External Interaction Vulnerabilities (EIVs) are currently the most common class of vulnerability in web applications. These vulnerabilities allow attackers to use a vulnerable web application as a vessel for transmitting malicious code to the external systems that interact with it; the malicious code modifies the semantic content of the information sent to the external application. Current vulnerability detection approaches are black-box oriented and do not take advantage of the data flow information that is available in the source code. In this paper, we introduce a white-box approach, called EIV analysis, for eliminating web application vulnerabilities. The strategy allows investigators to accurately identify every input entering the web application and to model that input as it reaches the external systems acting as data sinks. The strategy is partially automated, resulting in substantial effort savings compared with common industrial approaches, while also providing superior performance in terms of vulnerability detection. A case study using a commercial, currently deployed, mission-critical web application is presented to demonstrate the validity of these claims.