
Automation of Quantifying Security Risk Level on Injection Attacks Based on Common Vulnerability Scoring System Metric

Aditya Kurniawan, Mohamad Yusof Darus, Muhammad Azizi Mohd Ariffin, Yohan Muliono and Chrisando Ryan Pardomuan

Pertanika Journal of Science & Technology, Volume 31, Issue 3, April 2023

DOI: https://doi.org/10.47836/pjst.31.3.07

Keywords: Common vulnerability scoring system, injection attack, metrics security risk level

Published on: 7 April 2023

An injection attack is a cyber-attack listed in The Open Web Application Security Project Top 10 Vulnerabilities. These attacks take advantage of insufficient validation of user input that enters the system through the input surface of a Web application, submitted as that user from the browser. A company’s cyber security team must filter thousands of attacks to prioritize which ones are considered the most dangerous and should be mitigated first. Filtering thousands of attacks takes much time because each attack has to be checked one by one. Therefore, a method is needed to assess how dangerous a cyber-attack that reaches an organization’s or company’s server is. Injection attacks can be detected by analyzing the request data in the web server log. Our research attempts to model the quantification of the variations of two types of injection attacks, SQL Injection (SQLi) and Cross-Site Scripting (XSS), using Common Vulnerability Scoring System (CVSS) metrics. CVSS metrics are generally used to calculate how dangerous a weakness in a system is; they have not previously been used to calculate how dangerous an attack is. The model we built shows that SQLi and XSS attacks have many variations, ranging from low to high levels. We also found that, when classified against the Common Weakness Enumeration database, the CVSS vectors of the CVEs corresponding to SQLi and XSS attacks show high congruence with one another, with almost 94% agreement between vectors.


ISSN 0128-7680, e-ISSN 2231-8526

Article ID: JST-3452-2022
