Paper published in a book (Scientific congresses, symposiums and conference proceedings)
KAVe: A Tool to Detect XSS and SQLi Vulnerabilities using a Multi-Agent System over a Multi-Layer Knowledge Graph
ROSA MESQUITA RAMIRES, Rafael Francisco; PAPADAKIS, Michail; Respício, Ana et al.
2025 • In Li, Jingyue (Ed.) FSE Companion 2025 - Companion Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering
Multi-Agent System; Multi-Layer Knowledge Graph; Software Security; Static Analysis; Web Application Vulnerabilities; Application developers; Knowledge graphs; Multiagent systems (MASs); SQL injection; Web application; Web application vulnerability; Web applications; Software
Abstract :
[en] Web applications have been widely adopted to access a myriad of services, regardless of their criticality and context. Application developers have accelerated their efforts to meet the demands of a competitive and dynamic market for innovative products. Despite considerable efforts to detect and mitigate vulnerabilities in applications, their prevalence continues to increase, primarily because the rapid pace of software development often prioritizes deployment speed over security. This paper presents KAVe, a static analysis tool that leverages a multi-layer knowledge graph and a multi-agent system to detect web application vulnerabilities with high precision. The paper showcases KAVe's implementation and its ability to identify SQL injection (SQLi) and cross-site scripting (XSS) vulnerabilities in real-world PHP applications.
Disciplines :
Computer science
Author, co-author :
ROSA MESQUITA RAMIRES, Rafael Francisco ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SerVal ; LASIGE, DI, Faculdade de Ciências, Universidade de Lisboa, Portugal
PAPADAKIS, Michail ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SerVal
Respício, Ana ; LASIGE, DI, Faculdade de Ciências, Universidade de Lisboa, Portugal
Medeiros, Ibéria ; LASIGE, DI, Faculdade de Ciências, Universidade de Lisboa, Portugal
External co-authors :
yes
Language :
English
Title :
KAVe: A Tool to Detect XSS and SQLi Vulnerabilities using a Multi-Agent System over a Multi-Layer Knowledge Graph
Publication date :
28 July 2025
Event name :
Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering
Event place :
Trondheim, Norway
Event date :
23-06-2025 to 27-06-2025
Main work title :
FSE Companion 2025 - Companion Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering
Funders :
ACM SIGSOFT; ByteDance et al.; Huawei; Research Council of Norway; U.S. National Science Foundation
Funding text :
This work was partially supported by P2030 through project I2DT, ref. COMPETE2030-FEDER-00389100, an ITEA4 European project (ref. 22025), and by FCT through the LASIGE Research Unit, ref. UIDB/00408/2025-LASIGE.