Abstract
With every passing year, there are more and more websites, which often process sensitive and/or valuable information. Due to models like Continuous Development, manual testing and code review are reduced to minimum, with new features implemented and deployed even on the same day. This calls for development of new automated testing methods, especially the ones that will allow for identification of potential security issues. In this article such a new method, which is based on automated web pages comparisons, clustering and grammatical evolution is proposed. This method allows for automated testing of a website and can identify outstanding (unusual) web pages. Such pages can then be further investigated by checking if they are legitimate, contain some unused modules or potential threats to application security. The proposed method can identify such anomalous pages within the set of interlinked web pages, but can also find web pages that are not linked to any other web page on the server by utilizing genetic-based generation of URLs.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Symantec: Internet Security Threat Report (2015). http://www.symantec.com/security_response/publications/threatreport.jsp
WhiteHat: Website Security Statistics Report (2013). http://info.whitehatsec.com/2013-website-security-report.html
van Goethem, T., Chen, P., Nikiforakis, N., Desmet, L., Joosen, W.: Large-Scale Security Analysis of the Web: Challenges and Findings. In: Holz, T., Ioannidis, S. (eds.) Trust 2014. LNCS, vol. 8564, pp. 110–126. Springer, Heidelberg (2014)
Rawat, S., Mounier, L.: An evolutionary computing approach for hunting buffer overflow vulnerabilities: a case of aiming in dim light. In: 2011 Seventh European Conference on Computer Network Defense, pp. 37–45 (2010)
Duchene, F., Rawat, S., Richier, J.L., Groz, R.: Kameleonfuzz: evolutionary fuzzing for black-box xss detection. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, CODASPY 2014, NY, USA, pp. 37–48. ACM, New York (2014)
Budynek, J., Bonabeau, E., Shargel, B.: Evolving computer intrusion scripts for vulnerability assessment and log analysis. In: Proceedings of the 7th Annual Conference on Genetic and Evolutionary Computation, GECCO 2005, NY, USA, pp. 1905–1912 (2005).http://doi.acm.org/10.1145/1068009.1068331
Dozier, G., Brown, D., Hou, H., Hurley, J.: Vulnerability analysis of immunity-based intrusion detection systems using genetic and evolutionary hackers. Appl. Soft Comput. 7(2), 547–553 (2007). http://www.sciencedirect.com/science/article/pii/S1568494606000512
Levenshtein, V.: Binary Codes Capable of Correcting Deletions and Insertions and Reversals. Soviet Physics Doklady 10(8), 707–710 (1966)
Andoni, A., Onak, K.: Approximating edit distance in near-linear time. SIAM J. Comput. 41(6), 1635–1648 (2012)
Zachara, M., Pałka, D.: Comparison of text-similarity metrics for the purpose of identifying identical web pages during automated web application testing. In: Grzech, A., Borzemski, L., Świątek, J., Wilimowska, Z. (eds.) ISAT 2015, Part II. AISC, vol. 430, pp. 25–35. Springer, Heidelberg (2016)
Borg, I., Groenen, P.: Modern Multidimensional Scaling: Theory and Applications. Springer, New York (2005)
Torgerson, W.S.: Multidimensional scaling: I. theory and method. Psychometrika 17(4), 401–419 (1952)
Kamada, T., Kawai, S.: An algorithm for drawing general undirected graphs. Inf. Process. Lett. 31(1), 7–15 (1989)
O’Neill, M., Ryan, C.: Grammatical evolution. IEEE Trans. Evol. Comput. 5(4), 349–358 (2001)
O’Neill, M., Ryan, C.: Grammatical Evolution: Evolutionary Automatic Programming in a Arbitrary Language. Genetic programming, vol. 4. Kluwer Academic Publishers (2003)
Koza, J.R.: Genetic Programming: On the Programming of Computers by Means of Natural Selection. MIT Press, Cambridge (1992)
Glover, F.: Future paths for integer programming and links to artificial intelligence. Comput. Oper. Res. 13(5), 533–549 (1986)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Pałka, D., Zachara, M., Wójcik, K. (2016). Evolutionary Scanner of Web Application Vulnerabilities. In: Gaj, P., Kwiecień, A., Stera, P. (eds) Computer Networks. CN 2016. Communications in Computer and Information Science, vol 608. Springer, Cham. https://doi.org/10.1007/978-3-319-39207-3_33
Download citation
DOI: https://doi.org/10.1007/978-3-319-39207-3_33
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-39206-6
Online ISBN: 978-3-319-39207-3
eBook Packages: Computer ScienceComputer Science (R0)