Abstract
Current web applications have many inherent vulnerabilities; in fact, in 2008, over 63% of all documented vulnerabilities were for web applications. While many approaches have been proposed to address various web application vulnerability issues, there has been no study investigating whether these vulnerabilities share any common properties. In this paper, we use an approach similar to the Goal-Question-Metric approach to empirically investigate four questions regarding open source web application vulnerabilities: What proportion of security vulnerabilities in web applications can be considered implementation vulnerabilities? Are these vulnerabilities the result of interactions between web applications and external systems? What proportion of the lines of code within a web application is vulnerable? Are implementation vulnerabilities caused by implicit or explicit data flows? The results of the investigation show that implementation vulnerabilities dominate. They are caused by interactions between web applications and external systems. Furthermore, these vulnerabilities contain only explicit data flows, and are limited to relatively small sections of the source code.
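The abstract's distinction between explicit and implicit data flows is the property that decides whether a taint-tracking tool can catch an implementation vulnerability at all. The following Python model is an added illustration and is not code from the paper or from any application it studied; the names (`Tainted`, `read_request_param`, `build_query_*`, `execute_sql`) and the sample input are assumptions constructed for this example. It shows an explicit flow (external data copied by concatenation into SQL text, where the taint mark survives and the sink can reject it), an implicit flow (SQL text that depends on the external value only through a branch, where the mark is lost), and the parameterized form in which external data never enters the SQL text.

```python
# Added illustration (not from the paper): a minimal taint model that makes the
# explicit/implicit data-flow distinction concrete. All names below are
# assumptions for this example, not identifiers from the study.


class Tainted(str):
    """A string marked as having come from an external system (e.g. an HTTP
    client). Explicit flows (assignment, concatenation) propagate the mark,
    which is the kind of flow a taint-tracking tool can follow."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def is_tainted(value):
    return isinstance(value, Tainted)


def read_request_param(raw):
    """Source: a request parameter (constructed stand-in for $_GET / form input)."""
    return Tainted(raw)


def build_query_explicit(username):
    """Explicit flow: the external value is copied, by concatenation, into the
    SQL text. The taint mark survives, so the sink below can reject it."""
    return "SELECT * FROM users WHERE name = '" + username + "'"


def build_query_implicit(username):
    """Implicit flow: the SQL text depends on the external value only through
    control flow. No character of `username` is copied, so the result is a plain
    str and the mark is lost, even though the input still influenced the query."""
    if username == "admin":
        role = "admin"
    else:
        role = "guest"
    return "SELECT * FROM users WHERE role = '" + role + "'"


def build_query_parameterized(username):
    """Mitigation: keep external data out of the SQL text and pass it as a bound
    parameter. The text is a constant, so it is never tainted."""
    return ("SELECT * FROM users WHERE name = ?", (username,))


def execute_sql(query, params=()):
    """Sink: refuses SQL text that carries taint. Bound parameters may be
    tainted because the driver never interprets them as SQL."""
    if is_tainted(query):
        raise ValueError("tainted data reached the SQL sink: " + query)
    return {"sql": str(query), "params": tuple(str(p) for p in params)}


if __name__ == "__main__":
    # Constructed input: a legitimate name containing a quote character.
    name = read_request_param("o'brien")
    for label, query in (("explicit", build_query_explicit(name)),
                         ("implicit", build_query_implicit(name))):
        print(label, "tainted" if is_tainted(query) else "untainted", "->", query)
    sql, params = build_query_parameterized(name)
    print("parameterized ->", execute_sql(sql, params))
```

Running the block shows that only the concatenated query carries the mark into the sink; the branch-dependent query reaches the database untainted, which is why a tool that tracks only explicit flows would miss it. The abstract's finding that the studied vulnerabilities involved only explicit flows is what makes that limitation acceptable in practice for these applications.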
Editor: Bojan Cukic
Huynh, T., Miller, J. An empirical investigation into open source web applications’ implementation vulnerabilities. Empir Software Eng 15, 556–576 (2010). https://doi.org/10.1007/s10664-010-9131-y