Black-box web vulnerability scanners are a popular choice for finding security vulnerabilities in web applications in an automated fashion. These tools operate in a point-and-shoot manner, testing any web application, regardless of the server-side language, for common security vulnerabilities. Unfortunately, black-box tools suffer from a number of limitations, particularly when interacting with complex applications that have multiple actions that can change the application's state. If a vulnerability analysis tool does not take into account changes in the web application's state, it might overlook vulnerabilities or completely miss entire portions of the web application. We propose a novel way of inferring the web application's internal state machine from the outside, that is, by navigating through the web application, observing differences in output, and incrementally producing a model representing the web application's state. We utilize the inferred state machine to drive a black-box web application vulnerability scanner. Our scanner traverses a web application's state machine to find and fuzz user-input vectors and discover security flaws. We implemented our technique in a prototype crawler and linked it to the fuzzing component of an open-source web vulnerability scanner. We show that our state-aware black-box web vulnerability scanner is able not only to exercise more code of the web application, but also to discover vulnerabilities that other vulnerability scanners miss.
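The following Python sketch is an added illustration of the state-inference idea described above; it is not code from the paper or its prototype crawler. `ToyApp` is a constructed stand-in for a web application with hidden server-side state, the fingerprint is a plain hash rather than the structural page comparison a real scanner would use, and attributing a detected state change to the request made just before it is a simplification of the paper's heuristic.

```python
import hashlib


class ToyApp:
    """Constructed stand-in for a web application with hidden server-side
    state (a login flag). The crawler never observes this flag directly."""

    def __init__(self):
        self.logged_in = False

    def request(self, path):
        if path == "/login":
            self.logged_in = True          # the only state-changing request
            return "Welcome back. <a href='/profile'>profile</a>"
        if path == "/profile":
            return "Your profile" if self.logged_in else "Please log in first"
        if path == "/index":
            if self.logged_in:
                return "Home <a href='/logout'>logout</a>"
            return "Home <a href='/login'>login</a>"
        return "404 not found"


def fingerprint(body):
    """Cheap page fingerprint (assumption: exact content hash suffices)."""
    return hashlib.sha256(body.encode()).hexdigest()[:8]


def infer_state_machine(app, requests):
    """Replay `requests` against `app` and build a state graph from outside.
    A state change is detected when a request already seen in the current
    state now returns a different page; the change is attributed to the
    request issued just before it (simplified heuristic, see lead-in).
    Returns (number_of_states, [(from_state, request, to_state), ...])."""
    state, next_state = 0, 1
    seen = {}             # (state, path) -> fingerprint observed there
    transitions = []
    prev = None
    for path in requests:
        fp = fingerprint(app.request(path))
        known = seen.get((state, path))
        if known is not None and known != fp:
            # Same request, different output: the app moved to a new state.
            transitions.append((state, prev, next_state))
            state, next_state = next_state, next_state + 1
        seen[(state, path)] = fp
        prev = path
    return next_state, transitions


if __name__ == "__main__":
    walk = ["/index", "/profile", "/login", "/index", "/profile"]
    print(infer_state_machine(ToyApp(), walk))
```

Re-requesting `/index` after `/login` yields a different page, so the crawler learns that `/login` is a transition into a second state, which a state-unaware scanner would never model.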