
Evaluating Security Vulnerabilities in Web-based Applications Using Static Analysis

Chinwuba Christian Nnaemeka
Department of Computing & Informatics, Bournemouth University, Poole, United Kingdom
[email protected]

Osejobe Ehichoya
Department of Computing & Informatics, Bournemouth University, Poole, United Kingdom
[email protected]

Abstract—Web services are becoming business-critical components, often deployed with critical software bugs that can be maliciously exploited. Web vulnerability scanners allow the detection of security vulnerabilities in web services by stressing the service from the point of view of an attacker. However, research and practice show that different scanners perform differently in vulnerability detection. This paper presents a qualitative evaluation of security vulnerabilities found in web applications. Some well-known vulnerability scanners have been used to identify security flaws in web service implementations. Many vulnerabilities have been observed, which confirms that many services are deployed without proper security testing. Additionally, having reviewed and considered several articles, the differences in the vulnerabilities detected, the high number of false positives (35% and 40% in two cases) and the low coverage (less than 20% for two scanners) observed highlight the limitations of web vulnerability scanners in detecting security vulnerabilities in web services.

Furthermore, this work discusses the static analysis approach for discovering security vulnerabilities in web applications and complements it with proven research findings or solutions. These vulnerabilities include broken access control, cross-site scripting, SQL injection, buffer overflow, unrestricted file upload, broken authentication, etc. Web applications are becoming mission-essential components for businesses, potentially risking having several software vulnerabilities that hackers can exploit maliciously. A few vulnerability scanners have been used to detect security weaknesses in web service applications, and many vulnerabilities have been discovered, thus confirming that many online apps are launched without sufficient security testing. The static analysis technique considered in this work helps detect security flaws. However, it has an important limitation: a high rate of false positives.

Keywords—Web-based, static analysis, SQLi – SQL injection, XSS – cross-site scripting, buffer overflow, unrestricted file upload, broken authentication, attack vector, PHPi – Hypertext Pre-processor injection, RFI – remote file inclusion, CMDi – command injection, SDLC – software development lifecycle

I. INTRODUCTION

The importance of web-based application security has increased since it handles sensitive data that, if hacked, may cost the company millions of dollars [19]. Vulnerabilities in web applications significantly impact application security and users' risk of being attacked by hackers exploiting flaws in the source code of web applications. How to detect security bugs efficiently in software systems is a growing concern, and it is vital to secure these applications against hackers [19]. In 2002, the Computer Security Institute and the FBI performed a computer crime and security assessment, which indicated that more than half of all databases experienced at least one security breach, with an average loss of about $4 million [10]. In a survey by Alqaradaghi et al., 2021, about 75% of all attacks on web servers target web-based applications, and firewalls cannot defend against them because they rely solely on HTTP traffic, which is typically allowed to pass through them unimpeded. Attention has been focused on network-level attacks like port scanning. As a result, hackers frequently gain access to web apps directly.

Developers' lack of proper understanding of secure coding is a primary cause of web application insecurity, resulting in flaws. Many ways of detecting source code vulnerabilities have been investigated, with the existing approaches falling into two categories: dynamic and static analysis. Dynamic analysis approaches, such as software testing, examine how an application program runs but do not guarantee 100% coverage. In contrast, static analysis examines the application's source code, with many false positives, but achieves 100% testing coverage [22]. According to recent web security analysis and research, cross-site scripting (XSS) is the most common web application vulnerability [23]. XSS scripts are inserted into the web applications' source code without being encoded or verified. Hackers exploit them to steal sensitive data, cookies, and web sessions. XSS vulnerabilities are produced when malicious scripts are hosted on a website or when a malicious URL lures a user. This vulnerability affects web applications and is a known concern [20].

This paper examines a technique for discovering security vulnerabilities in web-based applications using static analysis. The method entails studying the web application source code for input validation defects and applying solutions based on the same principle to repair these flaws. This technique directly adds to web application security by reducing vulnerabilities and indirectly allows developers to identify the problems.
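As an added illustration (not code from the paper, nor from Pixy or any other tool it cites), the following Python script models the taint-style static analysis the Introduction describes: input read from PHP superglobals flows through assignments into output and database-query sinks, and a finding is raised unless a sanitizer appropriate for that particular sink intervenes. The PHP snippet, the source/sink/sanitizer tables and the custom_clean() function are all constructed for this example. The last case shows where the false positives the paper keeps returning to come from: a validator the tool has no pattern for is conservatively treated as leaving the value tainted.

```python
"""Taint-style static analysis of a constructed PHP-like snippet (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed tables: where untrusted data enters, where it becomes dangerous,
# and which vulnerability class each known sanitizer neutralises.
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
SINKS = {"echo": "XSS", "print": "XSS", "mysqli_query": "SQLi", "mysql_query": "SQLi"}
SANITIZERS = {"htmlspecialchars": "XSS", "htmlentities": "XSS",
              "intval": "SQLi", "mysqli_real_escape_string": "SQLi"}
ALL_CLASSES = frozenset(SINKS.values())

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.*?);")
ECHO_RE = re.compile(r"^\s*(echo|print)\s+(.*?);")
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*;")
VAR_RE = re.compile(r"\$\w+")
OUTER_FN_RE = re.compile(r"^\s*(\w+)\s*\(")


@dataclass(frozen=True)
class Taint:
    classes: frozenset        # vulnerability classes the value can still trigger
    path: Tuple[str, ...]     # provenance, for contextualised error reporting


@dataclass(frozen=True)
class Finding:
    line: int
    vuln: str
    sink: str
    path: str


def taint_of(expr: str, env: Dict[str, Taint]) -> Optional[Taint]:
    """Union of the taint carried by the variables in expr, minus the class
    neutralised by the outermost call when that call is a known sanitizer."""
    classes, path = set(), []
    for var in VAR_RE.findall(expr):
        if var in SOURCES:
            classes |= ALL_CLASSES
            if var not in path:
                path.append(var)
        elif var in env:
            classes |= env[var].classes
            for step in env[var].path:
                if step not in path:
                    path.append(step)
    if not classes:
        return None
    fn = OUTER_FN_RE.match(expr)
    if fn:
        name = fn.group(1)
        if name in SANITIZERS:
            classes.discard(SANITIZERS[name])
            path.append(f"{name}() [neutralises {SANITIZERS[name]}]")
        else:  # unknown function: keep the taint (conservative; source of false positives)
            path.append(f"{name}() [unknown, taint kept]")
    return Taint(frozenset(classes), tuple(path)) if classes else None


def analyse(php_source: str) -> List[Finding]:
    """One statement per line, tracked in program order; no branches or loops modelled."""
    env: Dict[str, Taint] = {}
    findings: List[Finding] = []
    for lineno, raw in enumerate(php_source.splitlines(), start=1):
        line = raw.split("//", 1)[0]          # drop trailing line comments
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            t = taint_of(rhs, env)
            if t:
                env[var] = t
            else:
                env.pop(var, None)            # overwritten with a clean value
            continue
        m = ECHO_RE.match(line) or CALL_RE.match(line)
        if not m or m.group(1) not in SINKS:
            continue
        sink, args = m.group(1), m.group(2)
        t = taint_of(args, env)
        if t and SINKS[sink] in t.classes:
            findings.append(Finding(lineno, SINKS[sink], sink, " -> ".join(t.path)))
    return findings


# Constructed input; custom_clean() is a hypothetical validator the analyser knows nothing about.
SAMPLE_PHP = """\
$name = $_GET['name'];
$id = $_GET['id'];
echo htmlspecialchars($name);                               // 3: encoded for HTML, no finding
echo $name;                                                 // 4: reflected XSS
$id_num = intval($id);
mysqli_query($db, "SELECT * FROM t WHERE id = $id_num");    // 6: integer cast, no finding
mysqli_query($db, "SELECT * FROM t WHERE name = '$name'");  // 7: SQL injection
$esc = mysqli_real_escape_string($db, $name);
echo $esc;                                                  // 9: SQL escaping does not protect HTML output
$clean = custom_clean($name);
echo $clean;                                                // 11: unknown sanitizer, reported conservatively
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_PHP):
        print(f"line {f.line}: {f.vuln} via {f.sink}(): {f.path}")
```

Running it reports lines 4, 7, 9 and 11. Line 9 is a genuine finding (escaping for one sink does not make a value safe for another), whereas line 11 is a finding only because the analyser lacks a pattern for custom_clean(); a human assessment, as the paper notes, is still needed to tell the two apart.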



The paper is organised into five main sections, with section one having four sub-sections. The main sections are the introduction, methodology, research findings, conclusion, and recommendation. Section one has four sub-sections: background, literature review, problem statement and research questions.

A. Background

• Static Analysis

Static analysis of web applications is indispensable to any software tool, integrated development environment, or system that requires compile-time information about the semantics of programs. With the emergence of modern programming languages, static analysis of applications consisting of both recursive data and dynamic storage has become a field of active research. Programming mistakes introduce vulnerabilities into program source code that need to be fixed. The longer a vulnerability lies dormant, the more expensive it can be to fix. Static analysis tools aim to identify common coding mistakes automatically before an application is deployed. Static analysis extracts semantic information about a program at compile time [31]. It verifies the program source code statically without attempting to execute the code. Manual code auditing is a form of static analysis which is time-consuming and requires the code auditors first to understand what security flaws look like in order to check the code thoroughly. Static analysis tools are quicker than manual code audits, as they analyse programs regularly. Additionally, because they are designed to capture security knowledge, they do not need the tool operator to have the same level of security experience as a human auditor [32]. Static analysis will only solve some of your security issues. For instance, it scans the code for a predefined collection of patterns or criteria. To eliminate vulnerabilities, experienced developers must still design a program correctly. Static analysis techniques can detect bugs in the essential details, but they cannot evaluate the design. The result of a static analysis tool still needs human assessment [33].

• Vulnerability

Web applications are accepted in today's business environment and are used in the business's day-to-day activities. Several companies have launched web applications, and their use has recently surged. As web-based applications become more critical business elements, they are frequently deployed with significant software vulnerabilities that can be exploited illegally. Vulnerabilities are defects or weaknesses in a system's architecture, development, and operation that might be manipulated to break the system's security procedures or functionality [36]. Any vulnerability or hole in a web application can be used to obtain unauthorised access to, harm, or corrupt the information system. Web application vulnerabilities are embedded in web application code. They are unaffected by the technology used to develop the application, the safety of the web application, or the back-end system. Developers should follow proper coding practices, thoroughly evaluate the code for security vulnerabilities, run penetration testing, and employ code vulnerability checkers to prevent vulnerabilities. Technically, the cost to fix security flaws discovered later in the software development cycle is higher than for security flaws found earlier [24]; developers must make every effort to identify problems as soon as feasible. Code audits (code reviews), static analysis, dynamic analysis, and security testing are methods for identifying vulnerabilities in online applications [35]. White-box and black-box testing are the two primary techniques for vulnerability testing in web applications. Black-box testing does not directly examine the source code of the program, unlike white-box testing, which does so to find defects or vulnerable lines of code. Static analysis is an example of white-box testing [34].

B. Literature Review

Web application vulnerability prediction frameworks were built using historical data that combined known vulnerability data with static properties to anticipate XSS and SQLI flaws [6]. A set of static code attributes was intended to represent these code patterns. They enhanced their work process by developing a strategy for building vulnerability predictors using machine learning [7]. A prototype program called PhpMinerl was created to collect data and evaluate its methodology on different open-source web applications. The results showed 11% false positives in detecting SQLI vulnerabilities and 6% in detecting XSS in web applications. The developers were trained using the available vulnerability exposure data from dynamic and static analysis. Static analysis primarily evaluates the program source code without executing the code, whereas dynamic analysis examines how the application works by executing the code and validating its functionalities. Pixy was the first static analysis tool to discover XSS vulnerabilities in PHP source code, in 2006; the report from this research suggests that using the right static analysis tool achieves a successful outcome of approximately 72% in predicting XSS vulnerabilities in web applications, and the static code analysis used reported a false positive rate of around 9%. Nevertheless, XSS vulnerabilities in web applications persist due to analytical limitations, such as the false positive rate in the analysis's findings [25].

The reliability of security scanners in discovering vulnerabilities varies, though they are an excellent tool for finding web application flaws introduced in the source code during development. Web security scanner evaluation is one method that frequently characterises the effectiveness of various scanners in identifying vulnerabilities in online applications [27]. Web security scanning tools are tested to determine their strengths and limitations regarding vulnerability assessment coverage and false positives. The objective was to investigate the reliability of security scanners and identify effective forms of web application vulnerabilities. Three commercial scanning technologies were assessed, and the results revealed that overall coverage is inadequate, with many false positives [13].

Nonetheless, the analysis was limited to a particular family of software, mainly web-based apps developed in PHP. The findings cannot be generalised because many services examined were launched without sufficient security testing [4]. Web scanner tools are divided into enterprise-level and free, open-source tools; the enterprise-level tools have been evaluated as more accurate and precise due to the implementation of extra innovations. Furthermore, in the context of describing techniques for mitigating SQL injection attacks, enterprise tools provided a transparent, solidly automated SQL injection analysis tool based on a syntax algorithm [26]. A significant finding was that different
scanners discover different vulnerabilities, indicating that one scanner's coverage is far from flawless. Web scanners have a high false-positive rate and low coverage, exposing their limits in finding vulnerabilities in web applications [13]. Numerous studies have examined techniques for comprehensively evaluating various web threats, including SQL injection, XSS, and other vulnerability mitigation and detection techniques, to better understand the general engineering fields connected to web security threats [18]. Static analysis tools can provide a reliable warning to some extent, according to Walden and Doyle's research [16], which found a strong link between Fortify SCA tool alerts and NVD vulnerabilities. Zheng et al. [17] showed, based on an enterprise-scale investigation, that static analysis is a crucial technique for identifying flaws that have the potential to lead to security vulnerabilities. In comparing the value of manual code review with static analysis (black-box testing) for online applications, Finifter and Wagner [15] found that the two are complementary and that manual analysis revealed more errors but consumed a lot more effort and needed experts to examine the application code base. They argued that no single technique could find every vulnerability in a web application. Their research revealed that relatively rare vulnerabilities are discovered using a variety of methodologies, with automated penetration testing being the most efficient in terms of time and static analysis coming in second. Research, parameter fiddling, SQL injection, and cross-site scripting attacks contribute to more than a quarter of all identified web application vulnerabilities [45]; the attacks listed above are made possible by user input that has not been adequately validated. Code auditing can detect these attacks, and code reviews discover issues before a program is launched. Code reviews are one of the most effective defence measures [17], but they are time-consuming and expensive. Thus, they are only used sparingly. Many programmers lack the security expertise required for security audits, which drives up the cost of security assessments. Since security issues are regularly introduced while others are being fixed, double audits (examining the code twice) are strongly encouraged.

C. Problem Statement

As web technologies advance and users shift away from traditional desktop applications, the adoption of web-based applications has surged. Among the professional developers who design web applications are a few amateurs with limited knowledge of web application security who create vulnerable applications. These security vulnerabilities allow attackers to gain unauthorised access to the web application. The most prevalent cause of web application vulnerabilities is unchecked input parameters in the source code, which is a typical development error [28]. Hackers employ two approaches to attack uncontrolled input parameters: they inject malicious code into web applications and then use the code to manipulate the application. In 2013, the Open Web Application Security Project (OWASP) identified the most severe web application security vulnerabilities [20]:

1. SQL Injection Attacks
2. XSS – Cross-Site Scripting
3. Broken Authentication and Session Management
4. Sensitive Data Exposure
5. Security Misconfigurations

D. Research Questions

• How often do vulnerabilities appear in a web-based application?
• What level of breach or impact do these vulnerabilities cause?
• What are the existing static analysis techniques, and how best can they be improved to optimise performance?

II. METHODOLOGY

This study used a qualitative research technique to critically analyse existing web application static analysis approaches or strategies. The investigators conducted a systematic review of academic papers in current peer-reviewed journals to assess the secondary literature on the research. Systematic reviews summarise objectively what has been written and discovered about a research topic. This is especially useful when several articles on an extensive study topic each focus on a different aspect of the field. The investigators conducted their research using the databases MySearch, Google Scholar, IEEE, Scopus, ScienceDirect, and Web of Science. These databases are multidisciplinary, well-established research platforms that are regularly updated and feature a wide range of peer-reviewed publications. These databases were chosen to include all relevant papers. The researchers' evaluation was restricted to peer-reviewed literature. Peer-reviewed journal articles are expected to contain high-impact research on web-based application static analysis. The researchers established a cut-off year for the review to ensure that the data gathered was relevant, and they investigated its impact on the field.

In this research, we have considered a wide range of literature from 2010 to 2022. This range of literature presents comprehensive state-of-the-art research conducted in this field.

A. Exclusion and Inclusion Metric

The systematic search strategy included phrases such as "static analysis," "SQL Injection," and "cross-site scripting." The systematic review concentrated on how much research had been conducted on web-based application static analysis. Other keyword phrases, such as "web-based application vulnerability" or "web applications attack," were used in the search, but the results were limited to "Static Analysis" only. As a result, searches such as "web application static analysis" were carried out. The search terms were intended to draw attention to the subject under investigation so that relevant evidence could be discovered [3]. Fig 1 below, the PRISMA flowchart, describes how our research was conducted and the databases where relevant research articles were found.

Fig 1. Prisma flow diagram


III. RESEARCH FINDINGS

The research questions addressed in the study were as follows: (1) How frequently do vulnerabilities appear in a web-based application? (2) How serious is the breach or impact caused by these vulnerabilities? (3) What are the current static analysis techniques, and how can they be enhanced to improve performance? The data was compiled through a thorough review of peer-reviewed articles. Below are some of the prominent findings discovered in our research.

A. Impact of Web-based Application Attacks

According to the annual global security report 2018, which analysed billions of security events, all tested applications have at least one vulnerability and an average of 11 failures. Web attacks appear to be becoming more specific, frequent, and sophisticated [39]. A successful web-based attack can significantly impact websites, web applications, reputation, and customer relationships. It defaces websites, compromises user accounts, runs malicious code on web pages, etc., potentially compromising the user's device. It stems from poorly developed web application source code which is not adequately checked. According to a TechJury report, 30,000 websites are hacked daily [37]. Frequently, hackers target financial, healthcare, and retail organisations, and if cybercriminals cannot breach an organisation's security infrastructure, they may attempt to gain access to the corporate website. Similarly, software vulnerabilities and third-party integrations such as extension usage are also ways attackers can accomplish this. Plugins are responsible for 98% of the vulnerabilities in content management systems such as WordPress, which hosts over 35% of all websites on the internet. As a result, numerous security plugins are available to protect the vulnerable.

B. Attack Vectors and Enablers

Web applications can be attacked for various reasons, including system flaws caused by incorrect coding, misconfigured web servers, application design flaws, or failure to validate forms. SQL injection (SQLI), cross-site scripting (XSS), remote code execution (RCE), and file inclusion (FI) are among the most common and severe web application vulnerabilities threatening the privacy and security of both clients and applications today, according to OWASP's Top 10 Project [7]. These flaws and vulnerabilities enable attackers to access databases containing sensitive information. Web applications are an easy target for attackers because they must always be available to customers. According to the ENISA [4] threat report, there is a general perception that web application attacks are diverse. However, other data from security research suggests that most web application attacks are limited to SQL injection or local file inclusion. Another report indicates that SQL injection, directory traversal, XSS, and broken authentication and session management are at the top of the attack vectors used in web application attacks. SonicWall also reported a similar trend for the top web application attacks of 2019. On that list, SQLi, directory traversal, XSS, and broken authentication and session management were on top.

Fig 2. Threat landscape [4]

The findings also indicate that the cross-site scripting (XSS) vulnerability is the most common in web applications. This vulnerability can result in violations for the user or the site. Many tools and methods focus on finding this vulnerability in PHP source code. Nonetheless, identifying XSS vulnerabilities in PHP web applications remains a challenge for the time being. Most previous tools and approaches relied on static analysis to detect XSS vulnerabilities. This is due to its ability to achieve nearly 100% code coverage and observe all programme paths. Furthermore, recent research has found that static analysis is superior to other approaches for detecting this vulnerability. Combining static analysis with other algorithms (genetic algorithms, pattern matching, and machine learning) improved detection results and reduced static analysis run time [6].

C. Prevention Mechanism

Various research articles have investigated practical and comprehensive approaches to vulnerabilities in web-based applications. According to [5], existing mechanisms for dealing with web application threats can be divided into client-side and server-side solutions. An application-level firewall protects against cross-site scripting (XSS) attacks that try to steal a user's credentials. Server-side solutions have the advantage of discovering a broader range of vulnerabilities.

According to one of the peer-reviewed articles, Pixy [5] was the first open-source tool for statically detecting XSS vulnerabilities in PHP 4 code using data flow analysis. PHP was chosen as the target language because it is widely used for developing web applications, and many security advisories mention PHP programs. Although the peer-reviewed article considered a prototype designed to detect XSS flaws, it can also be used to detect other taint-style vulnerabilities such as SQL injection or command injection. Any significant type of vulnerability (for example, cross-site scripting or SQL injection) can be considered an example of this general class of taint-style vulnerabilities [5]. Pixy was tested in this manner using six popular open-source PHP programs, and the test returned accurate results [5].

The extensive research conducted in [2], as shown in Fig 3 below, presents an approach for discovering and correcting vulnerabilities in web applications and a tool that
implements the policy for PHP programmes and input validation vulnerabilities. The method and tool look for vulnerabilities by combining two techniques: static source code analysis and data mining. The top three machine learning classifiers are used to identify false positives, and an induction rule classifier is used to justify their presence. Static analysis tools help lower the cost of application maintenance via early detection and avoidance of problems in web applications, making static analysis tools an essential framework in defending against web application attacks. Adjustments to source code can be quickly checked to increase code security with the introduction of static analysis tools into CI/CD pipelines [24]. These technologies can help web-based applications by detecting problems in the model, minimising security failure mechanisms, and highlighting areas for development. Code analysis tools are mainly used to detect programming language problems and code syntax incompatibilities [29]. These tools are promising for improving the robustness of web-based application security. Nevertheless, static analysis suffers a significant setback from a high false positive rate when examining source code. The adverse effects of this high false positive rate have led to a lacklustre uptake of these tools. False positives in code analysis are thought to be a complex problem [30]. Validation must balance false positives (no defect present) against false negatives (missing defects). To reduce false positives, contextualised error reporting, conflicting terminology and issue prioritisation must all be considered by static analysis tools running on web-based applications.

Fig 3. Main modules and data structures. [2]
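The CI/CD integration and the false-positive burden discussed above invite a concrete gating step. The following Python script is an added example, not the tool of [2] or any tool cited by the paper: it takes a flattened static-analysis report, suppresses findings that a reviewer has already triaged as false positives (keeping the justification next to the suppression), prioritises the rest by severity and analyser confidence, and fails the pipeline only on new findings at or above a chosen severity. The report records, rule identifiers, file names and baseline entry are constructed. Findings are identified by a fingerprint of rule, file and flagged code rather than by line number, so a triaged finding stays suppressed when unrelated edits move it.

```python
"""CI gate for static-analysis findings: baseline suppression, prioritisation, fail threshold.

Added example; the report shape, rule ids, file names and baseline entry are constructed.
"""
import hashlib

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding: rule + file + whitespace-normalised flagged code.
    The line number is deliberately left out so that edits elsewhere in the file,
    which shift lines, do not resurface findings that were already triaged."""
    snippet = " ".join(finding["snippet"].split())
    key = f'{finding["rule"]}|{finding["file"]}|{snippet}'
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


# Constructed scan output, in the shape a generic analyser report might be flattened to.
CURRENT_SCAN = [
    {"rule": "php.xss.reflected", "severity": "high", "confidence": 0.9,
     "file": "search.php", "line": 12, "snippet": "echo $_GET['q'];"},
    {"rule": "php.sqli.string-concat", "severity": "critical", "confidence": 0.8,
     "file": "user.php", "line": 40,
     "snippet": "mysqli_query($db, \"SELECT * FROM users WHERE name = '$name'\");"},
    {"rule": "php.xss.reflected", "severity": "high", "confidence": 0.4,
     "file": "profile.php", "line": 77, "snippet": "echo $clean;"},
    {"rule": "php.style.short-open-tag", "severity": "low", "confidence": 1.0,
     "file": "index.php", "line": 1, "snippet": "<?"},
]

# Constructed baseline: findings a reviewer has examined, keyed by fingerprint. The
# profile.php finding was triaged when it sat on an earlier line; it still matches at line 77.
BASELINE = {
    fingerprint({"rule": "php.xss.reflected", "file": "profile.php", "snippet": "echo $clean;"}):
        {"status": "false-positive",
         "reason": "custom_clean() restricts $clean to [A-Za-z0-9] before output"},
}


def gate(findings: list, baseline: dict, fail_at: str = "high") -> dict:
    """Split findings into suppressed and new, order the new ones for the developer,
    and decide whether the pipeline should fail."""
    new, suppressed = [], []
    for f in findings:
        fp = fingerprint(f)
        if fp in baseline:
            suppressed.append({**f, "fingerprint": fp, "reason": baseline[fp]["reason"]})
        else:
            new.append({**f, "fingerprint": fp})
    # Most severe first, then the analyser's own confidence: the developer reads the top.
    new.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["confidence"]), reverse=True)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    return {"new": new, "suppressed": suppressed, "blocking": blocking, "passed": not blocking}


def format_report(result: dict) -> str:
    """Contextualised, human-readable summary for the CI log."""
    lines = [f'{"PASS" if result["passed"] else "FAIL"}: {len(result["blocking"])} blocking, '
             f'{len(result["new"])} new, {len(result["suppressed"])} suppressed']
    for f in result["new"]:
        lines.append(f'  [{f["severity"]:8}] {f["file"]}:{f["line"]} {f["rule"]} '
                     f'(confidence {f["confidence"]:.1f})')
    for f in result["suppressed"]:
        lines.append(f'  [suppressed] {f["file"]}:{f["line"]} {f["rule"]}: {f["reason"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(gate(CURRENT_SCAN, BASELINE)))
```

With the constructed input the gate fails on the SQL injection and the reflected XSS in search.php, lists the low-severity style finding without blocking, and shows the profile.php finding as suppressed together with the reviewer's reason, so the suppression itself can be audited later.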

D. Widespread Awareness Campaign

Even though much research is being done to mitigate vulnerabilities in web applications, raising awareness about this issue is still critical. Both web application developers and users must be aware of the gravity of web vulnerabilities and what they can do to mitigate their impact on web application security. Security requirements should be integrated into web application development at all stages of the software development lifecycle. Many web applications are created quickly, and security is an afterthought. It is critical for web application developers to understand not only the negative impact of XSS and other vulnerabilities but also to be able to mitigate them; by so doing, it would assist developers in addressing web vulnerabilities when developing web applications. Similarly, web application users should be warned and given best practice guidelines when visiting web applications online, especially when sensitive information is shared. Some banking applications, for example, warn visitors about security risks. Furthermore, users must exercise caution when clicking links that may direct them to an insecure site where they may become victims of hackers [38].

IV. CONCLUSION

The principal objective of this qualitative study was to investigate static analysis as it relates to web-based applications and its relative impact on a wide scale. A comprehensive literature study of peer-reviewed journal articles was conducted during the data-gathering phase. Three themes emerged from the data study: the impact of web-based application attacks, attack vectors and enablers, and prevention mechanisms. This study's findings were used to address the research questions. Relevant stakeholders can use these findings to improve web application security. Web applications have become a popular and widely used medium of interaction in our daily lives. Simultaneously, vulnerabilities that endanger users' data are discovered regularly. Manual security audits aimed at these vulnerabilities are time-consuming, expensive, and prone to error. Therefore, SDLC stakeholders need to be aware that hacking techniques are constantly changing with the advancement of technology, and there are always new ways to steal information from businesses. Thus, protecting web systems may reduce security risks, increase customer confidence, and improve the economy's health.

V. RECOMMENDATION

This study uses various strategies to show how SMEs protect sensitive firm data from cyber threats. The offered approaches are action plans for small business entrepreneurs or MSMEs. As the first guideline, small business owners should establish a company strategy that engages in active cybersecurity actions. Such a strategy should include policies and methods to safeguard corporate and consumer data from cyber threats. The second piece of advice is for small business owners to gradually link their business operations to cybersecurity rules to develop a unified security strategy across their organisation. The final recommendation is for small business owners to build an adequate plan addressing preparation, data privacy, and data breach response in case of a breach, which can help lessen the impacts of data breaches while preserving personal company data.

However, as considered in this work, static analysis for detecting web application vulnerabilities was thoroughly expanded upon. The main disadvantage of static analysis is the high rate of false positives in the results. False positives are results reported as vulnerable paths that are not actually weak. Another disadvantage of static analysis approaches is their dependence on a particular framework or language. For example, a static analysis tool designed for PHP cannot be used for Ruby on Rails without extensive engineering work. These tools are known to be inextricably linked to both language and framework features. Considering this shortcoming, it would be ideally suitable to combine static, dynamic and hybrid analysis [24].

REFERENCES

[1] R. K. Yin, Case study research and applications: Design and methods, 6th ed. Thousand Oaks, California: Sage Publications, Inc, 2018.
[2] Medeiros, N. Neves, and M. Correia, "Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining," IEEE Transactions on Reliability, vol. 65, no. 1, pp. 54–69, Mar. 2016, doi: 10.1109/tr.2015.2457411.
[3] Boiko and V. Shendryk, "System Integration and Security of Information Systems," Procedia Computer Science, vol. 104, pp. 35–42, 2017, doi: 10.1016/j.procs.2017.01.053.
[4] ENISA, "ENISA Threat Landscape 2020 - Web application attacks," Europa.eu, 2020. https://www.enisa.europa.eu/publications/web-application-attacks
[5] N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: a static analysis tool for detecting Web application vulnerabilities," 2006 IEEE Symposium on Security and Privacy (S&P'06), 2006, doi: 10.1109/sp.2006.29.
[6] A. W. Marashdih, Z. F. Zaaba, K. Suwais, and N. A. Mohd, "Web Application Security: An Investigation on Static Analysis with other Algorithms to Detect Cross Site Scripting," Procedia Computer Science, vol. 161, pp. 1173–1181, 2019, doi: 10.1016/j.procs.2019.11.230.
[7] L. K. Shar and H. B. K. Tan, "Predicting SQL injection and cross-site scripting vulnerabilities through mining input sanitisation patterns," Information and Software Technology, vol. 55, no. 10, pp. 1767–1780, Oct. 2013, doi: 10.1016/j.infsof.2013.04.002.
[8] L. K. Shar, L. C. Briand, and H. B. K. Tan, "Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning," IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 6, pp. 688–707, Nov. 2015, doi: 10.1109/tdsc.2014.2373377.
[9] J. Fonseca, M. Vieira, and H. Madeira, "Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks," IEEE Xplore, Dec. 01, 2007. https://ieeexplore.ieee.org/abstract/document/4459684/
[10] D. Stuttard and M. Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. John Wiley & Sons, 2011. Accessed: Nov. 08, 2022. [Online]. Available: https://books.google.co.uk/books?hl=en&lr=&id=NSBHAAAAQBAJ&oi=fnd&pg=PT13&dq=The+Web+Application+Hacker%27s+Handbook:+Discovering+and+Exploiting+Security+Flaws&ots=5tpR2CK1GO&sig=A68J3az78O_DIfdaN0GcXTKe9fI&redir_esc=y#v=onepage&q=The%20Web%20Application%20Hacker
[11] U. Shankar, K. Talwar, J. S. Foster, and D. Wagner, "Title," www.usenix.org. https://www.usenix.org/legacy/events/sec01/full_papers/shankar/shankar_html/
[12] C. Anley and C. Com, "Advanced SQL Injection In SQL Server Applications." [Online]. Available: https://priv.gg/e/Hacking%20-%20Advanced%20SQL%20Injection.pdf
[13] IBM, "Cost of a data breach 2022," www.ibm.com, 2022. https://www.ibm.com/reports/data-breach
[14] Carbon Black, "Threat Research," VMware, Nov. 06, 2022. https://www.carbonblack.com/resources/threat-research/global-threat-report-series/ (accessed Nov. 08, 2022).
[15] M. Finifter and D. Wagner, "Exploring the Relationship Between Web Application Development Tools and Security." [Online]. Available: https://www.usenix.org/legacy/events/webapps11/tech/final_files/Finifter.pdf
[16] J. Walden and M. Doyle, "SAVI: Static-Analysis Vulnerability Indicator," IEEE Security & Privacy, vol. 10, no. 3, pp. 32–39, May 2012, doi: 10.1109/msp.2012.1.
[17] J. Zheng, L. Williams, N. Nagappan, W. Snipes, J. P. Hudepohl, and M. A. Vouk, "On the value of static analysis for fault detection in software," IEEE Transactions on Software Engineering, vol. 32, no. 4, pp. 240–253, Apr. 2006, doi: 10.1109/tse.2006.38.
[18] R. Johari and P. Sharma, "A Survey on Web Application Vulnerabilities (SQLIA, XSS) Exploitation and Security Engine for SQL Injection," IEEE Xplore, May 01, 2012. https://ieeexplore.ieee.org/document/6200667
[19] UNCTAD, “Digital Economy Report 2019 | UNCTAD,” unctad.org, and Measurement (ESEM), Oct. 2020, doi:
2019. https://unctad.org/webflyer/digital-economy-report-2019 10.1145/3382494.3410680.
[20] Sunardi, U. Dahlan, Y. Indonesia, I. Riadi, and P. Raharja, [30] K. F. Tomasdottir, M. Aniche, and A. van Deursen, “The Adoption of
“Vulnerability Analysis of E-voting Application using Open Web JavaScript Linters in Practice: A Case Study on ESLint,” IEEE
Application Security Project (OWASP) Framework,” IJACSA) Transactions on Software Engineering, vol. 46, no. 8, pp. 863–891,
International Journal of Advanced Computer Science and Aug. 2020, doi: 10.1109/tse.2018.2871058.
Applications, vol. 10, no. 11, 2019, [Online]. Available: [31] V. M. Santos, S. Misra, and M. S. Soares, “Architecture
http://eprints.uad.ac.id/22085/2/Paper-C.1.1- Conceptualization for Health Information Systems Using
Vulnerability%20Analysis%20of%20E- ISO/IEC/IEEE 42020,” Computational Science and Its Applications –
voting%20Application%20using%20Open%20Web%20Application ICCSA 2020, pp. 398–411, 2020, doi: 10.1007/978-3-030-58817-
%20Security%20Project%20%28OWASP%29%20Framework.pdf 5_30.
[21] M. Alqaradaghi, G. Morse, and T. Kozsik, “Detecting security [32] M. Nachtigall, M. Schlichtig, and E. Bodden, “A large-scale study of
vulnerabilities with static analysis – A case study,” Pollack Periodica, usability criteria addressed by static analysis tools,” Proceedings of
Dec. 2021, doi: 10.1556/606.2021.00454. the 31st ACM SIGSOFT International Symposium on Software
[22] A. Gosain and G. Sharma, “A Survey of Dynamic Program Analysis Testing and Analysis, Jul. 2022, doi: 10.1145/3533767.3534374.
Techniques and Tools,” Advances in Intelligent Systems and [33] A. Groce et al., “Evaluating and Improving Static Analysis Tools Via
Computing, pp. 113–122, 2015, doi: 10.1007/978-3-319-11933-5_13. Differential Mutation Analysis,” IEEE Xplore, Dec. 01, 2021.
[23] A. W. Marashdih and Z. F. Zaaba, “Detection and Removing Cross https://ieeexplore.ieee.org/abstract/document/9724764/ (accessed
Site Scripting Vulnerability in PHP Web Application,” IEEE Xplore, Dec. 07, 2022).
Oct. 01, 2017. https://ieeexplore.ieee.org/document/8109033 [34] A. Martin-Lopez, A. Arcuri, S. Segura, and A. Ruiz-Cortés, “Black-
(accessed Jul. 12, 2021). Box and White-Box Test Case Generation for RESTful APIs:
[24] A. W. Marashdih, Z. F. Zaaba, and K. Suwais, “Cross Site Scripting: Enemies or Allies?,” IEEE Xplore, Oct. 01, 2021.
Investigations in PHP Web Application,” IEEE Xplore, Oct. 01, 2018. https://ieeexplore.ieee.org/abstract/document/9700203 (accessed Nov.
https://ieeexplore.ieee.org/abstract/document/8531224 (accessed Dec. 07, 2022).
07, 2022). [35] T. Lee, G. Won, S. Cho, N. Park, and D. Won, “Detection and
[25] I. Medeiros, N. Neves, and M. Correia, “DEKANT: a static analysis Mitigation of Web Application Vulnerabilities Based on Security
tool that learns to detect web application vulnerabilities,” Proceedings Testing,” Lecture Notes in Computer Science, pp. 138–144, 2012,
of the 25th International Symposium on Software Testing and doi: 10.1007/978-3-642-35606-3_16.
Analysis, Jul. 2016, doi: 10.1145/2931037.2931041. [36] A. Dessiatnikoff, R. Akrout, E. Alata, M. Kaaniche, and V.
[26] G. Wassermann and Z. Su, “Sound and precise analysis of web Nicomette, “A Clustering Approach for Web Vulnerabilities
applications for injection vulnerabilities,” Proceedings of the 2007 Detection,” IEEE Xplore, Dec. 01, 2011.
ACM SIGPLAN conference on Programming language design and https://ieeexplore.ieee.org/abstract/document/6133081/ (accessed
implementation - PLDI ’07, 2007, doi: 10.1145/1250734.1250739. Dec. 07, 2022).
[27] M. Vieira, N. Antunes, and H. Madeira, “Using web security scanners [37] J. Bulao, “How Many Cyber Attacks Happen Per Day? [2021 Stats
to detect vulnerabilities in web services,” IEEE Xplore, Jun. 01, 2009. and Facts],” TechJury, Jul. 15, 2020. https://techjury.net/blog/how-
https://ieeexplore.ieee.org/abstract/document/5270294 (accessed Jan. many-cyber-attacks-per-day/#gref
23, 2021). [38] I. Hydara, A. B. Md Sultan, H. Zulzalil, and N. Admodisastro,
[28] V. Livshits and M. Lam, “Finding Security Vulnerabilities in Java “Removing Cross-Site Scripting Vulnerabilities from Web
Applications with Static Analysis.” [Online]. Available: Applications using the OWASP ESAPI Security Guidelines,” Indian
https://www.usenix.org/legacy/publications/library/proceedings/sec05 Journal of Science and Technology, vol. 8, no. 30, Nov. 2015, doi:
/tech/full_papers/livshits/livshits.pdf 10.17485/ijst/2015/v8i30/87182.
[29] A. J. Simmons, S. Barnett, J. Rivera-Villicana, A. Bajaj, and R. Vasa, [39] G. E. Rodríguez, J. G. Torres, P. Flores, and D. E. Benavides, “Cross-
“A large-scale comparative analysis of Coding Standard conformance site scripting (XSS) attacks and mitigation: A survey,” Computer
in Open-Source Data Science projects,” Proceedings of the 14th ACM Networks, vol. 166, p. 106960, Jan. 2020, doi:
/ IEEE International Symposium on Empirical Software Engineering 10.1016/j.comnet.2019.106960

You might also like