This paper presents a field study on web security vulnerabilities from the programming language type system perspective. Security patches reported for a set of 11 widely used web applications written in strongly typed languages (Java, C#, VB.NET) were analyzed in order to understand the fault types that are responsible for the vulnerabilities observed (SQL injection and XSS). The results are analyzed and compared with a similar work on web applications written in a weakly typed language (PHP). This comparison points out that some of the types of defects that lead to vulnerabilities are programming language independent, while others are strongly related to the language used. Strongly typed languages do reduce the frequency of vulnerabilities, as expected, but there is still a considerable number of vulnerabilities observed in the field. The characterization of those vulnerabilities shows that they are caused by a small number of fault types. This result is relevant for training programmers and code inspectors in the manual detection of such faults, and for improving static code analyzers to automatically detect the most frequent vulnerable program structures found in the field.