Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities


Bibliographic Details

Published in: 2012 34th International Conference on Software Engineering (ICSE), pp. 1293-1296
Main Authors: Lwin Khin Shar, Hee Beng Kuan Tan
Format: Conference Proceeding
Language: English
Published: IEEE, 01.06.2012

Summary: Static code attributes such as lines of code and cyclomatic complexity have been shown to be useful indicators of defects in software modules. As web applications adopt input sanitization routines to prevent web security risks, static code attributes that represent the characteristics of these routines may be useful for predicting web application vulnerabilities. In this paper, we classify various input sanitization methods into different types and propose a set of static code attributes that represent these types. Then we use data mining methods to predict SQL injection and cross site scripting vulnerabilities in web applications. Preliminary experiments show that our proposed attributes are important indicators of such vulnerabilities.
ISBN: 9781467310666, 1467310662
ISSN: 0270-5257, 1558-1225
DOI: 10.1109/ICSE.2012.6227096