As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. Recent years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of security incidents involving the loss of sensitive credit card information belonging to millions of customers.

Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, many web sites on the Internet are vulnerable.

This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole had been closed.
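The abstract describes the scanner only at the level of "crawl sites, inject attacks, confirm exploitability". The following is an added illustration, written for this page and not SecuBat's own code, of the minimal skeleton such a black-box scanner needs: a crawler that discovers forms, an attack step that injects an XSS probe and SQL injection probes one field at a time, and an analysis step that decides from the response whether the injection worked (probe reflected unencoded, or a database error message leaked). The target site `fake_app` (host `target.example`, its paths, its flaws) and the probe strings are constructed for the example so it runs offline; a real scanner would issue HTTP requests instead and would need far more probes and response heuristics.

```python
import re
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs, urlencode

# --- Constructed target -------------------------------------------------------
# Hypothetical in-memory web application standing in for a real site so the
# example runs offline. Its flaws are deliberate: /search reflects input raw,
# /login leaks a database error on a stray quote, /comment escapes correctly.
def fake_app(method, url, data=None):
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update(data or {})
    if parts.path == "/":
        return 200, ('<a href="/search">search</a> <a href="/login">login</a> '
                     '<a href="/comment">comment</a> <a href="http://other.example/">out</a>')
    if parts.path == "/search":
        q = params.get("q", "")  # reflected without escaping: XSS
        return 200, ('<form action="/search" method="get"><input name="q"></form>'
                     f"You searched for: {q}")
    if parts.path == "/login":
        if "'" in params.get("user", ""):  # quote breaks the query: SQL injection
            return 500, "You have an error in your SQL syntax; check the manual ..."
        return 200, ('<form action="/login" method="post"><input name="user">'
                     '<input name="pw" type="password"></form>Login failed')
    if parts.path == "/comment":
        text = html.escape(params.get("text", ""))  # escaped: not exploitable
        return 200, ('<form action="/comment" method="post">'
                     f'<textarea name="text"></textarea></form><p>{text}</p>')
    return 404, "not found"

# --- Crawl component ----------------------------------------------------------
class PageParser(HTMLParser):
    """Collects the links on a page and its forms (action, method, field names)."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.forms, self._form = base, [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or self.base),
                          "method": (a.get("method") or "get").upper(), "fields": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name") and a.get("type") != "submit":
                self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(fetch, start, max_pages=50):
    """Breadth-first crawl confined to the start host; returns every form found."""
    host, seen, queue, forms = urlparse(start).netloc, set(), [start], []
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        _, body = fetch("GET", url)
        page = PageParser(url)
        page.feed(body)
        forms.extend(page.forms)
        queue.extend(l for l in page.links if urlparse(l).netloc == host and l not in seen)
    return forms

# --- Attack and analysis components -------------------------------------------
XSS_PROBE = '<script>alert("xss-probe")</script>'
SQLI_PROBES = ["'", "' OR '1'='1"]
SQL_ERROR_RE = re.compile(r"sql syntax|syntax error at or near|unclosed quotation mark"
                          r"|ORA-\d{5}|SQLSTATE", re.I)

def submit(fetch, form, data):
    """Sends the form the way a browser would: query string for GET, body for POST."""
    if form["method"] == "GET":
        return fetch("GET", form["action"] + "?" + urlencode(data))
    return fetch("POST", form["action"], data)

def attack(fetch, forms):
    """Injects one field at a time with benign values elsewhere and checks each response."""
    findings = []
    for form in forms:
        for field in form["fields"]:
            data = {f: "test" for f in form["fields"]}
            data[field] = XSS_PROBE
            _, body = submit(fetch, form, data)
            if XSS_PROBE in body:  # probe came back unencoded: reflected XSS
                findings.append(("xss", form["action"], field))
            for probe in SQLI_PROBES:
                data[field] = probe
                _, body = submit(fetch, form, data)
                if SQL_ERROR_RE.search(body):  # DB error leaked: likely SQL injection
                    findings.append(("sqli", form["action"], field))
                    break
    return findings

def scan(fetch, start):
    return attack(fetch, crawl(fetch, start))

if __name__ == "__main__":
    for kind, action, field in scan(fake_app, "http://target.example/"):
        print(f"{kind}: {action} field={field}")
```

Run against the constructed site, the scan reports the reflected XSS in the `q` field of `/search` and the SQL injection in the `user` field of `/login`, and stays silent on `/comment`, whose output is HTML-escaped. The analysis step is the weak point of any scanner of this kind: a reflected probe is strong evidence, but a leaked error message only indicates that a quote reached the query, so the abstract's manual confirmation of one hundred sites is exactly the step a practitioner should not skip before reporting.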