SAISAN: An Automated Local File Inclusion Vulnerability Detection Model

 
 
 
  • Abstract


    Communicating with consumers and delivering services to them through web applications has become very popular because of the user-friendly interface, global accessibility and easy manageability such applications offer. Careless design and development of web applications is a key cause of security breaches, which are alarming for users as well as for web administrators. Local File Inclusion (LFI) vulnerability is currently found in many web applications; it can lead to remote code execution on the host server and to sensitive information disclosure. Detecting LFI vulnerability is therefore a critical concern for web owners who need to take effective measures to mitigate the risk. After reviewing the literature, we found little research on automated detection of LFI vulnerability. This paper proposes an automated LFI vulnerability detection model, SAISAN, for web applications and implements it as a tool. 265 web applications from four different sectors were examined, and the tool achieved 88% accuracy compared with the manual penetration testing method.
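The abstract does not describe how SAISAN probes a target, so the following is an added illustration rather than the paper's own code: the generic black-box check an automated LFI scanner must perform, namely injecting directory-traversal payloads into an include parameter and confirming the vulnerability only when the response contains content that can come solely from the requested OS file. The target is a constructed in-memory stand-in for an unvalidated `include('pages/' . $_GET['page'])`; the file contents, paths, the `vulnerable_include`/`hardened_include` names and the `fetch` callback are all assumptions made for the example, and a real scanner would send HTTP requests in place of the callback.

```python
"""Black-box Local File Inclusion (LFI) probe against a simulated target.

Added illustration, not SAISAN's code. Shows the generic approach an
automated LFI scanner takes: inject traversal payloads into a parameter
and match the response against a signature that only the real OS file
can produce, so that error pages and echoed input are not counted.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Callable, Iterator, Optional

# Constructed fake server filesystem (assumed paths/contents, not a real host).
WEBROOT = "/var/www/html"
FAKE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
    ),
    f"{WEBROOT}/pages/home.php": "<h1>Home</h1>",
    f"{WEBROOT}/pages/about.php": "<h1>About</h1>",
}


def vulnerable_include(page: str) -> str:
    """Stand-in for `include('pages/' . $_GET['page'])` with no validation.

    The parameter is concatenated onto a fixed prefix, so an absolute path
    does not work but '../' sequences walk out of the web root.
    """
    path = posixpath.normpath(posixpath.join(WEBROOT, "pages/" + page))
    return FAKE_FS.get(path, "Warning: include(): failed to open stream")


def hardened_include(page: str) -> str:
    """Allow-list fix: map a bare page name to a file, never a user path."""
    allowed = {"home", "about"}
    if page not in allowed:
        return "404 Not Found"
    return FAKE_FS[f"{WEBROOT}/pages/{page}.php"]


# Evidence that proves the real file was included (not an echo of input).
SIGNATURES = {
    "/etc/passwd": re.compile(r"^root:x:0:0:", re.M),
}


def traversal_payloads(target: str = "/etc/passwd", max_depth: int = 8) -> Iterator[str]:
    """Absolute path first, then relative traversal at increasing depth.

    A production scanner adds encoded variants (%2e%2e%2f, ..%c0%af),
    null-byte suffix tricks for old PHP and php:// wrappers; omitted here.
    """
    yield target
    rel = target.lstrip("/")
    for depth in range(1, max_depth + 1):
        yield "../" * depth + rel


@dataclass
class Finding:
    payload: str   # parameter value that triggered the inclusion
    evidence: str  # matched signature text from the response


def probe(fetch: Callable[[str], str], target: str = "/etc/passwd") -> Optional[Finding]:
    """fetch(param_value) returns the response body for that parameter value.

    Returns the first confirmed finding, or None if no payload produced
    signature-bearing output (an error message alone is not a confirmation).
    """
    sig = SIGNATURES[target]
    for payload in traversal_payloads(target):
        match = sig.search(fetch(payload))
        if match:
            return Finding(payload=payload, evidence=match.group(0))
    return None


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_include), ("hardened", hardened_include)):
        print(name, "->", probe(app))
```

The decisive design choice is signature-based confirmation: matching `root:x:0:0:` rather than the absence of an error keeps false positives down, which is the kind of check that separates a tool's accuracy from a manual tester's judgement. Against the simulated target the fourth traversal depth resolves to `/etc/passwd`; the allow-listed version yields no finding for any payload.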


  • Keywords


    Cyber Security, Web Application Security, Web Application Vulnerability, Automated Vulnerability Detection Tool, Local File Inclusion (LFI).



 

Article ID: 9956
 
DOI: 10.14419/ijet.v7i2.3.9956




Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.