An Automated Mechanism for Secure Input Handling

Numbers of the programs are poorly written, lacking even the most basic security procedures for handling input data from users. The input validation vulnerability can be detected by many tools but few tools can fix the flaws automatically. The security gateway can used to protect vulnerable Web sites immediately but it may induce false recognition through impersonal rule. By means of hybrid analysis and injection test, the vulnerable Web pages can be listed. Only those in vulnerable list need to be checked completely, so as to mitigate the system load and false positives effectively. Moreover an algorithm based on multilevel strategy is proposed producing individual sanitizing rule automatically for every vulnerable injection point. To meet the aim of automated validation, the enhanced crawler, the testing framework and the metaprograms are integrated into a sanitizing mechanism after we analyze the data flow. According to the experimental results, the mechanism has been proved to be a more effective scheme than those traditional input handling methods for mitigating malicious injection.