Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Automatic analysis of firewall and network intrusion detection system configurations
Proceedings of the 2004 ACM workshop on Formal methods in security engineering
Bypass Testing of Web Applications
ISSRE '04 Proceedings of the 15th International Symposium on Software Reliability Engineering
An overview of JML tools and applications
International Journal on Software Tools for Technology Transfer (STTT) - Special section on formal methods for industrial critical systems
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Dynamic Taint Propagation for Java
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Safe Concurrency for Aggregate Objects with Invariants
SEFM '05 Proceedings of the Third IEEE International Conference on Software Engineering and Formal Methods
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Static verification of indirect data sharing in loosely-coupled component systems
SC'06 Proceedings of the 5th international conference on Software Composition
A formal logic approach to firewall packet filtering analysis and generation
Artificial Intelligence Review
| Hi-index | 0.00 |
Web applications are the Achilles heel of our current ICT infrastructure. NIST's national vulnerability database clearly shows that the percentage of vulnerabilities located in the application layer increases steadily. Web Application Firewalls (WAFs) play an important role in preventing exploitation of vulnerabilities in web applications. However, WAFs are very pragmatic and ad hoc, and it is very hard to state precisely what security guarantees they offer.The main contribution of this paper is that it shows how, through a combination of static and dynamic verification, WAFs can formally guarantee the absence of certain kinds of erroneous behaviour in web applications. We have done a prototype implementation of our approach building on an existing static verification tool for Java, and we have applied our approach to a medium-sized J2EE based web application.