
Evaluation of Web Security Mechanisms (Using Vulnerability and Attack Injector Tool)


Under the guidance of:
Dr. Shantharam Nayak, Professor, Department of ISE

By:
Prateek Mandi (1RV12IS034)
Gireesh B P (1RV13IS401)
Lavanya (1RV10IS017)

Introduction
The number of web applications is increasing: personal websites, blogs, news, social networks, web mail, bank agencies, forums, e-commerce applications, etc.
Web applications are highly exposed to attacks from anywhere in the world; hence there is increasing concern about security.
There is a need to evaluate the security of web applications and of attack countermeasure tools.
To handle web application security, new tools need to be developed, and procedures and regulations must be improved, redesigned or invented.
New ways are needed to effectively test existing web application security mechanisms in order to evaluate and improve them.
Proposed: a methodology and a tool to inject vulnerabilities and attacks into web applications.

Methodology
The attack injection methodology is based on dynamic analysis and static analysis: information obtained from runtime monitoring of the web application, and the source code of the application.
The methodology can be applied to various types of vulnerabilities; the focus here is on two: SQL Injection (SQLi) and Cross-Site Scripting (XSS).

Overview

Stages
Preparation Stage
Vulnerability Injection Stage
Attackload Generation Stage
Attack Stage

Architecture of VAIT Tool

Advantages
The use of both static and dynamic analysis is a key feature of the methodology. It increases the overall performance and effectiveness, as it provides the means to inject more vulnerabilities that can be successfully attacked.
The proposed methodology provides a practical environment that can be used to test countermeasure mechanisms such as intrusion detection systems (IDSs), web application vulnerability scanners, web application firewalls, static code analyzers, etc.

Conclusion
The methodology consists of analyzing the web application and generating a set of potential vulnerabilities. Each vulnerability is then injected and various attacks are carried out.
The proposed methodology can effectively be used to evaluate security mechanisms like the IDS, providing at the same time indications of what could be improved.
By injecting vulnerabilities and attacking them automatically, the VAIT could find weaknesses in the IDS. These results were very important in developing bug fixes.
The VAIT was also used to evaluate two commercial and widely used web application vulnerability scanners, concerning their ability to detect SQLi vulnerabilities in web applications.
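
The evaluation idea in the Conclusion, as an added example that is not code from the slides or from VAIT: because the harness issued every request itself, it holds ground truth and can score a detection mechanism for coverage, misses and false alarms. The log entries, signature list and function names are constructed assumptions standing in for a real attack log and a real IDS.

```python
import re
from urllib.parse import unquote_plus

# Constructed attack-stage log: (request id, parameter value, was it an attack?).
# The harness knows the ground truth because it generated the requests.
ATTACK_LOG = [
    ("r1", "42", False),
    ("r2", "1' OR '1'='1", True),                 # textbook SQLi probe
    ("r3", "1%27%20OR%20%271%27%3D%271", True),   # same input, URL-encoded
    ("r4", "O'Reilly", False),                    # benign value with a quote
    ("r5", "<script>alert(1)</script>", True),    # textbook XSS probe
    ("r6", "select a plan or upgrade", False),    # benign text with SQL words
    ("r7", "<scripture> notes", False),           # benign, resembles a tag
]

# Hypothetical signature set standing in for the mechanism under evaluation.
SIGNATURES = [
    re.compile(r"'\s*or\s*'", re.I),
    re.compile(r"<\s*script", re.I),
]

def detect(value, normalise=False):
    """Return True if any signature fires; optionally URL-decode first."""
    if normalise:
        value = unquote_plus(value)
    return any(sig.search(value) for sig in SIGNATURES)

def evaluate(log, normalise=False):
    """Score the detector against ground truth from the attack stage."""
    hits, missed, false_alarms = 0, [], []
    for rid, value, is_attack in log:
        alerted = detect(value, normalise)
        if is_attack and alerted:
            hits += 1
        elif is_attack:
            missed.append(rid)        # weakness to report back for a fix
        elif alerted:
            false_alarms.append(rid)  # benign request flagged
    attacks = sum(1 for _, _, is_attack in log if is_attack)
    return {"coverage": hits / attacks, "missed": missed,
            "false_alarms": false_alarms}

if __name__ == "__main__":
    print("raw input:       ", evaluate(ATTACK_LOG))
    print("decoded first:   ", evaluate(ATTACK_LOG, normalise=True))
```

The missed request in the first run is the kind of "indication of what could be improved" the slides refer to: the detector matched on raw bytes, and decoding before matching closes that gap while the false alarm on `r7` remains to be tuned.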
