As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.