An empirical investigation into open source web applications’ implementation vulnerabilities

Empirical Software Engineering

Abstract

Current web applications have many inherent vulnerabilities; in fact, in 2008, over 63% of all documented vulnerabilities were in web applications. While many approaches have been proposed to address various web application vulnerability issues, no study has investigated whether these vulnerabilities share any common properties. In this paper, we use an approach similar to the Goal-Question-Metric approach to empirically investigate four questions regarding vulnerabilities in open source web applications: What proportion of security vulnerabilities in web applications can be considered implementation vulnerabilities? Are these vulnerabilities the result of interactions between web applications and external systems? What proportion of the lines of code within a web application is vulnerable? Are implementation vulnerabilities caused by implicit or explicit data flows? The results of the investigation show that implementation vulnerabilities dominate. They arise through interactions between web applications and external systems. Furthermore, these vulnerabilities involve only explicit data flows, and are confined to relatively small sections of the source code.
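The abstract's distinction between explicit data flows (an untrusted value is copied or concatenated into a sensitive call) and implicit data flows (a value only depends on untrusted input through a branch condition) is easiest to see in a small taint analysis. The example below is added here and is not code or data from the paper: it defines a toy intermediate representation for a request handler, runs explicit-only tracking and then explicit-plus-implicit tracking over a constructed script modelled on a PHP page that builds a SQL query from a GET parameter, and shows that the hardened version, which differs from the vulnerable one in a single validation statement, is no longer flagged. The statement forms, the labels `GET[id]`, `mysql_query` and `set_cookie`, and both scripts are assumptions made for the illustration.

```python
from copy import deepcopy

# Toy IR for a request handler (constructed for this example, not the paper's data).
# Statement forms:
#   ("source", var, label)                 var receives untrusted input, e.g. a GET parameter
#   ("const", var)                         var is set to a literal
#   ("assign", var, (uses, ...))           var is computed from the listed variables (explicit flow)
#   ("sanitize", var, src)                 var is a validated copy of src, e.g. intval($_GET['id'])
#   ("if", cond_var, then_block, else_block)
#   ("sink", var, label)                   var reaches a security-sensitive call, e.g. a SQL query


def _run(stmts, taint, pc, track_implicit, findings):
    """Walk the statement list, propagating the set of untrusted sources per variable.

    `pc` is the set of sources the current control-flow context depends on; it is only
    ever non-empty when implicit flows are being tracked."""
    for stmt in stmts:
        kind = stmt[0]
        if kind == "source":
            _, var, label = stmt
            taint[var] = {label}
        elif kind in ("const", "sanitize"):
            # A literal or a validated value carries no explicit taint; under implicit
            # tracking it still inherits whatever the enclosing branch depended on.
            taint[stmt[1]] = set(pc)
        elif kind == "assign":
            _, var, uses = stmt
            flowed = set()
            for u in uses:
                flowed |= taint.get(u, set())
            taint[var] = flowed | pc
        elif kind == "if":
            _, cond, then_block, else_block = stmt
            branch_pc = (pc | taint.get(cond, set())) if track_implicit else pc
            then_taint, else_taint = deepcopy(taint), deepcopy(taint)
            _run(then_block, then_taint, branch_pc, track_implicit, findings)
            _run(else_block, else_taint, branch_pc, track_implicit, findings)
            # Merge conservatively: a variable is tainted if either path taints it.
            for var in set(then_taint) | set(else_taint):
                taint[var] = then_taint.get(var, set()) | else_taint.get(var, set())
        elif kind == "sink":
            _, var, label = stmt
            if taint.get(var):
                findings.append((label, tuple(sorted(taint[var]))))
        else:
            raise ValueError(f"unknown statement kind {kind!r}")


def analyze(program, track_implicit=False):
    """Return (sink_label, sources) pairs for every sink reached by untrusted data."""
    findings = []
    _run(program, {}, set(), track_implicit, findings)
    return findings


# Constructed vulnerable script: $id = $_GET['id']; mysql_query("SELECT ... " . $id);
# then a cookie whose value depends on $id only through a branch.
WEB_SCRIPT = [
    ("source", "id", "GET[id]"),
    ("const", "prefix"),                      # "SELECT * FROM users WHERE id="
    ("assign", "query", ("prefix", "id")),    # string concatenation: explicit flow
    ("sink", "query", "mysql_query"),
    ("if", "id",                              # branch on the untrusted value
        [("const", "role")],                  # role = "admin"
        [("const", "role")]),                 # role = "user"
    ("sink", "role", "set_cookie"),           # role depends on id only implicitly
]

# Constructed hardened script: the one-line fix validates the parameter before use.
HARDENED_SCRIPT = [
    ("source", "id", "GET[id]"),
    ("sanitize", "id_int", "id"),             # intval($_GET['id'])
    ("const", "prefix"),
    ("assign", "query", ("prefix", "id_int")),
    ("sink", "query", "mysql_query"),
]

if __name__ == "__main__":
    print("explicit only:     ", analyze(WEB_SCRIPT))
    print("explicit+implicit: ", analyze(WEB_SCRIPT, track_implicit=True))
    print("hardened, explicit:", analyze(HARDENED_SCRIPT))
```

With explicit tracking only, the analysis reports the SQL sink and nothing else; enabling implicit tracking additionally flags the cookie sink, because `role` is chosen by a branch on `id`. The abstract's finding that real implementation vulnerabilities involve only explicit flows is what makes the cheaper explicit-only analysis (the mode most web application taint checkers run in) adequate for them, and the hardened script illustrates the other finding that the fix is usually confined to a few lines near the source or sink.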




Corresponding author: James Miller

Editor: Bojan Cukic


Cite this article

Huynh, T., Miller, J. An empirical investigation into open source web applications’ implementation vulnerabilities. Empir Software Eng 15, 556–576 (2010). https://doi.org/10.1007/s10664-010-9131-y
