Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities

Since 2002, over half of reported cyber vulnerabilities are caused by input validation vulnerabilities . Over 50 % of input validation vulnerabilities were cross-site scripting and SQL injection vulnerabilities in 2006, based on the (US) National Vulnerability Database. Techniques to mitigate cross-site scripting and SQL injection vulnerabilities have been proposed. However, applying those techniques without precise understanding can result in a false sense of security. Clearly understanding the advantages and disadvantages of each security technique can provide a basis for comparison of those techniques. This survey provides a taxonomy of techniques to detect cross-site scripting and SQL injection vulnerabilities based upon of 21 papers published in the IEEE and ACM databases. Our taxonomy characterizes the detection methods and evaluation criteria of the techniques. The taxonomy provides a foundation for comparison among techniques to detect crosssite scripting and SQL injection vulnerabilities. Organizations can use the comparison results to choose appropriate techniques depending on available resources.