We present a novel method for static analysis in which we combine data-flow analysis with machine learning to detect SQL injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities in PHP applications. We assembled a dataset from the National Vulnerability Database and the SAMATE project, containing vulnerable PHP code samples and their patched versions in which the vulnerability is solved. We extracted features from the code samples by applying data-flow analysis techniques, including reaching definitions analysis, taint analysis, and reaching constants analysis. We used these features in machine learning to train various probabilistic classifiers. To demonstrate the effectiveness of our approach, we built a tool called WIRECAML, and c...
Most web applications have critical bugs (faults) affecting their security, which makes them vulnera...
The Web today is a growing universe of pages and applications teeming with interactive content. The...
More than half of all of the vulnerabilities re-ported can be classified as input manipulation, such...
The number and the importance of Web applications have increased rapidly over the last years. At the...
With the widespread adoption of dynamic web applications in recent years, a number of threats to the...
This thesis presents approaches for mitigating SQL injection (SQLI) and cross site scripting (XSS) v...
We present a technique for finding security vulnerabilitiesin Web applications. SQL Injection (SQLI)...
Static code attributes such as lines of code and cyclomatic complexity have been shown to be useful ...
Abstract—In previous work, we proposed a set of static attributes that characterize input validation...
SQL injection and cross-site scripting are two of the most common security vulnerabilities that plag...
We compared vulnerable and fixed versions of the source code of 50 different PHP open source project...
Tese de mestrado, Engenharia Informática (Arquitetura, Sistemas e Redes de Computadores) Universidad...
Abstract—The World Wide Web grew rapidly during the last decades and is used by millions of people e...
This paper is intended to be a summary of the ideas provided by Yichen Xie & Alex Aiken [1]. The...
Possibly, reason for that insecurity of web applications is the fact many programmers lack appropria...
Most web applications have critical bugs (faults) affecting their security, which makes them vulnera...
The Web today is a growing universe of pages and applications teeming with interactive content. The...
More than half of all of the vulnerabilities re-ported can be classified as input manipulation, such...
The number and the importance of Web applications have increased rapidly over the last years. At the...
With the widespread adoption of dynamic web applications in recent years, a number of threats to the...
This thesis presents approaches for mitigating SQL injection (SQLI) and cross site scripting (XSS) v...
We present a technique for finding security vulnerabilitiesin Web applications. SQL Injection (SQLI)...
Static code attributes such as lines of code and cyclomatic complexity have been shown to be useful ...
Abstract—In previous work, we proposed a set of static attributes that characterize input validation...
SQL injection and cross-site scripting are two of the most common security vulnerabilities that plag...
We compared vulnerable and fixed versions of the source code of 50 different PHP open source project...
Tese de mestrado, Engenharia Informática (Arquitetura, Sistemas e Redes de Computadores) Universidad...
Abstract—The World Wide Web grew rapidly during the last decades and is used by millions of people e...
This paper is intended to be a summary of the ideas provided by Yichen Xie & Alex Aiken [1]. The...
Possibly, reason for that insecurity of web applications is the fact many programmers lack appropria...
Most web applications have critical bugs (faults) affecting their security, which makes them vulnera...
The Web today is a growing universe of pages and applications teeming with interactive content. The...
More than half of all of the vulnerabilities re-ported can be classified as input manipulation, such...