Evaluation of Static Analysis on Web Applications

Abstract—Web services are becoming business-critical components, often deployed with critical software bugs that can be maliciously exploited. Web vulnerability scanners allow the detection of security vulnerabilities in web services by stressing the service from the point of view of an attacker. However, research and practice show that different scanners perform differently in vulnerability detection. This paper presents a qualitative evaluation of security vulnerabilities found in web applications. Some well-known vulnerability scanners have been used to identify security flaws in web service implementations. Many vulnerabilities have been observed, which confirms that many services are deployed without proper security testing. Additionally, a review of several articles shows differences in the vulnerabilities detected, a high number of false positives (35% and 40% in two cases) and low coverage (less than 20% for two scanners), which highlight the limitations of web vulnerability scanners in detecting security vulnerabilities in web services.

Furthermore, this work discusses the static analysis approach for discovering security vulnerabilities in web applications and complements it with proven research findings and solutions. The vulnerabilities considered include broken access control, cross-site scripting, SQL injection, buffer overflow, unrestricted file upload, broken authentication, and others. Web applications are becoming mission-essential components for businesses, and they risk carrying several software vulnerabilities that hackers can exploit maliciously. A few vulnerability scanners have been used to detect security weaknesses in web service applications, and many vulnerabilities have been discovered, confirming that many online applications are launched without sufficient security testing. The static analysis technique considered in this work helps detect security flaws; its important limitation is a high rate of false positives.

Keywords—Web-based, static analysis, SQLi – SQL injection, XSS – cross-site scripting, buffer overflow, unrestricted file upload, broken authentication, attack vector, PHPi – Hypertext Preprocessor injection, RFI – remote file inclusion, CMDi – command injection, SDLC – software development lifecycle

I. INTRODUCTION

The importance of web-based application security has increased since such applications handle sensitive data that, if compromised, may cost the company millions of dollars [19]. Vulnerabilities in web applications significantly affect application security and users' risk of being attacked by hackers exploiting flaws in the source code of web applications. How to detect security bugs efficiently in software systems is a growing concern, and it is vital to secure these applications against hackers [19]. In 2002, the Computer Security Institute and the FBI performed a computer crime and security assessment, which indicated that more than half of all databases experienced at least one security breach, with an average loss of about $4 million [10]. According to a survey by Alqaradaghi et al. (2021), about 75% of all attacks on web servers target web-based applications. Firewalls cannot defend against these attacks because they travel over HTTP, which firewalls typically allow to pass through unimpeded; attention has instead been focused on network-level attacks like port scanning. As a result, hackers frequently gain access to web applications directly.

Developers' lack of proper understanding of secure coding is a primary cause of web application insecurity, resulting in flaws. Many ways of detecting source code vulnerabilities have been investigated, and existing approaches fall into two categories: dynamic and static analysis. Dynamic analysis approaches, such as software testing, examine how an application program runs, but they cannot guarantee 100% coverage. In contrast, static analysis examines the application's source code; it produces many false positives but can achieve 100% coverage of the code [22]. According to recent web security analysis and research, cross-site scripting (XSS) is the most prevalent web application vulnerability [23]. XSS arises when the application emits attacker-controlled input in its pages without encoding or validating it. Hackers exploit it to steal sensitive data, cookies, and web sessions. XSS vulnerabilities are triggered when malicious scripts are hosted on a website or when a malicious URL lures a user. This vulnerability affects web applications and is a known concern [20].

This paper examines a technique for discovering security vulnerabilities in web-based applications using static analysis. The method entails studying the web application source code for input validation defects and applying fixes based on the same principle to repair these flaws. This technique directly improves web application security by reducing vulnerabilities and indirectly helps developers identify the problems.
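As an added illustration of the source-code analysis described above (this is example code written for this page, not the paper's tool), the following Python script performs a toy, flow-insensitive taint analysis over a constructed PHP snippet. It treats $_GET, $_POST, $_REQUEST and $_COOKIE as attacker-controlled sources, treats htmlspecialchars, htmlentities, intval and mysqli_real_escape_string as sanitizers for the HTML or SQL output context, and reports echo/print and mysqli_query as XSS and SQL injection sinks. The sanitizer list, the sink list and the sample PHP are assumptions of this example. The last two lines of the sample reproduce the false-positive limitation noted above: a custom escaping function the analyzer does not recognize leaves the output flagged even if it is in fact safe.

```python
"""Toy taint analysis for PHP source (added example; assumptions noted inline)."""
import re
from dataclasses import dataclass

# Assumed sources of attacker-controlled input.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
CALL_RE = re.compile(r"([A-Za-z_]\w*)\s*\(([^()]*)\)")          # innermost call
ASSIGN_RE = re.compile(r"^\s*\$([A-Za-z_]\w*)\s*=\s*(.+?);\s*$")
ECHO_RE = re.compile(r"^\s*(?:echo|print)\s+(.+?);\s*$")
QUERY_RE = re.compile(r"mysqli_query\s*\(\s*[^,]+,\s*(.+)\)\s*;")

# Assumed sanitizers and the output context each one makes data safe for.
SANITIZER_REMOVES = {
    "htmlspecialchars": {"html"},
    "htmlentities": {"html"},
    "mysqli_real_escape_string": {"sql"},
    "intval": {"html", "sql"},
}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str        # "XSS" or "SQLi"
    statement: str


def _direct_taint(expr, env, placeholders):
    """Contexts for which expr is unsafe, looking only at sources, variables
    and already-collapsed calls (placeholders)."""
    taint = set()
    if SOURCE_RE.search(expr):
        taint |= {"html", "sql"}
    for name in VAR_RE.findall(expr):
        taint |= env.get(name, set())
    for key, ctx in placeholders.items():
        if key in expr:
            taint |= ctx
    return taint


def taint_of(expr, env):
    """Collapse calls innermost-first: a known sanitizer removes the contexts
    it protects, any other call passes its arguments' taint through."""
    placeholders = {}
    while True:
        m = CALL_RE.search(expr)
        if not m:
            return _direct_taint(expr, env, placeholders)
        fn, args = m.group(1), m.group(2)
        ctx = _direct_taint(args, env, placeholders) - SANITIZER_REMOVES.get(fn, set())
        key = f"__P{len(placeholders)}__"
        placeholders[key] = ctx
        expr = expr[: m.start()] + key + expr[m.end():]


def analyze(php_source):
    """Scan PHP one statement per line; returns findings in source order."""
    env = {}                      # variable name -> set of unsafe contexts
    findings = []
    for lineno, raw in enumerate(php_source.splitlines(), start=1):
        line = re.sub(r"//.*", "", raw)   # drop trailing // comments (toy: also hits "http://")
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = taint_of(m.group(2), env)
            continue
        m = ECHO_RE.match(line)
        if m and "html" in taint_of(m.group(1), env):
            findings.append(Finding(lineno, "XSS", line.strip()))
        m = QUERY_RE.search(line)
        if m and "sql" in taint_of(m.group(1), env):
            findings.append(Finding(lineno, "SQLi", line.strip()))
    return findings


# Constructed sample; not taken from any real application.
SAMPLE_PHP = """<?php
$name = $_GET['name'];                                   // source
echo "Hello " . $name;                                   // XSS: raw output
echo "Hello " . htmlspecialchars($name);                 // encoded, safe for HTML
$id = intval($_GET['id']);                               // cast, safe for SQL and HTML
mysqli_query($db, "SELECT * FROM users WHERE id=" . $id);
$q = "SELECT * FROM users WHERE login='" . $name . "'";
mysqli_query($db, $q);                                   // SQLi via $q
$clean = my_escape($name);                               // unknown custom sanitizer
echo $clean;                                             // reported: a false positive
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_PHP):
        print(f"line {f.line}: {f.kind}: {f.statement}")
```

The analysis is deliberately per-statement and ignores control flow, function boundaries and string quoting, so it shows the shape of the technique rather than a production tool; real analyzers model data flow across functions and files, which is also where most of their remaining false positives come from.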