Towards Security Testing with Taint Analysis and Genetic Algorithms

Avancini, Andrea; Ceccato, Mariano
2010-01-01

Abstract

Cross-site scripting is considered the major threat to the security of web applications. Removing vulnerabilities from existing web applications is a manual, expensive task that would benefit from some level of automatic assistance. Static analysis represents a valuable support for security review, by suggesting candidate vulnerable points to be checked manually. However, potential benefits are quite limited when too many false positives, safe portions of code classified as vulnerable, are reported. In this paper, we present a preliminary investigation on the integration of static analysis with genetic algorithms. We show that this approach can suggest candidate false positives reported by static analysis and provide input vectors that expose actual vulnerabilities, to be used as test cases in security testing.
2010
9781605589657

Use this identifier to cite or link to this document: https://hdl.handle.net/11582/7848