Filters








856 Hits in 6.2 sec

An Integrated Approach for Effective Injection Vulnerability Analysis of Web Applications through Security Slicing and Hybrid Constraint Solving

Julian Thome, Lwin Khin Shar, Domenico Bianculli, Lionel Briand
2018 IEEE Transactions on Software Engineering  
We propose an integrated approach that seamlessly combines security slicing with hybrid constraint solving; the latter orchestrates automata-based solving with meta-heuristic search.  ...  This work addresses the challenge of detecting injection vulnerabilities in the server-side code of Java Web applications in a scalable and effective way.  ...  Xiang Fu from Hofstra University, Hempstead for sharing the Sushi tool.  ... 
doi:10.1109/tse.2018.2844343 fatcat:bnfa37aq5bfcxaqkokuzaw5ide

Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities

Abner Mendoza, Guofei Gu
2018 2018 IEEE Symposium on Security and Privacy (SP)  
We further tested 1,000 apps to validate web API hijacking vulnerabilities that can lead to potential compromise of user privacy and security and found that millions of users are potentially affected from  ...  Developing automatic methods of auditing web APIs for security remains challenging.  ...  To this end, Flowdroid fits well into our approach since it effectively solves many of the shortcomings of static analysis.  ... 
doi:10.1109/sp.2018.00039 dblp:conf/sp/MendozaG18 fatcat:upjdfihbhvfvveuz3qdpsw2pfy

TAJ

Omer Tripp, Marco Pistoia, Stephen J. Fink, Manu Sridharan, Omri Weisman
2009 SIGPLAN notices  
Specifically, an industrial-strength tool must scale to large industrial Web applications, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors  ...  Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry.  ...  effective model for static analysis of Web applications.  ... 
doi:10.1145/1543135.1542486 fatcat:e2y5fajbyrekxbyri67ueqrjem

TAJ

Omer Tripp, Marco Pistoia, Stephen J. Fink, Manu Sridharan, Omri Weisman
2009 Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation - PLDI '09  
Specifically, an industrial-strength tool must scale to large industrial Web applications, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors  ...  Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry.  ...  effective model for static analysis of Web applications.  ... 
doi:10.1145/1542476.1542486 dblp:conf/pldi/TrippPFSW09 fatcat:oeltvagp4zet3d25jucohtcoye

Search-Driven String Constraint Solving for Vulnerability Detection

Julian Thome, Lwin Khin Shar, Domenico Bianculli, Lionel Briand
2017 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE)  
We have implemented the proposed search-driven constraint solving technique in the ACO-Solver tool, which we have evaluated in the context of injection and XSS vulnerability detection for Java Web applications  ...  State-ofthe-art string constraint solvers support only a limited set of string operations and fail when they encounter an unsupported one; this leads to limited effectiveness in finding vulnerabilities  ...  Xiang Fu for sharing his tool Sushi. This work is supported by the National Research Fund, Luxembourg FNR/P10/03, INTER/DFG/14/11092585, and the AFR grant FNR9132112.  ... 
doi:10.1109/icse.2017.26 dblp:conf/icse/ThomeSBB17 fatcat:iduw3xmtjjckdpse3s27bev6l4

Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning

Lwin Khin Shar, Lionel C. Briand, Hee Beng Kuan Tan
2015 IEEE Transactions on Dependable and Secure Computing  
web application vulnerabilities.  ...  A practical approach to predicting vulnerable code would enable them to prioritize security auditing efforts.  ...  ACKNOWLEDGMENTS The authors would like to thank Hongyu Zhang [40] for providing us with the Java implementation of CoForest algorithm.  ... 
doi:10.1109/tdsc.2014.2373377 fatcat:p7k5sjcgxrcqxamw4bk6b3b2ye

Supporting automated vulnerability analysis using formalized vulnerability signatures

Mohamed Almorsy, John Grundy, Amani S. Ibrahim
2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering - ASE 2012  
Although this helps to minimize cost and increase availability and reachability of applications, it has serious implications on applications' security.  ...  We have validated our approach in capturing signatures of the OWSAP Top10 vulnerabilities and applied these signatures in analyzing a set of seven benchmark applications.  ...  ACKNOWLEDGEMENTS The authors are grateful to Swinburne University of Technology and the FRST SPPI project for support for this research.  ... 
doi:10.1145/2351676.2351691 dblp:conf/kbse/AlmorsyGI12 fatcat:stzi4hevergi3iffmptejzdgzq

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey [article]

Abdelhakim Hannousse and Salima Yahiouche and Mohamed Cherif Nait-Hamoud
2022 arXiv   pre-print
XSS has been and still in the TOP 10 list of web vulnerabilities reported by the Open Web Applications Security Project (OWASP).  ...  Since its reveal in late 1999 by Microsoft security engineers, several techniques have been developed in the aim to secure web navigation and protect web applications against XSS attacks.  ...  Marashdih and Zaaba [100] proposed an approach for the detection and removal of RXSS and SXSS vulnerabilities from PHP web applications.  ... 
arXiv:2205.08425v2 fatcat:mz2upyb3d5ekllmw66t7s4rsom

2020 Index IEEE Transactions on Software Engineering Vol. 46

2021 IEEE Transactions on Software Engineering  
J., Shar, L.K., Bianculli, D., and Briand, L., An Integrated Approach for Effective Injection Vulnerability Analysis of Web Applications Through Security Slicing and Hybrid Constraint Solving; TSE Feb.  ...  TSE Nov. 2020 1220-1240 Ter Beek, M.H., Legay, A., Lafuente, A.L., and Vandin, A., A Framework for Quantitative Modeling and Analysis of Highly (Re)configurable Systems; TSE March 2020 321-345 Thome,  ... 
doi:10.1109/tse.2020.3045901 fatcat:z4bq4ydrf5gdphfx5usnyocn3u

Chainsaw

Abeer Alhuzali, Birhanu Eshete, Rigel Gjomemo, V.N. Venkatakrishnan
2016 Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16  
In this regard, we present an approach that significantly improves the state-of-art in web injection vulnerability identification and exploit generation.  ...  We tackle the problem of automated exploit generation for web applications.  ...  Acknowledgments We thank Bridget Basan, Antonio Shelton and Kyle Tulipano for their help in modeling PHP functions. We also thank  ... 
doi:10.1145/2976749.2978380 dblp:conf/ccs/AlhuzaliEGV16 fatcat:gvgyqht3b5dg3jgpwhsotgftia

Security Testing [chapter]

Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, Alexander Pretschner
2016 Advances in Computers  
Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.  ...  Therefore, an overview of actual security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them.  ...  Acknowledgements The work was supported in part by the research projects QE LaB -Living Models for Open Systems (FFG 822740) and MOBSTECO (FWF P 26194-N15).  ... 
doi:10.1016/bs.adcom.2015.11.003 fatcat:gdd4ggwo6vcrjosp2nx63kp5mu

Exploratory Review of Hybrid Fuzzing for Automated Vulnerability Detection

Fayozbek Rustamov, Juhwan Kim, Jihyeon Yu, Joobeom Yun
2021 IEEE Access  
It also includes evaluations of the proposed approaches and a number of suggestions for the development of hybrid fuzzing in the future.  ...  The most reliable technique for automated software testing is a fuzzing tool that feeds programs with random test-input and detects software vulnerabilities that are critical to security.  ...  ACKNOWLEDGMENT The authors would like to thank the anonymous reviewers for their insightful comments.  ... 
doi:10.1109/access.2021.3114202 fatcat:6yvqxkcqcvg5xl4g2bjf6ndsue

Analyzing and defending against web-based malware

Jian Chang, Krishna K. Venkatasubramanian, Andrew G. West, Insup Lee
2013 ACM Computing Surveys  
We show that these three categories of approaches form an extensive solution space to the web-based malware problem.  ...  and testing techniques to identify the vulnerabilities of web applications; and (3) constructing reputation-based blacklists or smart sandbox systems to protect end users from attacks.  ...  Such security vulnerabilities lie in the code of web applications.  ... 
doi:10.1145/2501654.2501663 fatcat:kvmuw7n5wzcq5e4jtpxovxwmue

A Survey of Software Clone Detection from Security Perspective

Haibo Zhang, Kouichi Sakurai
2021 IEEE Access  
Another considerable issue is that code cloning provides an easy way for attackers to maliciously inject code.  ...  We then discuss three further research directions: (i) deep learning-based code clone vulnerability detection, (ii) vulnerable code clone detection for 5G-Internet of Things devices, and (iii) real-time  ...  Yujie Gu and all the reviewers for their advice on this manuscript. We thank Dr. Maxine Garcia from Edanz Group (https://en-author-services.edanz.com/ac) for editing a draft of this manuscript.  ... 
doi:10.1109/access.2021.3065872 fatcat:fh6ysdrcqvawpay6s767i3na2u

EWVHunter: Grey-Box Fuzzing with Knowledge Guide on Embedded Web Front-Ends

Enze Wang, Baosheng Wang, Wei Xie, Zhenhua Wang, Zhenhao Luo, Tai Yue
2020 Applied Sciences  
Therefore, by filling data at the input source on the web front-end and reusing web front-end program logic, we can effectively solve the impact of the stateful network protocol and communication data  ...  and (3) the conditional constraints of programs in the device reduce the depth and breadth of fuzz testing.  ...  Acknowledgments: We would like to sincerely thank all the reviewers for your time and expertise on this paper. Your insightful comments help us improve this work.  ... 
doi:10.3390/app10114015 fatcat:jtnjrq2p7nar7pi4adxcikuvjm
« Previous Showing results 1 — 15 out of 856 results