• DocumentCode
    187006
  • Title
    A Practical Experience on the Impact of Plugins in Web Security
  • Author
    Coelho Martins da Fonseca, Jose Carlos; Amorim Vieira, Marco Paulo
  • Author_Institution
    CISUC, Univ. of Coimbra, Coimbra, Portugal
  • fYear
    2014
  • fDate
    6-9 Oct. 2014
  • Firstpage
    21
  • Lastpage
    30
  • Abstract
    In an attempt to support customization, many web applications allow the integration of third-party server-side plugins that offer diverse functionality, but also open an additional door for security vulnerabilities. In this paper we study the use of static code analysis tools to detect vulnerabilities in web application plugins. The goal is twofold: 1) to study the effectiveness of static analysis in detecting web application plugin vulnerabilities, and 2) to understand the potential impact of those plugins on the security of the core web application. We use two static code analyzers to evaluate a large number of plugins for a widely used Content Management System. Results show that many plugins that are currently deployed worldwide have dangerous Cross-Site Scripting and SQL Injection vulnerabilities that can be easily exploited, and that even widely used static analysis tools may present disappointing vulnerability coverage and false positive rates.
  • Keywords
    Internet; content management; program diagnostics; security of data; SQL injection vulnerabilities; Web application plugin vulnerabilities; Web security; content management system; cross site scripting; false positive rates; static code analysis tools; Content management; Databases; Manuals; Security; Testing; Web pages; Web applications; plugins; security; static analysis; vulnerabilities;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Reliable Distributed Systems (SRDS), 2014 IEEE 33rd International Symposium on
  • Conference_Location
    Nara
  • Type
    conf
  • DOI
    10.1109/SRDS.2014.20
  • Filename
    6983376