Web application security assessment by fault injection and behavior monitoring

Authors:
Yao-Wen Huang;Shih-Kun Huang;Tsung-Po Lin;Chung-Hung Tsai
Affiliations:
Academia Sinica, Taipei, Taiwan;Academia Sinica, Taipei, Taiwan;Academia Sinica, Taipei, Taiwan;National Chiao Tung University, Taiwan
Venue:
WWW '03 Proceedings of the 12th international conference on World Wide Web
Year:
2003

Citing 27
Cited 44

Software fault injection: inoculating programs against errors

Software fault injection: inoculating programs against errors
SPHINX: a framework for creating personal, site-specific Web crawlers

WWW7 Proceedings of the seventh international conference on World Wide Web 7
Operating system enhancements to prevent the misuse of system calls

Proceedings of the 7th ACM conference on Computer and communications security
Security models for web-based applications

Communications of the ACM
Analysis and testing of Web applications

ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Evaluating the reverse engineering capabilities of Web tools for understanding site content and structure: a case study

ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Parallel crawlers

Proceedings of the 11th international conference on World Wide Web
Abstracting application-level web security

Proceedings of the 11th international conference on World Wide Web
The project

ACM Transactions on Internet Technology (TOIT)
MOPS: an infrastructure for examining security properties of software

Proceedings of the 9th ACM conference on Computer and communications security
Understanding and Restructuring Web Sites with ReWeb

IEEE MultiMedia
Improving Security Using Extensible Lightweight Static Analysis

IEEE Software
Quality Attributes of Web Software Applications

IEEE Software
Experiences with Specification-Based Intrusion Detection

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Crawling the Hidden Web

Proceedings of the 27th International Conference on Very Large Data Bases
WARE: A Tool for the Reverse Engineering of Web Applications

CSMR '02 Proceedings of the 6th European Conference on Software Maintenance and Reengineering
An Approach for Reverse Engineering of Web-Based Applications

WCRE '01 Proceedings of the Eighth Working Conference on Reverse Engineering (WCRE'01)
Web Application Slicing

ICSM '01 Proceedings of the IEEE International Conference on Software Maintenance (ICSM'01)
Web Site Analysis: Structure and Evolution

ICSM '00 Proceedings of the International Conference on Software Maintenance (ICSM'00)
Design and Implementation of a High-Performance Distributed Web Crawler

ICDE '02 Proceedings of the 18th International Conference on Data Engineering
Detecting and countering system intrusions using software wrappers

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Synthesizing fast intrusion prevention/detection systems from high-level specifications

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
On preventing intrusions by process behavior monitoring

ID'99 Proceedings of the 1st conference on Workshop on Intrusion Detection and Network Monitoring - Volume 1
Detours: binary interception of Win32 functions

WINSYM'99 Proceedings of the 3rd conference on USENIX Windows NT Symposium - Volume 3
WebGlimpse: combining browsing and searching

ATEC '97 Proceedings of the annual conference on USENIX Annual Technical Conference
Distributed search over the hidden web: hierarchical database sampling and selection

VLDB '02 Proceedings of the 28th international conference on Very Large Data Bases
Detecting malicious software by monitoring anomalous windows registry accesses

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

Securing web application code by static analysis and runtime protection

Proceedings of the 13th international conference on World Wide Web
Testing web database applications

ACM SIGSOFT Software Engineering Notes
Combining static analysis and runtime monitoring to counter SQL-injection attacks

WODA '05 Proceedings of the third international workshop on Dynamic analysis
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks

SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Preventing SQL injection attacks using AMNESIA

Proceedings of the 28th international conference on Software engineering
Precise alias analysis for static detection of web application vulnerabilities

Proceedings of the 2006 workshop on Programming languages and analysis for security
SecuBat: a web vulnerability scanner

Proceedings of the 15th international conference on World Wide Web
Noxes: a client-side solution for mitigating cross-site scripting attacks

Proceedings of the 2006 ACM symposium on Applied computing
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks

Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Improving test case generation for web applications using automated interface discovery

Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
An empirical approach to evaluating web application compliance across diverse client platform configurations

International Journal of Web Engineering and Technology
Proposing SQL statement coverage metrics

Proceedings of the fourth international workshop on Software engineering for secure systems
SAFELI: SQL injection scanner using symbolic execution

TAV-WEB '08 Proceedings of the 2008 workshop on Testing, analysis, and verification of web services and applications
Leveraging User Interactions for In-Depth Testing of Web Applications

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Classification Agent-Based Techniques for Detecting Intrusions in Databases

HAIS '08 Proceedings of the 3rd international workshop on Hybrid Artificial Intelligence Systems
Security from the bottom-up: compliance regulations and the trend toward design-oriented web applications

Journal of Computing Sciences in Colleges
Another viewpoint on "evaluating web software reliability based on workload and failure data extracted from server logs"

Empirical Software Engineering
The life and death of statically detected vulnerabilities: An empirical study

Information and Software Technology
Precise interface identification to improve testing and analysis of web applications

Proceedings of the eighteenth international symposium on Software testing and analysis
A solution for the automated detection of clickjacking attacks

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
An automatic meta-revised mechanism for anti-malicious injection

NBiS'07 Proceedings of the 1st international conference on Network-based information systems
A semantic data validation service for web applications

Journal of Theoretical and Applied Electronic Commerce Research
A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications

Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems
Static analysis for detecting taint-style vulnerabilities in web applications

Journal of Computer Security
Perturbation-based user-input-validation testing of web applications

Journal of Systems and Software
HengHa: data harvesting detection on hidden databases

Proceedings of the 2010 ACM workshop on Cloud computing security workshop
Using allopoietic agents in replicated software to respond to errors, faults, and attacks

Proceedings of the 48th Annual Southeast Regional Conference
Coverage criteria for automatic security testing of web applications

ICISS'10 Proceedings of the 6th international conference on Information systems security
The challenge of data and application security and privacy (DASPY): are we up to it

Proceedings of the first ACM conference on Data and application security and privacy
Security sensitive data flow coverage criterion for automatic security testing of web applications

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Preventing web application injections with complementary character coding

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Securing RFID systems from SQLIA

ICA3PP'11 Proceedings of the 11th international conference on Algorithms and architectures for parallel processing - Volume Part II
SNOOZE: toward a stateful network protocol fuzZEr

ISC'06 Proceedings of the 9th international conference on Information Security
PSIAQOP: preventing SQL injection attacks based on query optimization process

Proceedings of the Second Kuwait Conference on e-Services and e-Systems
Mitigating program security vulnerabilities: Approaches and challenges

ACM Computing Surveys (CSUR)
Enemy of the state: a state-aware black-box web vulnerability scanner

Security'12 Proceedings of the 21st USENIX conference on Security symposium
AppsPlayground: automatic security analysis of smartphone applications

Proceedings of the third ACM conference on Data and application security and privacy
Technological assessment of e-government web presence in Nigeria

Proceedings of the 6th International Conference on Theory and Practice of Electronic Governance
EARs in the wild: large-scale analysis of execution after redirect vulnerabilities

Proceedings of the 28th Annual ACM Symposium on Applied Computing
A survey on server-side approaches to securing web applications

ACM Computing Surveys (CSUR)
Automatic detection and correction of web application vulnerabilities using data mining to predict false positives

Proceedings of the 23rd international conference on World wide web
Detection of cross site scripting attack in wireless networks using n-Gram and SVM

Mobile Information Systems - Advances in Network-Based Information Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.