Towards Web Application Security by Automated Code Correction

Ricardo Morgado, Ibéria Medeiros, Nuno Neves

Abstract

Web applications are commonly used to provide access to the services and resources offered by companies. However, they are known to contain vulnerabilities in their source code which, when exploited, can cause serious damage to organizations, such as the theft of millions of user credentials. For this reason, it is crucial to protect critical services, such as health care and financial services, with safe web applications. Vulnerabilities are often left in the source code unintentionally by programmers who have insufficient knowledge of how to write secure code. For example, developers often employ the sanitization functions of the programming language, believing that they will defend their applications. However, some of those functions do not neutralize all attacks, leaving the applications still vulnerable. This paper presents an approach and a tool capable of automatically correcting web applications by removing relevant classes of vulnerabilities (XSS and SQL injection). The tool was evaluated with both benchmark test cases and real code, and the results are very encouraging. They show that the tool can insert safe and correct fixes while maintaining the original behavior of the web applications in the vast majority of the cases.


Paper Citation


in Harvard Style

Morgado R., Medeiros I. and Neves N. (2020). Towards Web Application Security by Automated Code Correction. In Proceedings of the 15th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE, ISBN 978-989-758-421-3, pages 86-96. DOI: 10.5220/0009369900860096


in Bibtex Style

@conference{enase20,
author={Ricardo Morgado and Ibéria Medeiros and Nuno Neves},
title={Towards Web Application Security by Automated Code Correction},
booktitle={Proceedings of the 15th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE},
year={2020},
pages={86-96},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0009369900860096},
isbn={978-989-758-421-3},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 15th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE
TI - Towards Web Application Security by Automated Code Correction
SN - 978-989-758-421-3
AU - Morgado R.
AU - Medeiros I.
AU - Neves N.
PY - 2020
SP - 86
EP - 96
DO - 10.5220/0009369900860096