The present invention, in some embodiments thereof, relates to a method and a system for assessment of applications and services and, more particularly, but not exclusively, to a method and a system for correlation assessment of applications and services according to actual data flow analysis.
Computer security issues are becoming more widespread as an ever-increasing number of diverse computer applications are developed. Problems such as viruses, worms, rootkits, spyware, and theft are plaguing the population of computer users and web services. Additionally, as the Internet connects more people to each other, it also is fueling security problems because confidential information is more easily compromised.
In their attempt to address Web application security, Scott and Sharp selected three types of security vulnerabilities they believed to be particularly important: form modification, SQL injection, and cross-site scripting (XSS), see D. Scott, R. Sharp, Abstracting application-level Web security, in: The 11th International Conference on the World Wide Web, Honolulu, Hi., May 2002, pp. 396-407 and D. Scott, R. Sharp, Developing secure Web applications, IEEE Internet Computing 6 (6) (2002) 38-45, which are incorporated herein by reference. They also suggested that form modification is often used in conjunction with other forms of attacks, for example, structured query language (SQL) injection. SQL injection and XSS account for the majority of Web application security vulnerabilities, see M. Curphey, D. Endler, W. Hau, S. Taylor, T. Smith, A. Russell, G. McKenna, R. Parke, K. McLaughlin, N. Tranter, A. Klien, D. Groves, I. By-Gad, S. Huseby, M. Eizner, R. McNamara, A guide to building secure Web applications. The Open Web Application Security Project v.1.1.1, September 2002, which is incorporated herein by reference.
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by a memory unit, such as a server, and then retrieved, for example permanently displayed on webpages returned to other users, in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read. In some Persistent XSS, an attacker's malicious script is rendered automatically, without the need to individually target victims or lure them to a third-party website. Particularly in the case of social networking sites, the code would be further designed to self-propagate across accounts, creating a type of a client-side worm. The methods of injection can vary a great deal: in some cases, the attacker may not even need to directly interact with the web functionality itself to exploit such a hole. Any data received by the web application (via email, system logs, etc) that can be controlled by an attacker could become an injection vector.