Web Application Weakness Ontology Based on Vulnerability Data

TL;DR

This paper analyzes ten years of vulnerability data to identify common web application weaknesses, developing an ontology to categorize their attributes, attack methods, and impacted technologies, aiding in understanding and mitigating these flaws.

Contribution

It introduces a comprehensive web application weakness ontology based on extensive vulnerability data, capturing attributes, attack vectors, impacts, and susceptible technologies.

Findings

Identified the most common web application weaknesses from 2011-2020.

Developed an ontology capturing weakness attributes and attack methods.

Mapped weaknesses to specific technologies and impact profiles.

Abstract

Web applications are becoming more ubiquitous. All manner of physical devices are now connected and often have a variety of web applications and web-interfaces. This proliferation of web applications has been accompanied by an increase in reported software vulnerabilities. The objective of this analysis of vulnerability data is to understand the current landscape of reported web application flaws. Along those lines, this work reviews ten years (2011 - 2020) of vulnerability data in the National Vulnerability Database. Based on this data, most common web application weaknesses are identified and their profiles presented. A weakness ontology is developed to capture the attributes of these weaknesses. These include their attack method and attack vectors. Also described is the impact of the weaknesses to software quality attributes. Additionally, the technologies that are susceptible to each weakness are presented, they include programming languages, frameworks, communication protocols, and data formats.