This document discusses the detection of security vulnerabilities in web applications, particularly in ASP.NET, focusing on common issues like SQL injection and cross-site scripting (XSS). It proposes a scanning tool that employs a fault detection and recovery process, using algorithms such as prepared statement replacement to identify and address vulnerabilities effectively. The paper aims to enhance web application security by automating vulnerability detection and prevention techniques.

1. INTERNATIONAL JOURNAL FOR TRENDS IN ENGINEERING & TECHNOLOGY
VOLUME 3 ISSUE 1 –JANUARY 2015 - ISSN: 2349 - 9303
Routine Detection Of Web Application Defence Flaws
Vidhya.V1
1
Arunai Engineering College, CSE,
vidhyaa.av@gmail.com
Logash Prabu.M2
2
Tagore Institute Of Engineering
and Technology, CSE,
logashprabu@gmail.com
Kalvina.L.R3
3
Arunai Engineering College,
Department
kalvinacse@gmail.com
Abstract— The detection process for security vulnerabilities in ASP.NET websites / web applications is a complex one,
most of the code is written by somebody else and there is no documentation to determine the purpose of source code. The
characteristic of source code defects generates major web application vulnerabilities. The typical software faults that are
behind of web application vulnerabilities, taking into different programming languages. To analyze their ability to prevent
security vulnerabilities ASP.NET which is part of .NET framework that separate the HTML code from the programming
code in two files, aspx file and another for the programming code. It depends on the compiled language (Visual Basic VB,
C sharp C#, Java Script). Visual Basic and C# are the most common languages using with ASP.NET files, and these two
compiled languages are in the construction of our proposed algorithm in addition to aspx files. The hacker can inject his
malicious as a input or script that can destroy the database or steal website files. By using scanning tool the fault detection
process can be done. The scanning process inspects three types of files (aspx, VB and C#). then the software faults are
identified. By using fault recovery process the prepared replacement statement technique is used to detect the
vulnerabilities and recover it with high efficiency and it provides suggestion then the report is generated then it will help
to improve the overall security of the system.
Index Terms— SQL Injection; XSS Cross Site Scripting; Prepared Replacement Statement algorithm; Symbolic
implementation algorithm.
——————————  ——————————
1 INTRODUCTION
Organizations are increasingly becoming dependent on the Internet
for sharing and accessing information. This Internet has changed the
focus of application development from stand-alone applications to
distributed Web applications. Web applications are programs that
can be executed either on a web server or in a web browser. They
enable to share and access information over the Internet and operate
intranets. Web application can support online commercial
transactions, popularly known as e-commerce. Security
vulnerabilities in web applications may result in stealing of
confidential data, breaking of data integrity or affect web application
availability. The task of securing web applications is one of the most
according to Acunetix survey 60% of found vulnerabilities affect
web applications. The most common way of securing web
applications is searching and eliminating vulnerabilities. The most
efficient way of finding security vulnerabilities in web applications
is manual code review. Security society actively develops automated
approaches to finding security vulnerabilities. These approaches can
be divided into two wide categories: black-box and white-box
testing.
The first approach is based on web application analysis from
the user side, assuming that source code of an application is not
available. This is to submit various malicious patterns (implementing
for example SQL injection or cross-site scripting attacks) into web
application forms and to analyze its output. If any application errors
are observed an assumption of possible vulnerability is made. This
approach does not guarantee neither accuracy nor completeness of
the obtained results. The second approach is based on web
application analysis from the server side, with assumption that
source code of the application is available.
IJTET©2015
The Open Web Application Security vulnerabilities are critical
one in web application security risks, having Structured Query
Language injection and Client side scripting. The advantage of SQL
injection attacks is unrestricted input fields within the web
application interface to horribly it weak the SQL query that is sent to
the back-end information. In XSS vulnerability, the invader is try to
inject into web content unintended client-side script code, typically
in markup language and JavaScript.
SQLi and XSS enable attackers to access not allowable
information (study, include, modify, or cross out), raise to allow the
advantaged file accounts, masquerade as alternative users (such as
the administrator), mimic net applications, spoils web content, view,
and manage isolated records on the server, infuse and complete
server aspect programs and they permit the design of botnets
forbidden by the assaulter.
To find attacks that inject SQL code by taking variables that
supposedly shouldn't be strings (e.g., numbers, dates)as a result of
the range of the variable is determined the assigned value. In strong
written languages, this can be impossible as a result of sort of
variables is decided before runtime and therefore they decide to store
a string in an exceedingly variable of another type raises an
miscalculation. This does not stop the incidence of vulnerabilities in
strong written languages, but only in string variables. In strong
written programming languages, that has less security issues, Java is
intrinsically a protected programming language and it is a strong
written language, vulnerabilities is found in Java programs owing to
implementation faults. Input injection attacks may serve a number of
ends. They are chosen by malicious users as a way to obtain
restricted data from a back end database or to insert malicious code
onto a web server that will in turn provide up malware to
unsuspecting clients. These clients may find their credentials or
private information exfiltrated as a result.
134

2. INTERNATIONAL JOURNAL FOR TRENDS IN ENGINEERING & TECHNOLOGY
VOLUME 3 ISSUE 1 –JANUARY 2015 - ISSN: 2349 - 9303
When a developer writes code for a web application he has a
specific intent regarding what type of data to be collected, processed
and stored. Web application injection attacks occur when a malicious
client submits data that was unanticipated by the programmer. The
programmer probably performed some degree of verification of
submitted data to ensure it contains only the anticipated data type.
Issues arise frequently, in the logic applied to cleansing the input.
As an example, confirm that an inputted field, which is
supposed to contain a valid phone number actually does, rather than
some malicious code. The verification algorithm could make use of
checks for the following,
• Is the input of a certain length (say 7-12)
characters.
• Does the input contain only numbers, parentheses
and dashes.
• Does the area code map to a legitimate area code.
SQL injection exploits weaknesses present in a web app‟s
back-end database. This class of exploits is made possible when user
input is not cleansed for tingle escape characters and the web
application submits code amounting to a database command to the
database server, where Cross-site scripting that the web pages are
generated and displayed as input that is not validated properly when
it occurs dynamically.
2 RELATED WORK
In general, there is extensive literature on describing the
vulnerabilities in web application. This section reviews about the
some related work in order to explore the strengths and weakness of
existing methods.
Lwin Khin Shar and Lionel C. Briand , Hee Beng Kuan Tan
[1], In this paper we mainly focused on SQLI, XSS, RCE, and FI
vulnerabilities. By using a set of hybrid (static and dynamic) code
attributes that the input confirmation and cleansing code patterns and
are expected to be considerable indicators of web application
vulnerabilities. Based on this hypothesis, we built vulnerability
predictors that are fine grained, accurate, and scalable.
Nuno Antunes and Marco Vieira [2], Web applications need a
defense-in-depth approach to avoid and mitigate security
vulnerabilities. This approach assumes that every security precaution
can fail, so security depends on having several layers of mechanisms
that wrap the failures of each other. A less expensive option is code
review, a simplified version of inspections that is useful for
analyzing less critical code.
Sreenivasa Rao B, Kumar N [3], this paper mainly focused on
analyze the design of web application security evaluation
mechanisms is to identify poor coding practices. A Vulnerability
evaluation (VE) is the process of recognize, quantifies, and
prioritizing the vulnerabilities (security holes) in a technique the
extraction step, and also a number of heuristics is for making
regression models.
Bojan Jovicic , Dejan Simic [4], This focuses on attacks
against net applications, either to gain direct benefit by gathering
non-public data or to disenable the sites of the target sites. Asp.net
provides two mechanisms in exception handling.
IJTET©2015
One of them is the possibility to define a custom page to display
errors. This page will replace the default asp.net error page. Another
mechanism is application centralized exception handling of all
unhandled exceptions by implementing application on error method
to get the possibility to examine each unhandled exception.
Kevin Spett [5], The purpose of this paper is to educate
both application developers and end users on the techniques that can
be used to exploit a web application with cross-site scripting, suggest
how to eliminate such vulnerabilities from web applications, and
teach end users how to recognize and reduce the risk from a cross-
site scripting attack.
3 PROPOSED ALGORITHM
Here we present the detection of security vulnerabilities that
performs a scanning process for all website/ web application files.
By using scanning the Scanning process id done. It helps to identify
whether the input is valid or Invalid. After scanning process, it will
generate a report list of all the leaks and weak and strong
vulnerabilities by displaying the name of the infected file and
location and description of the file. We propose a fault detection and
a new fault recovery process, the vulnerabilities can be detected and
the report is generated in fault detection process. In recovery process
prepared replacement algorithm (PSR) and symbolic execution
algorithm are used to recover the web applications with high
efficiency.
Methodology
 Analysis of web application.
 Classification of software faults.
 Fault detection.
 Fault recovery.
A. Analysis Of Web Application
They has the capability to examine the source code of current
and earlier versions of the intention in web applications, together
with the security patches search to open source web applications.
B. Classification Of Software Faults
Then the web application are selected, then the web services
for all reported SQL Injection and CSS patches that were classified.
The code defects are derived from the above defect classification.
C. Fault Detection
The damage in the web applications are identified and
detected by scanning tool. Scanning tool is used to identify the type
of fault. The fault location are identified and the description are
described about the type of faults.
D. Fault Recovery
After the detection process the recovery process taken place
by prepared statement replacement and symbolic execution
technique the web applications are recovered.
135

3. INTERNATIONAL JOURNAL FOR TRENDS IN ENGINEERING & TECHNOLOGY
VOLUME 3 ISSUE 1 –JANUARY 2015 - ISSN: 2349 - 9303
4. SYSTEM DESIGN
Figure 1 demonstrates the framework of our proposed approach.
A. Scanning Tool
A net application security scanner could be a program that
communicates with online application through the net front-end so
able to get security vulnerabilities within the web application and
weaknesses. ASCII text file scanners, net application scanners
haven't got access to the ASCII text file and to spot vulnerabilities by
performing attacks. Web applications allow users to have an
interactive expertise on the web browser. In static web pages, users
are capable to make personal accounts like bank account this may
FIG 1. System Architecture
IJTET©2015
add content, query databases and complete transactions. The process
of providing an interactive contribution in web applications regularly
collect, store and use the sensitive personal data to deliver their
service. clients help from the ease of those applications, whereas
tacitly interesting risk that are non-public data that hold on net
applications square measure progressing to be compromised through
hacker attacks, business executive leaks etc. client records are
compromised because of inadequate security controls on corporate
information and net applications.
B. Sql Injection
SQL Injection is a attack that can occur when an application
uses user input that has not been checked to see that it is valid and
the hacker uses this malicious input to exploit sensitive information
from the database.
For example,
The user can enter the following malicious input : ' OR 1=1 --
This would turn the database query into:
SELECT au_lname, au_fname FROM authors WHERE au_id =
'' OR 1=1 --
Since 1=1 always evaluates to true, this query will always return
more than 0 rows.
The main cause of a SQL Injection vulnerability is in the
concatenation of characters together to create a string, in this case a
database command. The --" is the single-line statement operator
support by numerous relational file servers, together with MS SQL
Server, IBM DB2, Oracle, PostgreSQL, and MySQL. In this
technique, the invader be able to supply illicit code and to be
executed by the server and exploit the weakness. SQL injections is
an input validation problem, to accept only confident predictable
inputs. Proper input validation turns out to be extremely tricky to
complete the injection attack. we execute on the generated SQL
queries is to validate the deficiency of tautologies from all WHERE
clause. Generally, if an direct user requests to revisit all tuples (row)
for a query, the query will not have a WHERE clause. In the
framework of web applications, a tautology in a WHERE clause is
an probable sign of an attack, in which the attacker attempts to
circumvent restrictions on web users are allowed to do.
Generating a SQL injection involves following process,
• Insert invalid data into a web app‟s SQL database input
field.
• Manipulate the input until you can map out the inner
workings of the unseen SQL statement.
• Craft an input that will successfully escape the „data
input‟ context and allow the ability to enter database
commands. Map the database by with SQL queries,
either by guessing table names.
• Read/write/delete the data of interest with a SQL
query.
The most challenging part of this process is the manipulation
136
Prepared
statement
replacement
Invalid
Iframe
Web application as input
Scanning tool
valid
Attacks
Sql InjectionCross site
scripting
Hijack session
Cookie
Poisoning
Fault Recovery Process
Symbolic
execution
Report
generated

4. INTERNATIONAL JOURNAL FOR TRENDS IN ENGINEERING & TECHNOLOGY
VOLUME 3 ISSUE 1 –JANUARY 2015 - ISSN: 2349 - 9303
C. Client side scripting
Client side scripting occurs mainly in dynamic web pages that
are mixing of browser data (HTML) with the code (<script> tag)
which is embedded in the data. The script can be (JavaScript,
VBScript, ActiveX, HTML, or Flash) .The main objective of 'XSS' is
to manipulate client-side scripts of a web application to execute in
the mode desired by the malicious user.
There are two main types of Client side scripting
 Stored Client side scripting
 Reflected Client side scripting
Stored Client side scripting:
The stored (or persistent) Client side scripting occur after the
information provided by the invade r is saved via the server, and
then displayed permanently on "normal" pages returned to other
users. Stored XSS requires particular kind of vulnerability in the
application where the data is placed in somewhere (ex. Data base)
and later feedback is send to the user, this can be through Forum,
Blog, etc. The attacker can send <HTML> or <JavaScript> to the
application instead of the normal input to be stored in the data base,
later when the victim comes to the application web site he/she will
download the <HTML> or <JavaScript> located there. The
application here acts as an attack site but works for the hacker.
Reflected Client side scripting
Reflected (or non-persistent) Client side scripting can occur
once the information provided via a web client, the majority
commonly in HTTP query parameters or in HTML form
submissions, is used immediately by server-side scripts to generate a
page of results and reflected back for the user, without sanitizing the
request. For example, if we have a user Log-In prompt (User-Id,
Password) and the user has supplied his Log-In Information. If there
is no input validation for Log-In text boxes, the attacker can exploit
this vulnerability to inject his malicious input 'XSS' instead of User-
Id.
The attacker can craft an email contains a link request from the
user to click on the link to update personal data. XSS flaws occur
whenever an application takes user supplied data and sends it to a
web browser without first validating or encoding that content. XSS
allows attackers to execute script in the victim's browser which can
hijack user sessions, deface web sites, possibly introduce worms, etc.
Clients-site scripting (also known as XSS or CSS) allows an
attacker to set in as malicious JavaScript code into the generated
page and execute the script on the machine of any user that views the
site. Client-site scripting could potentially impact any site that allows
users to enter data.
Malicious input may be transmitted via URL parameters,
cookies or database queries. XSS, Stored XSS are enabled by
insufficient user input sanitization. The web application presents the
browser with untrusted, unvalidated data, causing it to execute
scripts and compromise the data.
IJTET©2015
This vulnerability is commonly seen on
 Search engines that echo the search keyword that was
entered.
 Error messages that echo the string that contained the
error.
 Forms that are filled out where values are later
presented to the user.
 Web message boards that allow users to post their own
messages.
An attacker who uses client-site scripting successfully might
compromise confidential information, manipulate or steal
information, generate requests that can be faulty for persons of a
valid customer, or execute malicious code on the end-user systems.
C. Fault Detection
The recommended algorithm performs a scanning procedure
for all website/ application files. Our scanner tool relies on study the
source code of the application depending on ASP.NET documents
and the code files (Visual Basic VB and C sharp C#).To detect the
security vulnerabilities and leaks. It identify the vulnerability is
weak or strong type. The scanner tool tries to detect the
vulnerabilities that can help hackers from the reflected output or
messages, and check most of the ASP.NET server controls and the
commands in the code behind that interact with the database. The
detection process finds the leak file, location, description.
D. Fault Recovery
After detection process, it will generate a report list of all the
discovered leaks and vulnerabilities by displaying the name of the
infected file, the explanation and its position. The recommended
algorithm will help organization to repair the vulnerabilities and
improve the whole protection. This report requires a reaction from
the organization to take the necessary corrections steps.
There are two types of algorithm used they are
 Prepared Statement Replacement algorithm (PSR)
 Symbolic execution
Prepared Statement Replacement Algorithm
A prepared statement replacement (PSR) algorithm and
corresponding automation for removing SQLIA vulnerabilities from
vulnerable SQL statements by replacing them with secure prepared
statements. This method analysis source code containing SQLIVs
and generates a specific recommended code structure containing
prepared statements. An SQLIV exists when an SQL statement does
not keep statement structure and input separate.
PSR-algorithm collects information from application‟s source
code which possible including SQLIVs. Then generates secure
prepared statement code that maintains functional integrity. Another
algorithm which called Prepared Statement Replacement Generator
(PSR-Generator) is created for automates the generation of the
prepared statement-based code in Java, which results from the PSR-
Algorithm.
137

5. INTERNATIONAL JOURNAL FOR TRENDS IN ENGINEERING & TECHNOLOGY
VOLUME 3 ISSUE 1 –JANUARY 2015 - ISSN: 2349 - 9303
PSR-Algorithm is useful for developers which have source code
contains SQLIVs and need to be removed. Their proposed method is
remove SQLIVs with minimal manual intervention. PSR-Algorithm
is used to remove only SQLIV and does not have to be integrated
into the runtime environment.
Prepared statements are SQL statements that separate statement
structure from statement input. Prepared statements have a static
structure when they are executed and take type specific input
parameters. When prepared statements are created and the statement
structure is explicitly set before runtime, the statement structure
cannot be changed by input variables and the statement is secured
from SQLIVs. A prepared SQL statement is “prepared” by declaring
the structure of the statement and putting bind variables in the places
where input will go at a later time
Symbolic Execution Algorithm
Symbolic Execution Algorithms that automatically and
systematically create tests. These algorithms decrease the input space
of automated testing and discover different classes of errors.
Symbolic grammars are introduced to create orders of extent less
input strings without sacrificing coverage. Symbolic test generation,
the program is executed on symbolic rather than concrete inputs A
constraint solver is then used to generate test inputs that satisfy the
symbolic constraints. The resulting test inputs are guaranteed to
force the program execution along with the path preferred by the
symbolic execution.
5. DISCUSSIONS
The web application vulnerability has been identified in the
website and the malicious input which contain weak code has been
discovered and the vulnerability is detected and the recovery
process taken place by using prepared replacement statement
algorithm and symbolic execution algorithm. Thus it gives the
recovered web application with high efficiency and the code is
generated as strong one with high recommendation.
6. RESULTS
This method used to find the vulnerabilities in the web
application and website files and used to detect the faults like SQL
Injection and Client side scripting. Then the detection process is
done by detecting the source code line by line and it identify weak
and strong type vulnerability affected in which location. Then leaks
of files also identified and recover without any leakage by using
prepared statement replacement technique and give suggestion and
description about the faults and generate specific recommended code
structure with high efficiency.
7. CONCLUSION
The goal is to understand the correlation between the number of
vulnerabilities and exploits, and the level of the exploit damage.
IJTET©2015
We can summarize the main differences and correlations observed in
the vulnerabilities found in the field for weak and strong typed web
applications. A unified repository that collects both vulnerabilities
and exploits in a systematic and standardized fashion. Useful to
improve the effectiveness of code inspections, as the team will be
more focused on a few important code structures that can cause most
vulnerabilities. The future work is to detect and recover the
vulnerabilities in different programming languages and make the
code more secure.
REFERENCES
[1]Lwin Khin Shar and Lionel C. Briand , Hee Beng Kuan Tan, " Web
Application Vulnerability Prediction Using Hybrid Program Analysis
And Machine Learning". In IEEE Transaction On Dependable and
secure computing, may 2013 vol, 10, no. 2, pp, 70 -83.
[2]Nuno Antunes and Marco Vieira, "Defending Against Web
Application Vulnerabilities". IEEE Transaction On Computer Society,
February 2012 , vol , 8, no. 7.
[3]Kumar N. and Sreenivasa Rao B., "Web Application Vulnerability
Assessment And Preventing Techniques", International Journal of
Enterprise Computing, April 2012 , Vol. 2 Issue 1.
[4]Bojan jovicici M. and dejan simici P., "Common Web Application
Attack Types And Security Using Asp.Net", IEEE Transaction On
Computer Society September 2012, vol.3, no. 2.
[5]Kevin spett H."Web Application Vulnerabilities In Cross Site
Scripting". In IEEE Transaction On Dependable and Secure Computing,
March 2011, vol.2,no.5.
[6]Christmansson J. and Chillarege R."Generation of an Error Set that
Emulates Software Faults". In IEEE Fault Tolerant Computing
Symposium, 2013.
[7]Carettoni L. and Zanchetta M."Automatic Detection of Web
Application Security Flaws". In Proc. IEEE Transaction Secure Software
Engineering 2012.
[8]Atefeh Tajpour N. and Maslin Masrom K, "SQL Injection Detection
and Prevention Tools Assessment". In IEEE Transaction on Computer
security in May 2010.
[9]Bhandari I.S. and Chaar J.K ." Orthogonal Defect Classification—A
Concept for In-Process Measurement". IEEE Transaction on Software
Engineering in February 2009, vol. 18, no.11,
[10]Fonseca J. and Madeira H."Vulnerability & Attack Injection for Web
Applications". In International Conference on Dependable Systems and
Networks 2007.
[11]Giorgini P. and N. Zannone," Modeling Security Requirements
through Ownership, Permission and Delegation". In IEEE International
Conference on Requirements Engineering ,2007.pp. 167-176.
[12]Alessandro Orso R. and William G.J., "A Classification of SQL
Injection Attacks and Countermeasures". In IEEE Standard on Secure
Computing in March 2006.
[13]Kruegel C. and Kirda E. "Precise Alias Analysis for Static Detection
of Web Application Vulnerabilities". In IEEE Symposium Security and
Privacy, 2006 pp. 27- 36.
138