digital Library

Google Scholar

[2]

T. McCabe, "A complexity measure," IEEE Trans. Softw. Eng., vol. 2(4), 1976, pp. 308-320.

Digital Library

Google Scholar

[3]

T. Menzies, J. Greenwald, and A. Frank, "Data mining static code attributes to learn defect predictors," IEEE Trans. Softw. Eng., vol. 33(1), 2007, pp. 2-13.

Crossref

Google Scholar

[4]

S. Lessmann, B. Baesens, C. Mues, and S. Pietsch, "Benchmarking classification models for software defect prediction: a proposed framework and novel findings," IEEE Trans. Softw. Eng., vol. 34(4), 2008, pp. 485-496.

Digital Library

Google Scholar

[5]

T. Zimmermann and N. Nagappan, "Predicting defect using network analysis on dependency graphs," In ICSE'08, 2008, pp. 531-540.

Digital Library

Google Scholar

[6]

N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: a static analysis tool for detecting web application vulnerabilities," In S&P'06, 2006, pp. 258-263.

Digital Library

Google Scholar

[7]

Y. Xie and A. Aiken, "Static detection of security vulnerabilities in scripting languages," In USENIX Security'06, 2006, pp. 179-192.

Digital Library

Google Scholar

[8]

G. Wassermann and Z. Su, "Static detection of cross-site scripting vulnerabilities," In ICSE'08, 2008, pp. 171-180.

Digital Library

Google Scholar

[9]

A. Kiezun, P. J. Guo, K. Jayaraman, and M. D. Ernst, "Automatic creation of SQL injection and cross-site scripting attacks," In ICSE'09, 2009, pp. 199-209.

Digital Library

Google Scholar

[10]

M. Martin and M. S. Lam, "Automatic generation of XSS and SQL injection attacks with goal-directed model checking," In USENIX Security'08, 2008, pp. 31-43.

Digital Library

Google Scholar

[11]

OWASP Top 10, 2010, http://www.owasp.org/

Google Scholar

[12]

I. H. Witten and E. Frank, Data Mining, 2nd ed., Morgan Kaufmann, Los Altos, CA, 2005.

Digital Library

Google Scholar

[13]

T. Mende, "Replication of defect prediction studies: problems, pitfalls and recommendations," In PROMISE'10, 2010.

Digital Library

Google Scholar

[14]

T. Menzies, Z. Milton, B. Turhan, B. Cukic, Y. Jiang, and A. Bener, "Defect prediction from static code features: current results, limitations, new approaches," Autom. Softw. Eng., vol. 17(4), 2010, pp. 375-407.

Digital Library

Google Scholar

Cited By

View all

Ge XFang CLi XSun WWu DZhai JLin SZhao ZLiu YChen Z(2024)Machine Learning for Actionable Warning Identification: A Comprehensive SurveyACM Computing Surveys10.1145/369635257:2(1-35)Online publication date: 19-Sep-2024
https://dl.acm.org/doi/10.1145/3696352
Cambronero JDang TVasilakis NShen JWu JRinard MMasuhara HPetricek T(2019)Active learning for software engineeringProceedings of the 2019 ACM SIGPLAN International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software10.1145/3359591.3359732(62-78)Online publication date: 23-Oct-2019
https://dl.acm.org/doi/10.1145/3359591.3359732
Guichang ZYunfeng NXing W(2019)CNNPaylProceedings of the 2019 11th International Conference on Machine Learning and Computing10.1145/3318299.3318302(477-483)Online publication date: 22-Feb-2019
https://dl.acm.org/doi/10.1145/3318299.3318302
Show More Cited By

Recommendations

Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns

Context: SQL injection (SQLI) and cross site scripting (XSS) are the two most common and serious web application vulnerabilities for the past decade. To mitigate these two security threats, many vulnerability detection approaches based on static and ...
Automatic creation of SQL Injection and cross-site scripting attacks
ICSE '09: Proceedings of the 31st International Conference on Software Engineering

We present a technique for finding security vulnerabilities in Web applications. SQL Injection (SQLI) and cross-site scripting (XSS) attacks are widespread forms of attack in which the attacker crafts the input to the application to access or modify ...
Client-side cross-site scripting protection

Web applications are becoming the dominant way to provide access to online services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ICSE '12: Proceedings of the 34th International Conference on Software Engineering

June 2012

1657 pages

ISBN:9781467310673

General Chair:
Martin Glinz,
Program Chairs:
Gail Murphy,
Mauro Pezzè

Publisher

IEEE Press

Publication History

Published: 02 June 2012

Check for updates

Qualifiers

Article

Conference

ICSE '12

Sponsor:

SIGSOFT

ICSE '12: 34th International Conference on Software Engineering

June 2 - 9, 2012

Zurich, Switzerland

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
513
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Ge XFang CLi XSun WWu DZhai JLin SZhao ZLiu YChen Z(2024)Machine Learning for Actionable Warning Identification: A Comprehensive SurveyACM Computing Surveys10.1145/369635257:2(1-35)Online publication date: 19-Sep-2024
https://dl.acm.org/doi/10.1145/3696352
Cambronero JDang TVasilakis NShen JWu JRinard MMasuhara HPetricek T(2019)Active learning for software engineeringProceedings of the 2019 ACM SIGPLAN International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software10.1145/3359591.3359732(62-78)Online publication date: 23-Oct-2019
https://dl.acm.org/doi/10.1145/3359591.3359732
Guichang ZYunfeng NXing W(2019)CNNPaylProceedings of the 2019 11th International Conference on Machine Learning and Computing10.1145/3318299.3318302(477-483)Online publication date: 22-Feb-2019
https://dl.acm.org/doi/10.1145/3318299.3318302
Schuckert FKatt BLangweg H(2017)Source Code Patterns of SQL Injection VulnerabilitiesProceedings of the 12th International Conference on Availability, Reliability and Security10.1145/3098954.3103173(1-7)Online publication date: 29-Aug-2017
https://dl.acm.org/doi/10.1145/3098954.3103173
Medeiros INeves NCorreia MZeller ARoychoudhury A(2016)DEKANT: a static analysis tool that learns to detect web application vulnerabilitiesProceedings of the 25th International Symposium on Software Testing and Analysis10.1145/2931037.2931041(1-11)Online publication date: 18-Jul-2016
https://dl.acm.org/doi/10.1145/2931037.2931041
Vishnu BJevitha KRangan PJayaraman B(2014)Prediction of Cross-Site Scripting Attack Using Machine Learning AlgorithmsProceedings of the 2014 International Conference on Interdisciplinary Advances in Applied Computing10.1145/2660859.2660969(1-5)Online publication date: 10-Oct-2014
https://dl.acm.org/doi/10.1145/2660859.2660969
Medeiros INeves NCorreia MChung CBroder AShim KSuel T(2014)Automatic detection and correction of web application vulnerabilities using data mining to predict false positivesProceedings of the 23rd international conference on World wide web10.1145/2566486.2568024(63-74)Online publication date: 7-Apr-2014
https://dl.acm.org/doi/10.1145/2566486.2568024
Shar LTan HBriand LNotkin DCheng BPohl K(2013)Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysisProceedings of the 2013 International Conference on Software Engineering10.5555/2486788.2486873(642-651)Online publication date: 18-May-2013
https://dl.acm.org/doi/10.5555/2486788.2486873
Shar LTan HGoedicke MMenzies TSaeki M(2012)Predicting common web application vulnerabilities from input validation and sanitization code patternsProceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering10.1145/2351676.2351733(310-313)Online publication date: 3-Sep-2012
https://dl.acm.org/doi/10.1145/2351676.2351733

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Recommendations

Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns

Automatic creation of SQL Injection and cross-site scripting attacks

Client-side cross-site scripting protection