JCC  Vol.3 No.9 , September 2015
Systematic Review of Web Application Security Vulnerabilities Detection Methods
Abstract: In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed either to using an inappropriate software development model to guide the development process, or the use of a software development model that does not consider security as a key factor. Therefore, this systematic literature review is conducted to investigate the various security vulnerabilities used to secure the web application layer, the security approaches or techniques used in the process, the stages in the software development in which the approaches or techniques are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from respectable scientific sources, i.e. the IEEE Computer Society, ACM Digital Library, Science Direct, Springer Link. After detailed review process, only 56 key primary studies were considered for this review based on defined inclusion and exclusion criteria. From the review, it appears that no one software is referred to as a standard or preferred software product for web application development. In our SLR, we have performed a deep analysis on web application security vulnerabilities detection methods which help us to identify the scope of SLR for comprehensively investigation in the future research. Further in this SLR considering OWASP Top 10 web application vulnerabilities discovered in 2012, we will attempt to categories the accessible vulnerabilities. OWASP is major source to construct and validate web security processes and standards.
Cite this paper: Rafique, S. , Humayun, M. , Gul, Z. , Abbas, A. and Javed, H. (2015) Systematic Review of Web Application Security Vulnerabilities Detection Methods. Journal of Computer and Communications, 3, 28-40. doi: 10.4236/jcc.2015.39004.

[1]   Ge, X., Paige, R.F., Polack, F.A., Chivers, H. and Brooke, P.J. (2006) Agile Development of Secure Web Applications. Proceedings of the 6th International Conference on Web Engineering. Palo Alto, 11-14 July 2006, 305-312.

[2]   Norwawi, N.M. and Selamat, M.H. (2011) Secure E-Commerce Web Development Framework. Infor-mation Technology Journal, 10, 769-778.

[3]   McGraw, G. and Viega, J. (2002) Building Secure Software. In RTO/NATO Real-Time Intrusion Detection Symp.

[4]   Mouratidis, H., Jürjens, J. and Fox, J. (2006) Towards a Comprehensive Framework for Secure Systems Development. Advanced Information Systems Engineering. Springer, Berlin Heidelberg, 48-62.

[5]   Keele, S. (2007) Guidelines for Performing Systematic Literature Reviews in Software Engineering. Technical Report, EBSE Technical Report EBSE-2007-01, 1-57.

[6]   Cachia, E. and Micallef, M. (2007) A Multi-Tier, Multi-Role Security Framework for E-Commerce Systems. 14th Annual IEEE International Conference and Workshops on the Engineering of Compu-ter-Based Systems, Tucson, 26-29 March 2007, 422-432.

[7]   Lipner, S. (2004) The Trustworthy Computing Security Development Lifecycle. 20th Annual Computer Security Applications Conference, Washington, 6-10 December 2004, 2-13.

[8]   Sulayman, M. and Mendes, E. (2009) A Systematic Literature Review of Software Process Improvement in Small and Medium Web Companies. Advances in Software Engineering. Springer, Berlin Heidelberg, 1-8.

[9]   Shar, L.K. and Tan, H.B.K. (2012) Automated Removal of Cross Site Scripting Vulnerabilities in Web Applications. Information and Software Technology, 54, 467-478.

[10]   Avancini, A. and Ceccato, M. (2013) Comparison and Integration of Genetic Algorithms and Dynamic Symbolic Execution for Security Testing of Cross-Site Scripting Vulnerabilities. Information and Software Technology, 55, 2209-2222.

[11]   Jang, Y.S. and Choi, J.Y. (2014) Detecting SQL Injection Attacks Using Query Result Size. Computers & Security, 44, 104-118.

[12]   Goseva-Popstojanova, K., Anastasovski, G., Dimitrijevikj, A., Pantev, R. and Miller, B. (2014) Characterization and Classification of Malicious Web Traffic. Computers & Security, 42, 92-115.

[13]   Shahriar, H., Weldemariam, K., Zulkernine, M. and Lutellier, T. (2014) Effective Detection of Vulnerable and Malicious Browser Extensions. Computers & Security, 47, 66-84.

[14]   Scholte, T., Balzarotti, D. and Kirda, E. (2012) Have Things Changed Now? An Empirical Study on Input Validation Vulnerabilities in Web Applications. Computers & Security, 31, 344-356.

[15]   Woo, S.W., Joh, H., Alhazmi, O.H. and Malaiya, Y.K. (2011) Modeling Vulnerability Discovery Process in Apache and IIS HTTP Servers. Computers & Security, 30, 50-62.

[16]   Awoleye, O.M., Ojuloge, B. and Ilori, M.O. (2014) Web Application Vulnerability Assessment and Policy Direction towards a Secure Smart Government. Government Information Quarterly, 31, S118-S125.

[17]   Buja, G., Bin Abd Jalil, K., Bt Hj Mohd Ali, F. and Rahman, T.F.A. (2014) Detection Model for SQL Injection Attack: An Approach for Preventing a Web Application from the SQL Injection Attack. Proceedings of the 2014 IEEE Symposium on Computer Applications and Industrial Electronics (ISCAIE), Penang, 7-8 April 2014, 60-64.

[18]   Salas, M.I.P. and Martins, E. (2014) Security Testing Methodology for Vulnerabilities Detection of XSS in Web Services and WS-Security. Electronic Notes in Theoretical Computer Science, 302, 133-154.

[19]   Shar, L.K. and Tan, H.B.K. (2013) Predicting SQL Injection and Cross Site Scripting Vulnerabilities through Mining Input Sanitization Patterns. Information and Software Technology, 55, 1767-1780.

[20]   Katkar Anjali, S. and Kulkarni Raj, B. (2012) Web Vulnerability Detection and Security Mechanism. International Journal of Soft Computing and Engineering (IJSCE), 2, 237-241.

[21]   Wang, S., Gong, Y., Chen, G., Sun, Q. and Yang, F. (2013) Service Vulnerability Scanning Based on Service-Oriented Architecture in Web Service Environments. Journal of Systems Architecture, 59, 731-739.