Evaluation of Web Security Mechanisms Using Vulnerability & Attack Injection

Bibliographic details
Main author: Fonseca, José Carlos
Publication date: 2014
Document type: Article
Language: eng
Source title: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos)
Full text: http://hdl.handle.net/10314/3164
Abstract: In this paper we propose a methodology and a prototype tool to evaluate web application security mechanisms. The methodology is based on the idea that injecting realistic vulnerabilities in a web application and attacking them automatically can be used to support the assessment of existing security mechanisms and tools in custom setup scenarios. To provide true-to-life results, the proposed vulnerability and attack injection methodology relies on the study of a large number of vulnerabilities in real web applications. In addition to the generic methodology, the paper describes the implementation of the Vulnerability & Attack Injector Tool (VAIT) that allows the automation of the entire process. We used this tool to run a set of experiments that demonstrate the feasibility and the effectiveness of the proposed methodology. The experiments include the evaluation of coverage and false positives of an intrusion detection system for SQL Injection attacks and the assessment of the effectiveness of two top commercial web application vulnerability scanners. Results show that the injection of vulnerabilities and attacks is indeed an effective way to evaluate security mechanisms and to point out not only their weaknesses but also ways for their improvement.
Record metadata
Title: Evaluation of Web Security Mechanisms Using Vulnerability & Attack Injection
Author: Fonseca, José Carlos
Subjects: Security; Fault injection; Internet applications; Review and evaluation
Publisher: IEEE Transactions On Dependable And Secure Computing
DOI: 10.1109/TDSC.2013.37
Publication date: 2014-01-01
Deposited: 2016-11-16
Version: published version (info:eu-repo/semantics/publishedVersion)
Type: article (info:eu-repo/semantics/article)
Rights: open access (info:eu-repo/semantics/openAccess)
URL: http://hdl.handle.net/10314/3164
OAI identifier: oai:bdigital.ipg.pt:10314/3164
Repository: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
Collection: RCAAP