MATHEMATICAL MODELS OF THE TECHNOLOGY FOR TESTING DOM XSS VULNERABILITY AND SQL INJECTIONS VULNERABILITY
DOI:
https://doi.org/10.24025/2306-4412.4.2018.162765
Keywords:
testing technology DOM XSS, SQL injections, GERT-network, Web security testing, mathematical models.
Abstract
An analysis of various types of statistical materials from known organizations has shown that cross-site scripting (XSS) is one of the most dangerous types of attacks (vulnerabilities). However, to identify these threats and the possible consequences of their spread in the process of safe management of IT projects, and to propose the best ways to solve this problem, the process of their initialization and dissemination needs to be formalized mathematically. A number of papers have attempted to formalize mathematically the process of finding and eliminating vulnerabilities of this kind. However, the models presented do not take into account the latest trends in XSS vulnerabilities, namely the difference between their types ("stored XSS", "reflected XSS" and DOM Based XSS) and the need for their detection. The aim of the work is to develop mathematical models of the technology for testing DOM XSS vulnerability and SQL injections vulnerability.
Mathematical models for testing the DOM XSS complex of vulnerabilities and for the technology of testing for SQL injections vulnerability have been developed. The GERT-network synthesis approach is the basis of the mathematical modeling. The mathematical model for testing the DOM XSS complex of vulnerabilities differs from the known ones by taking into account the specifics of complex analysis of various types of XSS vulnerabilities (stored XSS, reflected XSS and DOM Based XSS) and by the separate inclusion of DOM Based XSS automatic audit procedures in the algorithm. This makes it possible to conduct an analytical assessment of the time spent testing these vulnerabilities in the context of implementing a strategy for developing safe software. The mathematical model for the technology of testing SQL injections vulnerability differs from the known ones by an improved method for determining the distance between injection results. The use of the Jaro–Winkler criterion in the proposed method to compare the results of injecting SQL code, together with the introduction of a threshold value, will increase the accuracy of the results of software security testing.
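The comparison step described in the abstract can be sketched as follows. This is an added example, not code from the paper: the threshold value of 0.9, the rule "flag a response whose similarity to the baseline falls below the threshold", and the names `divergent_responses` and `THRESHOLD` are assumptions, and the response bodies are constructed.

```python
"""Added example: Jaro-Winkler similarity with a threshold for comparing test responses."""

def jaro(s1: str, s2: str) -> float:
    if s1 == s2:
        return 1.0
    if not s1 or not s2:
        return 0.0
    # Characters match only if equal and no further apart than this window.
    window = max(max(len(s1), len(s2)) // 2 - 1, 0)
    used1, used2 = [False] * len(s1), [False] * len(s2)
    m = 0
    for i, ch in enumerate(s1):
        for j in range(max(0, i - window), min(len(s2), i + window + 1)):
            if not used2[j] and s2[j] == ch:
                used1[i] = used2[j] = True
                m += 1
                break
    if m == 0:
        return 0.0
    # Transpositions: matched characters that appear in a different order.
    seq1 = [c for c, u in zip(s1, used1) if u]
    seq2 = [c for c, u in zip(s2, used2) if u]
    t = sum(a != b for a, b in zip(seq1, seq2)) // 2
    return (m / len(s1) + m / len(s2) + (m - t) / m) / 3

def jaro_winkler(s1: str, s2: str, p: float = 0.1, max_prefix: int = 4) -> float:
    # Winkler's adjustment rewards a shared prefix of up to max_prefix characters.
    j = jaro(s1, s2)
    prefix = 0
    for a, b in zip(s1[:max_prefix], s2[:max_prefix]):
        if a != b:
            break
        prefix += 1
    return j + prefix * p * (1 - j)

THRESHOLD = 0.9  # assumed value; the abstract does not state the paper's threshold

def divergent_responses(baseline, responses, threshold=THRESHOLD):
    """Return {test_id: score} for responses less similar to baseline than threshold."""
    scores = {tid: jaro_winkler(baseline, body) for tid, body in responses.items()}
    return {tid: round(s, 4) for tid, s in scores.items() if s < threshold}

if __name__ == "__main__":
    # Constructed sample bodies: a baseline page and two responses to test requests.
    baseline = "<h1>Product 42</h1><p>Blue widget, in stock</p>"
    responses = {
        "t1": "<h1>Product 42</h1><p>Blue widget, in stock</p>",
        "t2": "<h1>Error</h1><p>Database error while processing the request</p>",
    }
    print(divergent_responses(baseline, responses))
```

The matching loop is quadratic in the worst case, so long response bodies are better reduced to a stable excerpt before comparison.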
License
Copyright (c) 2020 О. В. Коваленко

The authors who publish in this journal agree to the following terms:

The authors reserve the right to authorship of their work and give the journal the right to first publish this work under the terms of the Creative Commons Attribution License CC BY-NC, which allows other persons to freely distribute published work with a mandatory reference to authors of the original work and the first publication of the work in this journal.
Authors have the right to conclude separate additional agreements for the non-exclusive distribution of the paper in the form in which it was published by this journal (for example, posting work in electronic repository or publishing as part of a monograph), provided that the link to the first publication in this journal is maintained.
The journal policy allows and encourages authors to post on the Internet (for example, in repositories of institutions or on personal websites) the manuscript of work, both before the submission of this manuscript to the editorial staff, and during its editorial work, as it contributes to the emergence of productive scientific discussion and positively affects the efficiency and dynamics of published work citation (see The Effect of Open Access).