Abstract
Attackers can exploit vulnerabilities in web applications to carry out malicious acts such as corrupting application functionality and implanting Trojan horses. For injection vulnerabilities in web applications, existing methods are limited by the variety of programming languages and by the difficulty of extracting the semantic information needed to detect complex vulnerabilities. This paper proposes a pattern-matching-based method for identifying injection vulnerabilities in web applications. It modifies the code property graph so that it can handle the more complex inter-function relationships found in web applications, which turns vulnerability identification into path matching in a graph database. We designed and implemented a prototype system, VulnFinder. Using 100 randomly selected, highly starred open-source GitHub projects as the dataset for performance testing, we found 262 real vulnerabilities and ran comparison experiments against the static scanning tools RIPS and Cobra. VulnFinder far exceeded the comparison tools in vulnerability determination accuracy, determining vulnerabilities in the dataset with 94% accuracy. In scanning large projects, VulnFinder was approximately 21% more efficient than RIPS, a tool with a comparable methodology.
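To make the idea of "vulnerability identification as path matching" concrete, here is an added example that is not VulnFinder's code or the paper's graph schema: a toy graph with constructed PHP-like statements as nodes and data-flow edges (including caller-argument to callee-parameter edges), searched for source-to-sink paths. The node kinds, edge labels and the rule that a sanitizer node ends a tainted path are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed toy graph (assumption, not the paper's schema): node id ->
# (kind, code). ARG_TO_PARAM edges model data crossing a function boundary.
NODES = {
    1: ("source", "$id = $_GET['id']"),
    2: ("call", "show_user($id)"),
    3: ("param", "function show_user($uid)"),
    4: ("sink", "mysqli_query($db, \"... WHERE id=$uid\")"),
    5: ("source", "$name = $_POST['name']"),
    6: ("sanitizer", "$safe = mysqli_real_escape_string($db, $name)"),
    7: ("call", "find_by_name($safe)"),
    8: ("param", "function find_by_name($n)"),
    9: ("sink", "mysqli_query($db, \"... WHERE name='$n'\")"),
}
EDGES = [
    (1, "REACHES", 2), (2, "ARG_TO_PARAM", 3), (3, "REACHES", 4),
    (5, "REACHES", 6), (6, "REACHES", 7), (7, "ARG_TO_PARAM", 8),
    (8, "REACHES", 9),
]

def find_injection_paths(nodes, edges, max_depth=10):
    """Return every source->sink path that does not cross a sanitizer node."""
    adj = defaultdict(list)
    for src, _label, dst in edges:
        adj[src].append(dst)
    findings = []

    def walk(path):
        kind = nodes[path[-1]][0]
        if kind == "sanitizer":
            return                      # assumption: sanitizer removes taint
        if kind == "sink":
            findings.append(list(path)) # tainted data reached a query sink
            return
        if len(path) > max_depth:
            return
        for nxt in adj[path[-1]]:
            if nxt not in path:         # do not loop on cyclic data flow
                walk(path + [nxt])

    for nid, (kind, _code) in nodes.items():
        if kind == "source":
            walk([nid])
    return findings

if __name__ == "__main__":
    for p in find_injection_paths(NODES, EDGES):
        print(" -> ".join(NODES[n][1] for n in p))
```

Only the first flow is reported: it crosses the function boundary unsanitized, while the second passes through the escaping call before reaching its sink.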