WebAppArmor: a framework for robust prevention of attacks on web applications

Authors:
V. N. Venkatakrishnan;Prithvi Bisht;Mike Ter Louw;Michelle Zhou;Kalpana Gondi;Karthik Thotta Ganesh
Affiliations:
Department of Computer Science, University of Illinois at Chicago;Department of Computer Science, University of Illinois at Chicago;Department of Computer Science, University of Illinois at Chicago;Department of Computer Science, University of Illinois at Chicago;Department of Computer Science, University of Illinois at Chicago;Department of Computer Science, University of Illinois at Chicago
Venue:
ICISS'10 Proceedings of the 6th international conference on Information systems security
Year:
2010

Citing 28
Cited 0

Using parse tree validation to prevent SQL injection attacks

SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Noxes: a client-side solution for mitigating cross-site scripting attacks

Proceedings of the 2006 ACM symposium on Applied computing
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks

Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
JavaScript instrumentation for browser security

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Defeating script injection attacks with browser-enforced embedded policies

Proceedings of the 16th international conference on World Wide Web
Subspace: secure cross-domain communication for web mashups

Proceedings of the 16th international conference on World Wide Web
Finding security vulnerabilities in java applications with static analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
BrowserShield: vulnerability-driven filtering of dynamic HTML

OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of cross-site scripting vulnerabilities

Proceedings of the 30th international conference on Software engineering
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Talking to strangers without taking their candy: isolating proxied content

Proceedings of the 1st Workshop on Social Network Systems
JavaScript Instrumentation in Practice

APLAS '08 Proceedings of the 6th Asian Symposium on Programming Languages and Systems
Securing frame communication in browsers

SS'08 Proceedings of the 17th conference on Security symposium
Lightweight self-protecting JavaScript

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Language-Based Isolation of Untrusted JavaScript

CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks

ACM Transactions on Information and System Security (TISSEC)
GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications

Proceedings of the 17th ACM conference on Computer and communications security
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Strengthening XSRF defenses for legacy web applications using whitebox analysis and transformation

ICISS'10 Proceedings of the 6th international conference on Information systems security
Defending against injection attacks through context-sensitive string evaluation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Automatically preparing safe SQL queries

FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

As the World Wide Web continues to evolve, the number of web-based attacks that target web applications is on the rise. Attacks such as Cross-site Scripting (XSS), SQL Injection and Cross-site Request Forgery (XSRF) are among the topmost threats on the Web, and defending against these attacks is a growing concern. In this paper, we describe WEBAPPARMOR, a framework that is aimed at preventing these attacks on existing (legacy) web applications. The main feature of this framework is that it offers a unified perspective to address these problems in the context of existing web applications. The framework incorporates techniques based on static and dynamic analysis, symbolic evaluation and execution monitoring to retrofit existing web applications to be resilient to these attacks.