Aditya Kurniawan


Aditya Kurniawan - 1840001412

Research Background

The Open Web Application Security Project (OWASP) lists Injection, Broken Authentication and Session Management, and Cross-Site Scripting as the top three of the ten most critical web application risks of 2013. Injection is a favourite of attackers because a data input field can be used directly to inject a malicious payload of the attacker's choosing. In a broken authentication and session management attack, the attacker exploits leaks or flaws in the authentication or session management functions (e.g. exposed accounts, passwords or session IDs) to impersonate users (OWASP, 2014). Cross-Site Scripting (XSS) is a type of injection in which malicious scripts, such as JavaScript or VBScript, are executed on the client side.

The most basic way to prevent injection attacks is to sanitize the input to the web application, for example with sanitation functions based on regular expressions. Regular expressions are highly complex to write correctly for every input case, and they sometimes raise false alarms (false positives) (Bandhakavi, 2011). Attackers use tools and software to automate attacks against a system; if the attack is automated, the defence can be automated as well (Rieck, 2011).

An automated code checking system can use machine learning algorithms to detect patterns in code. Automated detection of vulnerable code with machine learning began with the detection of API usage patterns in the FFmpeg library (Yamaguchi, Lindner, and Rieck, 2010), and this work evolved into the detection of code weaknesses in general, that is, of functions likely to be vulnerable, in projects such as LibTIFF, FFmpeg, Pidgin, and Asterisk using the Abstract Syntax Tree (Yamaguchi, Lottmann, and Rieck, 2012). Machine learning has also been used for the structural detection of malware on the Android mobile platform using embedded call graphs (Gascon, Yamaguchi, Rieck, and Arp, 2013), and the most recent research detects buffer overflows, integer overflows, format string weaknesses and memory disclosure in the Linux kernel using the Code Property Graph (Yamaguchi, Golde, Arp, and Rieck, 2014).
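The fragility of regular-expression input sanitation discussed above can be seen in a few lines. The following is an added example, not code from the thesis: a constructed blacklist regex of the kind a sanitiser might use, run side by side with a concatenated SQL query (the pattern the filter is meant to protect) and a parameterised query, against an in-memory sqlite3 table with constructed rows. The blacklist rejects a legitimate name containing an apostrophe (a false positive) while the parameterised query needs no filter at all.

```python
import re
import sqlite3

# Constructed blacklist of the kind a regex-based sanitiser might use.
SQLI_BLACKLIST = re.compile(r"'|--|;|\b(?:or|and|union|select)\b", re.IGNORECASE)


def regex_rejects(value):
    """True if the blacklist would refuse the input before it reaches the query."""
    return SQLI_BLACKLIST.search(value) is not None


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "user"), ("O'Brien", "user"), ("root", "admin")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the input is pasted into the SQL text (what the blacklist tries to guard)."""
    return conn.execute("SELECT name, role FROM users WHERE name = '" + name + "'").fetchall()


def lookup_param(conn, name):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run one input through the filter, the concatenated query and the parameterised query."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:          # broken SQL, e.g. an unbalanced quote
        concat = "error: " + str(exc)
    return {
        "blacklist_rejects": regex_rejects(name),
        "concat_rows": concat,
        "param_rows": lookup_param(conn, name),
    }


if __name__ == "__main__":
    for probe in ["alice", "O'Brien", "' OR '1'='1", "rock and roll"]:
        print(repr(probe), compare(probe))
```

For "O'Brien" the filter rejects a valid user, the concatenated query breaks with a syntax error, and only the parameterised query returns the row; for the tautology payload the filter happens to catch it, but the concatenated query would otherwise return every row, while the parameterised query simply returns nothing.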

Problem Statement

The web is the primary attack vector for attackers because web applications on the internet are always exposed. Detecting web weaknesses with software that tests the application by simulating code injection attacks often gives false positives or false detections, so a different approach is needed: detecting the weakness directly in the web code. Repairing weak web code is crucial to preventing attacks. The complexity of web application architectures means that auditing, one by one, each piece of code flagged as a security loophole takes a lot of time, and because the layered web architecture allows several categories of injection attack, each category has its own distinct pattern of weak code. Using machine learning to detect weak web code would be a significant contribution to the field of cyber security.

Research Methodology

The research method is divided into five steps, described as follows: literature review, problem analysis, algorithm development, implementation, and evaluation. The literature review studied the literature on SQL injection and cross-site scripting (XSS) code.

Problem analysis examines SQL injection attack (SQLIA) and XSS code, and code flagged as a web security hole that can be attacked, so that patterns of this vulnerable code can be found. Development of the machine learning algorithm starts with defining classifications and categories for such web code patterns and collecting the data used as training material; the next step is to choose a machine learning algorithm that fits the code patterns. The implementation phase starts by coding the algorithm from the previous step into the system. Python is used as the programming language because it is well suited to implementing the many algorithms and mathematical equations involved in the computation. Once the algorithm is coded, the classification of web code patterns is trained on the collected data. Once training is complete, the automated web code weakness detection system can be tested and results obtained. The last step is the evaluation of the test results to determine how effective the algorithm coded into the system is.
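The pipeline described above (collect labelled code patterns, build a model, classify new code, evaluate) can be illustrated end to end. The following is an added example and not the thesis's own implementation: it applies a simplified form of the vulnerability-extrapolation idea cited in the background (bag of API symbols with idf weighting and cosine similarity, without the latent semantic analysis step of the original work) to constructed PHP snippets labelled as SQL injection, XSS, or safe, and measures accuracy on a constructed held-out set. The symbol extractor, the snippets and the labels are all assumptions made for the example.

```python
import math
import re

# Constructed PHP snippets used as training material (not from the thesis).
# The label is the weakness category the snippet exemplifies, or "safe".
TRAINING = [
    ("sqli", "$q = \"SELECT * FROM users WHERE name = '\" . $_GET['name'] . \"'\"; mysql_query($q);"),
    ("sqli", "$id = $_POST['id']; mysqli_query($db, \"DELETE FROM items WHERE id = $id\");"),
    ("xss",  "echo \"<p>Hello \" . $_GET['user'] . \"</p>\";"),
    ("xss",  "print(\"<div>\" . $_REQUEST['msg'] . \"</div>\");"),
    ("safe", "$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?'); $stmt->execute([$_GET['name']]);"),
    ("safe", "echo '<p>Hello ' . htmlspecialchars($_GET['user'], ENT_QUOTES) . '</p>';"),
]

# Held-out snippets (also constructed) for the evaluation step.
HELD_OUT = [
    ("sqli", "$user = $_POST['user']; $rows = mysql_query(\"SELECT id FROM accounts WHERE user = '$user'\");"),
    ("xss",  "echo \"<b>\" . $_REQUEST['q'] . \"</b>\";"),
    ("safe", "$stmt = $pdo->prepare('DELETE FROM items WHERE id = ?'); $stmt->execute([$_POST['id']]);"),
]

SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)")   # taint sources
FUNC_CALL = re.compile(r"(?<!->)\b([A-Za-z_]\w*)\s*\(")              # plain function calls
METHOD_CALL = re.compile(r"->\s*(\w+)")                               # object method calls
OUTPUT_STMT = re.compile(r"\b(?:echo|print)\b")                       # HTML output sinks


def symbols(code):
    """The set of API symbols in a snippet: sources, calls and output statements."""
    syms = set(SUPERGLOBAL.findall(code))
    syms.update(FUNC_CALL.findall(code))
    syms.update("->" + m for m in METHOD_CALL.findall(code))
    syms.update(OUTPUT_STMT.findall(code))
    return syms


class SymbolModel:
    """Nearest-neighbour classifier over idf-weighted symbol vectors."""

    def __init__(self, labeled):
        self.n = len(labeled)
        self.df = {}
        items = [(label, symbols(code)) for label, code in labeled]
        for _, syms in items:
            for s in syms:
                self.df[s] = self.df.get(s, 0) + 1
        self.vectors = [(label, self.vector(syms)) for label, syms in items]

    def idf(self, sym):
        # Smoothed so a symbol unseen in training still gets a (large) weight.
        return math.log((self.n + 1) / (self.df.get(sym, 0) + 1))

    def vector(self, syms):
        return {s: self.idf(s) for s in syms}

    @staticmethod
    def cosine(a, b):
        dot = sum(a[s] * b[s] for s in a if s in b)
        na = math.sqrt(sum(w * w for w in a.values()))
        nb = math.sqrt(sum(w * w for w in b.values()))
        return dot / (na * nb) if na and nb else 0.0

    def classify(self, code):
        """Label of the most similar training snippet, with the similarity score."""
        q = self.vector(symbols(code))
        label, vec = max(self.vectors, key=lambda lv: self.cosine(q, lv[1]))
        return label, round(self.cosine(q, vec), 3)


def evaluate(model, labeled):
    """Evaluation step: fraction of held-out snippets classified correctly."""
    hits = sum(model.classify(code)[0] == label for label, code in labeled)
    return hits / len(labeled)


if __name__ == "__main__":
    model = SymbolModel(TRAINING)
    for label, code in HELD_OUT:
        print(label, "->", model.classify(code))
    print("accuracy:", evaluate(model, HELD_OUT))
```

The symbol extractor is the part that carries the "pattern of the weak code": a taint source such as $_GET reaching a query or output function without htmlspecialchars or a prepared statement in between is what makes the sqli and xss training vectors similar to new vulnerable code. On a real corpus the training set would have to be far larger and the extractor replaced by a proper parser, since a regex cannot tell a string literal from code.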

References

Bandhakavi, S. (2011). Automated Detection of Injection Vulnerabilities in Web Applications. University of Illinois.

Gascon, H., Yamaguchi, F., Rieck, K., & Arp, D. (2013). Structural Detection of Android Malware using Embedded Call Graphs.

Jovanovic, N. (2007). Web Application Security. Vienna University.

OWASP. (2014). OWASP Top 10 - 2013. Retrieved from https://www.owasp.org/index.php/Top_10_2013-Top_10

Yamaguchi, F. (2011). Automated Extraction of API Usage Patterns from Source Code for Vulnerability Identification. Technische Universität Berlin.

Yamaguchi, F., Golde, N., Arp, D., & Rieck, K. (2014). Modeling and Discovering Vulnerabilities with Code Property Graphs. 2014 IEEE Symposium on Security and Privacy, 590–604. doi:10.1109/SP.2014.44

Yamaguchi, F., Lindner, F. F. X., & Rieck, K. (2010). Vulnerability Extrapolation: Assisted Discovery of Vulnerabilities using Machine Learning.

Yamaguchi, F., Lottmann, M., & Rieck, K. (2012). Generalized vulnerability extrapolation using abstract syntax trees. Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC '12), 359. doi:10.1145/2420950.2421003
