Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Noxes: a client-side solution for mitigating cross-site scripting attacks
Proceedings of the 2006 ACM symposium on Applied computing
Large-scale vulnerability analysis
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Have things changed now?: an empirical study of bug characteristics in modern open source software
Proceedings of the 1st workshop on Architectural and system support for improving software dependability
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Sound and precise analysis of web applications for injection vulnerabilities
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Using web application construction frameworks to protect against code injection attacks
Proceedings of the 2007 workshop on Programming languages and analysis for security
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Better abstractions for secure server-side scripting
Proceedings of the 17th international conference on World Wide Web
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
Ripley: automatically securing web 2.0 applications through replicated execution
Proceedings of the 16th ACM conference on Computer and communications security
Regular expressions considered harmful in client-side XSS filters
Proceedings of the 19th international conference on World wide web
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Security Trend Analysis with CVE Topic Models
ISSRE '10 Proceedings of the 2010 IEEE 21st International Symposium on Software Reliability Engineering
Proceedings of the 26th Annual Computer Security Applications Conference
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Secure code generation for web applications
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
An empirical analysis of input validation mechanisms in web applications and languages
Proceedings of the 27th Annual ACM Symposium on Applied Computing
Automated detection of client-state manipulation vulnerabilities
Proceedings of the 34th International Conference on Software Engineering
Security through extensible type systems
Proceedings of the 3rd annual conference on Systems, programming, and applications: software for humanity
An empirical study of vulnerability rewards programs
SEC'13 Proceedings of the 22nd USENIX conference on Security
| Hi-index | 0.00 |
Web applications have become important services in our daily lives. Millions of users use web applications to obtain information, perform financial transactions, have fun, socialize, and communicate. Unfortunately, web applications are also frequently targeted by attackers. Recent data from SANS institute estimates that up to 60% of Internet attacks target web applications. In this paper, we perform an empirical analysis of a large number of web vulnerability reports with the aim of understanding how input validation flaws have evolved in the last decade. In particular, we are interested in finding out if developers are more aware of web security problems today than they used to be in the past. Our results suggest that the complexity of the attacks have not changed significantly and that many web problems are still simple in nature. Hence, despite awareness programs provided by organizations such as MITRE, SANS Institute and OWASP, application developers seem to be either not aware of these classes of vulnerabilities, or unable to implement effective countermeasures. Therefore, we believe that there is a growing need for languages and application platforms that attack the root of the problem and secure applications by design.