e-ISSN 2231-8526
ISSN 0128-7680
Aditya Kurniawan, Mohamad Yusof Darus, Muhammad Azizi Mohd Ariffin, Yohan Muliono and Chrisando Ryan Pardomuan
Pertanika Journal of Science & Technology, Volume 31, Issue 3, April 2023
DOI: https://doi.org/10.47836/pjst.31.3.07
Keywords: Common vulnerability scoring system, injection attack, metrics security risk level
Published on: 7 April 2023
Injection attacks are a class of cyber-attack listed in the OWASP (Open Web Application Security Project) Top 10. They exploit insufficient validation of user input that reaches the system through the input surface of a web application, supplied by the user from the browser. A company's cyber-security team must sift through thousands of attacks to decide which are the most dangerous and should be mitigated first, and this takes a great deal of time because the attacks have to be checked one by one. A method is therefore needed to assess how dangerous an individual cyber-attack that reaches an organisation's or company's server is. Injection attacks can be detected by analysing the request data recorded in the web server log. This research attempts to quantify the variations of two types of injection attack, SQL Injection (SQLi) and Cross-Site Scripting (XSS), using the metrics of the Common Vulnerability Scoring System (CVSS). CVSS metrics are normally used to rate how dangerous a weakness in a system is; they are not conventionally used to rate how dangerous an attack is. Our model shows that SQLi and XSS attacks vary widely in level, from low to high. We also found that when SQLi and XSS attacks are classified against the Common Weakness Enumeration (CWE) database, the CVSS vectors of the corresponding CVE entries show a high degree of congruence with one another, almost 94%.
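The abstract sketches a pipeline: pull request data out of the web server log, recognise SQLi and XSS variants, attach CVSS metrics to each variant and use the resulting score to prioritise. The Python script below is an added example of that pipeline and is not code from the paper; the paper's own mapping from attack variant to CVSS vector is not given here, so the signature regexes and the base vector assigned to each attack class are illustrative assumptions, the log lines are constructed, and the CWE identifiers (CWE-89 for SQL injection, CWE-79 for XSS) are the standard ones. The CVSS 3.1 weights and formulas follow the FIRST specification, so the scores for the vectors used here match the values the official calculator produces.

```python
"""Rank injection attempts found in a web server log by CVSS 3.1 base score.
Added example: log lines are constructed; signatures and the vector assumed per
attack class are illustrative choices, not the paper's mapping."""
import math
import re
from urllib.parse import unquote_plus

# CVSS 3.1 base-metric weights (FIRST, CVSS v3.1 specification, section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}   # PR weighs more when scope changes
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def roundup(x: float) -> float:
    """CVSS 3.1 Roundup(): smallest one-decimal value >= x, with the spec's integer guard."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0

def base_score(vector: str) -> float:
    """Base score from a vector such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10.0))

def severity(score: float) -> str:
    """CVSS 3.1 qualitative severity rating scale."""
    for limit, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return label
    return "Critical"

# (attack class, CWE, signature, assumed CVSS 3.1 base vector), ordered from most to
# least severe so the first match decides the class. The regexes are deliberately
# simple signatures and will miss obfuscated payloads; they illustrate, not protect.
ATTACK_CLASSES = [
    ("SQLi-stacked", "CWE-89", re.compile(r";\s*(drop|delete|update|insert)\s", re.I),
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("SQLi-union", "CWE-89", re.compile(r"union\s+(all\s+)?select", re.I),
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    ("SQLi-tautology", "CWE-89", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"),
    ("XSS-reflected", "CWE-79", re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I),
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
]

# Combined-log request line: client, timestamp, method, request target, status.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')

def classify(request_target: str):
    """Return (class, cwe, vector) for the first matching signature, else None."""
    decoded = unquote_plus(request_target)   # signatures run on the decoded URL
    for name, cwe, pattern, vector in ATTACK_CLASSES:
        if pattern.search(decoded):
            return name, cwe, vector
    return None

def triage(log_lines):
    """Parse log lines, score each detected injection attempt, return them
    sorted from highest to lowest CVSS base score."""
    findings = []
    for line in log_lines:
        match = _LOG_RE.match(line)
        if not match:
            continue
        client, ts, method, target, status = match.groups()
        hit = classify(target)
        if hit is None:
            continue
        name, cwe, vector = hit
        score = base_score(vector)
        findings.append({"client": client, "time": ts, "method": method, "target": target,
                         "status": int(status), "attack": name, "cwe": cwe,
                         "vector": vector, "score": score, "severity": severity(score)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed sample log in combined format; the last line is a benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:12:01:01 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Mar/2023:12:01:02 +0000] "GET /search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:12:01:03 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:12:01:04 +0000] "GET /item?id=5%3B%20DROP%20TABLE%20orders HTTP/1.1" 500 0 "-" "sqlmap/1.7"',
    '192.0.2.9 - - [10/Mar/2023:12:01:05 +0000] "GET /products?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['score']:>4} {f['severity']:<8} {f['attack']:<15} {f['cwe']} {f['client']} {f['target']}")
```

Run stand-alone, the script ranks the stacked-query attempt (9.8, Critical) above the UNION extraction (7.5, High), the login tautology (6.5, Medium) and the reflected XSS (6.1, Medium), and drops the benign request, which is the kind of ordering the abstract argues a triage team needs. Two caveats a practitioner should keep in mind: the vector chosen for a class encodes an assumption about the target (a tautology against a login form can deserve a far higher impact than the generic one used here), and the 2xx/302/500 status codes are recorded but not used, even though they are the cheapest available hint as to whether a payload actually reached the database or page.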