“Towards Web Application Security by Automated Code Correction”
In Proceedings of the International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE), May 2020.
Abstract: Web applications are commonly used to provide access to the services and resources offered by companies. However, they are known to contain vulnerabilities in their source code which, when exploited, can cause serious damage to organizations, such as the theft of millions of user credentials. For this reason, it is crucial to protect critical services, such as health care and financial services, with safe web applications. Often, vulnerabilities are left in the source code unintentionally by programmers because they have insufficient knowledge of how to write secure code. For example, developers often employ the sanitization functions of the programming language, believing that these will defend their applications. However, some of those functions do not block all attacks, leaving the applications still vulnerable. This paper presents an approach and a tool capable of automatically correcting web applications against relevant classes of vulnerabilities (XSS and SQL injection). The tool was evaluated with both benchmark test cases and real code, and the results are very encouraging. They show that the tool can insert safe and correct fixes while maintaining the original behavior of the web applications in the vast majority of the case
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
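To illustrate the kind of rewrite the abstract describes, here is a small, added Python sketch (my own, not the paper's tool) of an automated corrector for the SQL injection class: it finds a one-line `execute("..." + var + "...")` call built by string concatenation and rewrites it into a parameterised query in DB-API qmark style (as used by sqlite3). It assumes the query is a single line of Python with double-quoted literals and plain variable names, and it leaves every other line untouched so that the original behavior is preserved.

```python
import re

# Call site of the form  <obj>.execute(<expr>)  on a single line.
_CALL = re.compile(r"execute\((?P<arg>.*)\)\s*$")
# One '+'-separated operand: a double-quoted literal or a plain variable name.
_TOKEN = re.compile(r'^\s*(?:"(?P<lit>[^"]*)"|(?P<var>[A-Za-z_]\w*))\s*$')


def correct_line(line: str) -> str:
    """Rewrite a concatenated query into a parameterised one (qmark style).

    Anything that is not  execute("..." + var + "...")  is returned unchanged,
    so the corrector only touches code it fully understands and keeps the
    original behaviour everywhere else.
    """
    m = _CALL.search(line)
    if not m:
        return line
    parts = m.group("arg").split("+")        # assumption: no '+' inside SQL text
    if len(parts) < 3:
        return line                            # no concatenation: nothing to fix
    tokens = [_TOKEN.match(p) for p in parts]
    if not all(tokens):
        return line                            # e.g. a function call: leave alone
    sql, params = "", []
    for i, tok in enumerate(tokens):
        if tok.group("lit") is None:           # a variable becomes a placeholder
            sql += "?"
            params.append(tok.group("var"))
            continue
        lit = tok.group("lit")
        # Drop the SQL quote characters that used to wrap the injected value;
        # with a bound parameter the driver handles quoting and escaping.
        if i > 0 and tokens[i - 1].group("var") and lit.startswith("'"):
            lit = lit[1:]
        if i + 1 < len(tokens) and tokens[i + 1].group("var") and lit.endswith("'"):
            lit = lit[:-1]
        sql += lit
    if not params:
        return line
    tup = ", ".join(params) + ("," if len(params) == 1 else "")
    return line[: m.start()] + f'execute("{sql}", ({tup}))' + line[m.end():]


def correct_source(src: str) -> str:
    """Apply correct_line to every line of a source file."""
    return "\n".join(correct_line(ln) for ln in src.split("\n"))


# Constructed sample (not from the paper): one vulnerable and one safe call.
SAMPLE = ('cursor.execute("SELECT * FROM users WHERE name = \'" + name + "\'")\n'
          'cursor.execute("SELECT 1")')

if __name__ == "__main__":
    print(correct_source(SAMPLE))
```

A real corrector would work on the parsed AST rather than on lines and would also handle the XSS class with context-aware output encoding; this sketch shows only the SQL rewrite step.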