The Evolution of Input Validation Vulnerabilities in Web Applications
Web applications have become important services in our daily lives. Millions of users use web applications to obtain information, perform financial transactions, have fun, socialize, and communicate. Unfortunately, web applications are also frequently targeted by attackers. Recent data from the SANS Institute estimates that up to 60% of Internet attacks target web applications. Researchers from SAP Research Sophia-Antipolis, Institut Eurecom and Iseclab performed an empirical analysis of a large number of web vulnerability reports with the aim of understanding how input validation flaws, a specific type of web application vulnerability, have evolved in the last decade.
The work resulted in a scientific publication that has been accepted at the Financial Cryptography and Data Security ’11 conference, to be held in St. Lucia. In the paper entitled “Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications”, we study the evolution of Cross-Site Scripting and SQL Injection vulnerabilities in web applications over the past decade. This blog post provides a short overview of the paper.
We chose to focus our study on Cross-Site Scripting and SQL Injection vulnerabilities because these two classes of web application vulnerabilities share the same root cause: improper sanitization of user-supplied input. Moreover, they are prevalent, well-known and have been well-studied in the past decade. By performing an automated analysis of the National Vulnerability Database provided by NIST, we learned that the number of vulnerabilities in these classes is, surprisingly, not decreasing. In our study, we tried to find out why these numbers are not decreasing despite the efforts made by researchers, industry and awareness programs, such as OWASP, to mitigate the problem.
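To make the shared root cause concrete, here is an added illustration (not code from the paper or the blog) of how untrusted input that is concatenated into a query or a page becomes part of the SQL or HTML grammar, while binding it as a parameter or output-encoding it keeps it as plain data. The table, user records and inputs are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample records; note the apostrophe in the second name.
USERS = [("alice", "Alice Liddell"), ("obrien", "Conor O'Brien")]


def _db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(login):
    """Concatenation: the input is parsed as part of the SQL statement.

    Returns the matching names, or None when the input has broken the
    statement's structure (the same mechanism an injection relies on).
    """
    sql = "SELECT name FROM users WHERE login = '" + login + "'"
    try:
        return [r[0] for r in _db().execute(sql).fetchall()]
    except sqlite3.Error:
        return None


def lookup_parameterized(login):
    """Bound parameter: the input is always data, never SQL syntax."""
    rows = _db().execute(
        "SELECT name FROM users WHERE login = ?", (login,)
    ).fetchall()
    return [r[0] for r in rows]


def render_vulnerable(name):
    """Raw interpolation: any markup in `name` is parsed by the browser."""
    return "<p>Hello, " + name + "</p>"


def render_encoded(name):
    """Output encoding for HTML text context neutralizes markup characters."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

A single quote in a legitimate login already breaks the concatenated query, which is exactly the property an attacker abuses; the parameterized lookup simply returns no rows.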
First, we automatically analyzed 2600 vulnerabilities associated with exploits originating from different Security Information Providers, such as SecurityFocus, Secunia and OSVDB, to see whether attacks become more sophisticated over time, e.g. whether they try to evade input sanitization or other defense mechanisms. Furthermore, we were interested in gaining insight into the relation between a web application's popularity and the number of vulnerabilities reported for it. Last, but not least, we looked at the ten most affected applications to see whether these applications become more secure over time.
In general, the empirical data we collected and analyzed confirm the folk wisdom that developers are still very bad at securing their web applications. Unsurprisingly, the traditional practice of writing web applications and then testing them for security problems does not seem to be working very well in practice. I think that more research is needed in securing applications by design. Also, we need to find out why the security of web applications is just not getting any better, and why people are not using the existing tools out there… Is web security research failing?
If you are interested in our future work in this area, I encourage you to check this blog once in a while. For further information please contact: Theodoor Scholte (email@example.com)