Skip to Main content Skip to Navigation
Journal articles

Identification de vulnérabilités Web et génération de scénarios d'attaque

Abstract : Web applications have become increasingly exposed to malicious attacks that could affect essential properties such as confidentiality, integrity or availability of information systems. To cope with these threats, it is necessary to develop efficient security protection mechanisms and testing techniques (firewall, intrusion detection system, Web scanner, etc.). This paper presents a new methodology, based on Web pages clustering techniques, that is aimed at identifying the vulnerabilities of a Web application following a black box analysis of the target application. Each identified vulnerability is actually exploited to ensure that the identified vulnerability does not correspond to a false positive. The proposed approach can also highlight different potential attack scenarios including the exploitation of several successive vulnerabilities, taking into account explicitly the dependencies between these vulnerabilities. We have focused in particular on code injection vulnerabilities, such as SQL injections. The proposed method led to the development of a new Web vulnerability scanner and has been validated experimentally based on various vulnerable applications. This methodology has been implemented and has been validated experimentally on several examples of vulnerable applications
Document type :
Journal articles
Complete list of metadata

Cited literature [15 references]  Display  Hide  Download

https://hal.laas.fr/hal-01967638
Contributor : Mohamed Kaaniche <>
Submitted on : Tuesday, January 1, 2019 - 9:48:25 AM
Last modification on : Thursday, June 10, 2021 - 3:01:28 AM
Long-term archiving on: : Tuesday, April 2, 2019 - 3:24:46 PM

File

Tsi-soumis.pdf
Files produced by the author(s)

Identifiers

Citation

Rim Akrout, Eric Alata, Mohamed Kaâniche, Vincent Nicomette. Identification de vulnérabilités Web et génération de scénarios d'attaque. Revue des Sciences et Technologies de l'Information - Série TSI : Technique et Science Informatiques, Lavoisier, 2014, 33 (9-10), pp.809-840. ⟨10.3166/tsi.33.809-840⟩. ⟨hal-01967638⟩

Share

Metrics

Record views

127

Files downloads

507