Website security analysis: variation of detection methods and decisions

Authors: I. Alsmadi, Fahad Mira
DOI: 10.1109/NCG.2018.8592962 (https://doi.org/10.1109/NCG.2018.8592962)
Venue: 2018 21st Saudi Computer Society National Computer Conference (NCC)
Published: 2018-04-01
Citation count: 6 (Semantic Scholar)
Websites and web applications continue to evolve in how they are developed and used. The components of those websites and applications communicate with users through inputs taken from the users and outputs displayed to them. Users, intentionally or unintentionally, may provide improper inputs. We propose a model to investigate how websites behave when handling invalid inputs. From a security perspective, invalid inputs should be detected and rejected as early as possible. An invalid input is treated as a successful attack if it is processed by the website code or the back-end database rather than being rejected at the input boundary. Based on this assumption, we propose a list of indicators that reveal when an invalid input has been processed. A tool was developed to implement this model. We tested the model by evaluating several randomly selected websites; the tool has no special credentials or access to any of the tested websites. Using the proposed model we found many SQL injection vulnerabilities. Upon manual investigation of the web pages flagged as vulnerable, we found few instances of false positives. We believe this provides a systematic and automated approach to testing websites for vulnerabilities related to improper input validation.
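As an added illustration of the model's core decision (this is example code, not the authors' tool; the indicator patterns, probe payloads, URLs and HTTP responses below are all constructed assumptions, not data from the paper), the script compares each probed response with the page's baseline response and reports the input as "processed" only when the probe introduces a database error signature or a server-side error that the clean page did not already show. Treating an error string that is already present in the baseline page as non-evidence is the check that removes the kind of false positive the abstract says had to be found by manual review.

```python
"""Invalid-input indicator check over embedded sample responses (added example).

Assumptions: the indicator regexes, probe payloads, URLs and response bodies
are constructed here so the script runs offline. A live version would fetch
each URL once without a payload (baseline) and once per payload.
"""
import re
from dataclasses import dataclass, field

# Payloads that are syntactically invalid for most back-end query parsers.
PROBES = ["'", '"', "' OR '1'='1"]

# Assumed indicator list: strings a database engine or driver emits when it
# actually parsed the invalid input. Not the paper's own indicator list.
DB_ERROR_RE = re.compile(
    "|".join([
        r"You have an error in your SQL syntax",
        r"Warning: mysql_",
        r"unterminated quoted string",
        r"ORA-\d{5}",
        r"SQLSTATE\[",
        r"syntax error at or near",
    ]),
    re.IGNORECASE,
)


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Finding:
    indicators: list = field(default_factory=list)

    @property
    def processed(self) -> bool:
        # Any indicator means the invalid input reached code or the database.
        return bool(self.indicators)


def classify(baseline: Response, probed: Response) -> Finding:
    """Decide whether a probe was processed, relative to the clean baseline.

    Only evidence *introduced* by the probe counts: an error string that the
    baseline page already contains is page content, not a reaction to input.
    """
    finding = Finding()
    already_present = set(DB_ERROR_RE.findall(baseline.body))
    new_errors = set(DB_ERROR_RE.findall(probed.body)) - already_present
    for err in sorted(new_errors):
        finding.indicators.append(f"db-error:{err}")
    # A 5xx that the baseline did not produce means the input was not rejected
    # at the boundary but blew up deeper in the stack.
    if probed.status >= 500 and baseline.status < 500:
        finding.indicators.append(f"status:{baseline.status}->{probed.status}")
    return finding


def scan(responses: dict) -> dict:
    """responses: {url: {None: baseline, payload: probed_response, ...}}.

    Returns {url: {payload: [indicators]}} for pages where a probe was processed.
    """
    report = {}
    for url, by_payload in responses.items():
        baseline = by_payload[None]
        hits = {}
        for payload, resp in by_payload.items():
            if payload is None:
                continue
            finding = classify(baseline, resp)
            if finding.processed:
                hits[payload] = finding.indicators
        if hits:
            report[url] = hits
    return report


# Constructed sample responses (hypothetical hosts; nothing is fetched).
SAMPLE = {
    "http://shop.example/item?id=7": {
        None: Response(200, "<h1>Item 7</h1><p>In stock</p>"),
        "'": Response(500, "Warning: mysql_fetch_array(): You have an error "
                           "in your SQL syntax near ''' at line 1"),
        '"': Response(200, "<h1>Item 7</h1><p>In stock</p>"),
    },
    # Blog post that quotes a MySQL error: the string is in the baseline too,
    # so the probe must not be flagged (the false-positive case).
    "http://blog.example/post?id=3": {
        None: Response(200, "<p>I hit 'You have an error in your SQL syntax' "
                            "while learning PHP.</p>"),
        "'": Response(200, "<p>I hit 'You have an error in your SQL syntax' "
                           "while learning PHP.</p>"),
    },
    # Input validated at the boundary: rejected with a client error, no leak.
    "http://safe.example/search?q=x": {
        None: Response(200, "<p>0 results</p>"),
        "'": Response(400, "<p>Invalid search term rejected</p>"),
    },
}

if __name__ == "__main__":
    for url, hits in scan(SAMPLE).items():
        for payload, indicators in hits.items():
            print(f"{url} payload={payload!r}: {', '.join(indicators)}")
```

The baseline-versus-probe comparison is deliberately the only decision rule: a single signature match without a baseline is exactly the shortcut that produces the false positives the authors had to weed out by hand, so any hit the script reports still deserves a manual look before it is called a vulnerability.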