Evaluation of Web Security Mechanisms Using Vulnerability & Attack Injection
Main author: | Fonseca, José Carlos |
---|---|
Publication date: | 2014 |
Document type: | Article |
Language: | English |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos) |
Full text: | http://hdl.handle.net/10314/3164 |
Abstract: | In this paper we propose a methodology and a prototype tool to evaluate web application security mechanisms. The methodology is based on the idea that injecting realistic vulnerabilities into a web application and attacking them automatically can be used to support the assessment of existing security mechanisms and tools in custom setup scenarios. To provide true-to-life results, the proposed vulnerability and attack injection methodology relies on the study of a large number of vulnerabilities in real web applications. In addition to the generic methodology, the paper describes the implementation of the Vulnerability & Attack Injector Tool (VAIT), which automates the entire process. We used this tool to run a set of experiments that demonstrate the feasibility and the effectiveness of the proposed methodology. The experiments include the evaluation of coverage and false positives of an intrusion detection system for SQL Injection attacks and the assessment of the effectiveness of two top commercial web application vulnerability scanners. Results show that the injection of vulnerabilities and attacks is indeed an effective way to evaluate security mechanisms and to point out not only their weaknesses but also ways for their improvement. |
Keywords: | Security; Fault injection; Internet applications; Review and evaluation |
Published in: | IEEE Transactions on Dependable and Secure Computing |
DOI: | 10.1109/TDSC.2013.37 |
Version and rights: | published version; open access |
Record id: | RCAP_d80e01cd6d41fcded2d5b06352496e7f |
OAI identifier: | oai:bdigital.ipg.pt:10314/3164 |
Institution: | Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |