Web Application Weakness Ontology Based on Vulnerability Data

Web applications are becoming more ubiquitous. All manner of physical devices are now connected and often have a variety of web applications and web-interfaces. This proliferation of web applications has been accompanied by an increase in reported software vulnerabilities. The objective of this analysis of vulnerability data is to understand the current landscape of reported web application flaws. Along those lines, this work reviews ten years (2011 - 2020) of vulnerability data in the National Vulnerability Database. Based on this data, most common web application weaknesses are identified and their profiles presented. A weakness ontology is developed to capture the attributes of these weaknesses. These include their attack method and attack vectors. Also described is the impact of the weaknesses to software quality attributes. Additionally, the technologies that are susceptible to each weakness are presented, they include programming languages, frameworks, communication protocols, and data formats.