An Extensible Framework for Web Application Vulnerabilities Visualization and Analysis

  • Conference paper
Future Data and Security Engineering (FDSE 2014)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 8860)

Abstract

The popularity of web-based applications makes them attractive targets for cyber attacks. To deal with that threat, discovering existing vulnerabilities is a proactive step. Although there are many web application scanners designed for this task, they lack visual analysis capability and do not collaborate well with one another. In this paper, we propose a novel visualization technique and a flexible framework to solve the two problems mentioned above. We also develop a prototype based on the proposal and use it to experiment with virtual websites. The experimental results indicate the unique benefits our work offers. More importantly, they show that improving the visualization technique from a technical viewpoint is not enough: improving it from a human cognitive viewpoint should be given higher priority.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Dang, T.T., Dang, T.K. (2014). An Extensible Framework for Web Application Vulnerabilities Visualization and Analysis. In: Dang, T.K., Wagner, R., Neuhold, E., Takizawa, M., Küng, J., Thoai, N. (eds) Future Data and Security Engineering. FDSE 2014. Lecture Notes in Computer Science, vol 8860. Springer, Cham. https://doi.org/10.1007/978-3-319-12778-1_7

  • DOI: https://doi.org/10.1007/978-3-319-12778-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12777-4

  • Online ISBN: 978-3-319-12778-1

  • eBook Packages: Computer Science (R0)
