Blending Static and Dynamic Analysis for Web Application Vulnerability Detection: Methodology and Case Study
Static Analysis (SA) and Dynamic Analysis (DA) are complementary techniques for searching web application vulnerabilities. Typically, SA detects more vulnerabilities but reports a higher number of false positives, whereas DA finds less but with better precision. In this paper, we blend SA and DA to...
Main Authors: | Paulo Nunes, Jose Fonseca, Marco Vieira |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2025-01-01 |
Series: | IEEE Access |
Subjects: | Static analysis; dynamic analysis; vulnerability detection; execution traces; SQLi; blend analysis |
Online Access: | https://ieeexplore.ieee.org/document/10813334/ |
_version_ | 1841557060093739008 |
---|---|
author | Paulo Nunes; Jose Fonseca; Marco Vieira |
author_facet | Paulo Nunes; Jose Fonseca; Marco Vieira |
author_sort | Paulo Nunes |
collection | DOAJ |
description | Static Analysis (SA) and Dynamic Analysis (DA) are complementary techniques for searching web application vulnerabilities. Typically, SA detects more vulnerabilities but reports a higher number of false positives, whereas DA finds less but with better precision. In this paper, we blend SA and DA to simultaneously improve the detection and decrease the false alarms. Our approach starts with SA to identify an initial set of potential vulnerabilities. Then, the target application is executed to obtain specific runtime information. These data are used to automatically configure the DA, improving its ability to confirm if the vulnerabilities reported by the SA are indeed exploitable. We evaluated the proposed approach using 49 WordPress plugins with more than 450 SQLi vulnerabilities. Our approach was able to confirm either as a vulnerability or a false alarm 76.7% of the results reported by the SA, decreasing tremendously the usual need for manual work, which is a huge improvement for security practitioners. |
format | Article |
id | doaj-art-f3009e1a914348b6a3fbfdee09a50449 |
institution | Kabale University |
issn | 2169-3536 |
language | English |
publishDate | 2025-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | doaj-art-f3009e1a914348b6a3fbfdee09a50449; 2025-01-07T00:02:14Z; eng; IEEE; IEEE Access; 2169-3536; 2025-01-01; 13; 3139; 3153; 10.1109/ACCESS.2024.3522094; 10813334; Blending Static and Dynamic Analysis for Web Application Vulnerability Detection: Methodology and Case Study; Paulo Nunes (0) https://orcid.org/0000-0002-2719-9318; Jose Fonseca (1) https://orcid.org/0000-0003-4710-9292; Marco Vieira (2) https://orcid.org/0000-0001-5103-8541; Polytechnic of Guarda, University of Coimbra, CISUC, Coimbra, Portugal; Polytechnic of Guarda, University of Coimbra, CISUC, Coimbra, Portugal; University of North Carolina at Charlotte, Charlotte, NC, USA; https://ieeexplore.ieee.org/document/10813334/; Static analysis; dynamic analysis; vulnerability detection; execution traces; SQLi; blend analysis |
title | Blending Static and Dynamic Analysis for Web Application Vulnerability Detection: Methodology and Case Study |
topic | Static analysis; dynamic analysis; vulnerability detection; execution traces; SQLi; blend analysis |
url | https://ieeexplore.ieee.org/document/10813334/ |