Learning Algorithms in Static Analysis of Web Applications

by   Akash Nagaraj, et al.

Web applications are distributed applications, they are programs that run on more than one computer and communicate through a network or server. This very distributed nature of web applications, combined with the scale and sheer complexity of modern software systems complicate manual security auditing, while also creating a huge attack surface of potential hackers. These factors are making automated analysis a necessity. Static Application Security Testing (SAST) is a method devised to automatically analyze application source code of large code bases without compiling it, and design conditions that are indicative of security vulnerabilities. However, the problem lies in the fact that the most widely used Static Application Security Testing Tools often yield unreliable results, owing to the false positive classification of vulnerabilities grossly outnumbering the classification of true positive vulnerabilities. This is one of the biggest hindrances to the proliferation of SAST testing, which leaves the user to review hundreds, if not thousands, of potential warnings, and classify them as either actionable or spurious. We try to minimize the problem of false positives by introducing a technique to filter the output of SAST tools. The aim of the project is to apply learning algorithms to the output by analyzing the true and false positives classified by OWASP Benchmark, and eliminate, or reduce the number of false positives presented to the user of the SAST Tool.


page 1

page 2

page 3


Ranking Warnings of Static Analysis Tools Using Representation Learning

Static analysis tools are frequently used to detect potential vulnerabil...

Validating Static Warnings via Testing Code Fragments

Static analysis is an important approach for finding bugs and vulnerabil...

Minimize Web Applications vulnerabilities through the early Detection of CRLF Injection

Carriage return (CR) and line feed (LF), also known as CRLF injection is...

Using ChatGPT as a Static Application Security Testing Tool

In recent years, artificial intelligence has had a conspicuous growth in...

Did JHotDraw Respect the Law of Good Style?: A deep dive into the nature of false positives of bad code smells

Developers need to make a constant effort to improve the quality of thei...

Did JHotDraw respect the Law of Good Style? – An exploratory deep dive into the nature of false positives of bad code smells

Developers need to make a constant effort to improve the quality of thei...

Nowhere to Hide: Detecting Obfuscated Fingerprinting Scripts

As the web moves away from stateful tracking, browser fingerprinting is ...

Please sign up or login with your details

Forgot password? Click here to reset