  • DocumentCode
    3062167
  • Title
    A Clustering Approach for Web Vulnerabilities Detection
  • Author
    Dessiatnikoff, A. ; Akrout, R. ; Alata, E. ; Kaâniche, M. ; Nicomette, V.
  • Author_Institution
    LAAS, Toulouse, France
  • fYear
    2011
  • fDate
    12-14 Dec. 2011
  • Firstpage
    194
  • Lastpage
    203
  • Abstract
    This paper presents a new algorithm aimed at the vulnerability assessment of web applications following a black-box approach. The objective is to improve the detection efficiency of existing vulnerability scanners and to move a step forward toward the automation of this process. Our approach covers various types of vulnerabilities but this paper mainly focuses on SQL injections. The proposed algorithm is based on the automatic classification of the responses returned by the web servers using data clustering techniques and provides especially crafted inputs that lead to successful attacks when vulnerabilities are present. Experimental results on several vulnerable applications and comparative analysis with some existing tools confirm the effectiveness of our approach.
  • Keywords
    Internet; SQL; computer network reliability; computer network security; pattern classification; pattern clustering; SQL injections; Web security assessment; Web servers; Web vulnerability detection; automatic response classification; black-box approach; data clustering techniques; detection efficiency improvement; vulnerability assessment; vulnerability scanners; Algorithm design and analysis; Clustering algorithms; Grammar; Pattern matching; Security; Web servers; clustering; dynamic analysis; security scanners; web security assessment; web vulnerabilities;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Dependable Computing (PRDC), 2011 IEEE 17th Pacific Rim International Symposium on
  • Conference_Location
    Pasadena, CA
  • Print_ISBN
    978-1-4577-2005-5
  • Electronic_ISBN
    978-0-7695-4590-5
  • Type
    conf
  • DOI
    10.1109/PRDC.2011.31
  • Filename
    6133081