See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/266654806

Security vulnerabilities and mitigation techniques of web applications

Article · November 2013

DOI: 10.1145/2523514.2523589

CITATION READS
1 283

1 author:

Hossain Shahriar
Kennesaw State University
103 PUBLICATIONS   664 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Mitigating distributed denial of service attacks at the application layer View project

COMPSAC Message View project

All content following this page was uploaded by Hossain Shahriar on 17 December 2015.

The user has requested enhancement of the downloaded file.

 Security Vulnerabilities and Mitigation Techniques of Web
Applications
Hossain Shahriar
Department of Computer Science
Kennesaw State University
Kennesaw, GA 30144, USA
hshahria@kennesaw.edu
ABSTRACT
Web applications contain vulnerabilities, which may lead to
serious security breaches such as stealing of confidential
information. To protect against security breaches, it is necessary
to understand the detailed steps of attacks and the pros and cons of
existing defense mechanisms. This tutorial provides an overview
of four web application security vulnerabilities: SQL injection,
Cross-Site Scripting, Cross-Site Request Forgery, and
clickjacking. Then it discusses two popular mitigation approaches:
security testing and monitoring. The tutorial is intended to enable
practitioners for choosing the right technique to defend against
web application security vulnerabilities.
Categories and Subject Descriptors
C.2.0 [COMPUTER-COMMUNICATION NETWORKS]
General, Security and protection.
H.2.7 [DATABASE ADMINISTRATION] Security, Integrity,
and Protection.
General Terms
Security, Languages, Verification.
Keywords
Web security, SQL Injection, XSS, CSRF, Clickjacking, Security
testing, monitoring.
1. INTRODUCTION
Web applications are implemented in different languages and
many of them contain security vulnerabilities at the code level
(e.g., insufficient input sanitization). Some of the vulnerabilities
can be attributed to the runtime features (e.g., browsers attach
cookie automatically for outgoing requests). Thus, vulnerabilities
open up the door for attackers to perform malicious activities with
or without the knowledge of victims.
A recent survey by Grossman [1] indicates that web applications
from various domains (e.g., Banking, Healthcare, IT, Education,
Social Networking) are still commonly found to be vulnerable.
Fixing reported vulnerabilities may easily take more than a month.
Another report [2] indicates that SQL Injection (SQLI) and Cross-
Site Scripting (XSS) are still the two top ranked vulnerabilities
widely discovered in web applications followed by session
management related vulnerabilities. These vulnerabilities can
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. To copy
otherwise, or republish, to post on servers or to redistribute to lists,
requires prior specific permission and/or a fee.
SIN’13, November 26-28, 2013, Aksaray, Turkey.
Copyright © 2013 ACM 978-1-4503-2498-4/00/10... $15.00
View publication stats
result in security breaches such as stealing of confidential
information and session hijacking. Thus, it is necessity to increase
the awareness of common web security vulnerabilities, their
impact on the end users, and available mitigation techniques.
In this tutorial, we discuss four types of web application
vulnerabilities: SQLI [3], XSS [4], Cross-Site Request Forgery
(CSRF) [5], and clickjacking [6]. We show examples of
exploitations for each of the vulnerabilities. Then, we discuss two
well-known mitigation approaches: security testing, and
monitoring (e.g., [7-10]). Our discussion for security testing
involves comparing existing mitigation approaches based on some
common features such as test case generation, source of test case,
test case granularity, and vulnerability coverage [11]. We examine
existing mitigation techniques based on monitoring objectives
such as code execution flow and code structure integrity.
The tutorial is intended to highlight the context and applicability
of mitigation approaches. The discussion would enable
practitioners to choose the desired mitigation techniques based on
their needs.
2. REFERENCES
[1] J. Grossman, How does your website security stack up against peers?
White Hat Report, Summer 2012, Accessed from
https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
[2] Application Vulnerability Trend Report, CEZNIC White paper, 2013,
Accessed from http://info.cenzic.com/rs/cenzic/images/Cenzic-
Application-Vulnerability-Trends-Report-2013.pdf
[3] SQL Injection, https://www.owasp.org/index.php/SQL_Injection
[4] XSS, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[5] Cross-Site Request forgery, https://www.owasp.org/index.php/Cross-
Site_Request_Forgery_(CSRF).
[6] Clickjacking, https://www.owasp.org/index.php/Clickjacking
[7] H. Shahriar, S. North, and W. Chen, “Early Detection of SQL Injection
Attacks,” International Journal of Network Security & Its
Applications (IJNSA), Vol. 5, No. 4, July 2013, pp. 53-65.
[8] H. Shahriar, V. Devendran, and H. Haddad, “ProClick: A Framework
for Testing Clickjacking Attacks in Web Applications,” Proc. of 6th
ACM/SIGSAC International Conference on Security of Information
and Networks (SIN 2013), Aksaray, Turkey, November 2013, 8 pp.
(to appear).
[9] H. Shahriar and M. Zulkernine, “S2XS2: A Server Side Approach to
Automatically Detect XSS Attacks,” Proc. of the 9th IEEE
International Conference on Dependable, Autonomic and Secure
Computing (DASC), Sydney, Australia, December 2011, pp. 7-14.
[10] H. Shahriar and M. Zulkernine, “Client-Side Detection of Cross-Site
Request Forgery Attacks,” Proc. of the 21st IEEE International
Symposium on Software Reliability Engineering (ISSRE), San Jose,
USA, November 2010, pp. 358-367.
[11] H. Shahriar and M. Zulkernine, “Mitigation of Program Security
Vulnerabilities: Approaches and Challenges,” ACM Computing
Surveys, Vol. 44, No. 3, Article 11, pp. 1-46, May 2012.