Title :
Vulnerability & attack injection for web applications
Author :
Fonseca, José ; Vieira, Marco ; Madeira, Henrique
Author_Institution :
CISUC, Univ. of Coimbra, Coimbra, Portugal
Date :
June 29 2009-July 2 2009
Abstract :
In this paper we propose a methodology to inject realistic attacks into Web applications. The methodology is based on the idea that by injecting realistic vulnerabilities into a Web application and attacking them automatically we can assess existing security mechanisms. To provide true-to-life results, this methodology relies on field studies of a large number of vulnerabilities in Web applications. The paper also describes a set of tools implementing the proposed methodology. They allow the automation of the entire process, including gathering results and analysis. We used these tools to conduct a set of experiments to demonstrate the feasibility and effectiveness of the proposed methodology. The experiments include the evaluation of the coverage and false positives of an intrusion detection system for SQL injection and the assessment of the effectiveness of two Web application vulnerability scanners. Results show that the injection of vulnerabilities and attacks is an effective way to evaluate security mechanisms and tools.
Keywords :
Internet; SQL; program debugging; program testing; security of data; SQL injection; Web application; Web application vulnerability scanner; intrusion detection system; realistic attack injection tool; realistic test bed; realistic vulnerability injection; security mechanism; software bug; Application software; Automation; Counting circuits; Information security; Inspection; Instruments; Intrusion detection; Performance evaluation; Probes; Testing
Conference_Titel :
Dependable Systems & Networks, 2009. DSN '09. IEEE/IFIP International Conference on
Conference_Location :
Lisbon
Print_ISBN :
978-1-4244-4422-9
Electronic_ISBN :
978-1-4244-4421-2
DOI :
10.1109/DSN.2009.5270349