Abstract

Web applications are notoriously vulnerable to code injection attacks. Practitioners therefore need to assess the risk that code injection attacks pose to an application so that they can plan the necessary mitigation in advance. This paper proposes a risk assessment approach for code injection vulnerabilities in web applications. We are motivated by the observation that traditional risk assessment approaches work well when the quantitative values of the specific parameters of the risk computation model are known in advance; in practice, these values are difficult to predict correctly. Moreover, one specific code injection vulnerability can be exploited in different ways that result in different severity levels. Further, existing approaches cannot combine diverse types of injection vulnerabilities and their implications. To address these limitations, we propose a Fuzzy Logic-based System (FLS) to assess the risk due to different types of code injection vulnerabilities. A further contribution is a set of proposed code-level metrics that can be used to establish the linguistic terms that express vulnerability levels and their impact subjectively. We apply a nested FLS to combine the risk from multiple vulnerabilities into a single value representing the overall risk. We evaluate our approach on three real-world web applications implemented in PHP, applying it to SQL Injection (SQLI) and Cross-Site Scripting (XSS), the two most widely reported vulnerabilities in today's web applications. The initial results indicate that the proposed approach can effectively assess the high risks present in vulnerable applications.
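As an added illustration (not the paper's code) of the nested FLS the abstract describes: each vulnerability type's level and impact are fuzzified into linguistic terms, a rule base maps them to a risk term, the result is defuzzified, and a second FLS combines the SQLI and XSS risks into one overall value. The triangular membership functions, the normalised [0, 1] metric scale and the risk-matrix-style rule base are assumptions, since the abstract does not give the paper's own code-level metrics or rules.

```python
# Added illustration of a nested fuzzy-logic risk model; not the paper's code.
# Membership functions, rule base and the [0, 1] metric scale are assumptions.
from typing import Callable, Dict


def tri(a: float, b: float, c: float) -> Callable[[float], float]:
    """Triangular membership function peaking at b, zero outside (a, c)."""
    def f(x: float) -> float:
        if x <= a or x >= c:
            return 0.0
        return (x - a) / (b - a) if x <= b else (c - x) / (c - b)
    return f


# Linguistic terms "low"/"medium"/"high" over a normalised [0, 1] scale (assumed).
TERMS: Dict[str, Callable[[float], float]] = {
    "low": tri(-0.5, 0.0, 0.5),
    "medium": tri(0.0, 0.5, 1.0),
    "high": tri(0.5, 1.0, 1.5),
}
RANK = {"low": 0, "medium": 1, "high": 2}      # ordering of the terms
CENTROID = {"low": 0.0, "medium": 0.5, "high": 1.0}  # crisp centre of each output term


def fuzzify(x: float) -> Dict[str, float]:
    """Degree of membership of a crisp metric value in each linguistic term."""
    return {term: mf(x) for term, mf in TERMS.items()}


def infer(a: float, b: float) -> float:
    """Mamdani-style two-input FLS. Assumed rule base: the output term is the
    rounded-up mean rank of the two input terms (a conservative risk matrix),
    firing strength is min(), rules aggregate by max(), and the crisp result
    is the weighted centroid of the fired output terms."""
    fired: Dict[str, float] = {t: 0.0 for t in TERMS}
    for ta, wa in fuzzify(a).items():
        for tb, wb in fuzzify(b).items():
            out = [t for t, r in RANK.items() if r == (RANK[ta] + RANK[tb] + 1) // 2][0]
            fired[out] = max(fired[out], min(wa, wb))
    total = sum(fired.values())
    return sum(CENTROID[t] * w for t, w in fired.items()) / total if total else 0.0


def vulnerability_risk(level: float, impact: float) -> float:
    """Inner FLS: one vulnerability type's level and impact -> its risk."""
    return infer(level, impact)


def overall_risk(sqli: Dict[str, float], xss: Dict[str, float]) -> float:
    """Outer (nested) FLS: combine the SQLI and XSS risks into one overall value."""
    return infer(vulnerability_risk(**sqli), vulnerability_risk(**xss))
```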
