A survey on server-side approaches to securing web applications

Published: 01 March 2014

Abstract

Web applications are one of the most prevalent platforms for information and service delivery over the Internet today. As they are increasingly used for critical services, web applications have become a popular and valuable target for security attacks. Although a large body of techniques has been developed to fortify web applications and mitigate attacks launched against them, little effort has been devoted to drawing connections among these techniques and building the big picture of web application security research.

This article surveys the area of securing web applications from the server side, with the aim of systematizing the existing techniques into a big picture that promotes future research. We first present the unique aspects of web application development that cause inherent challenges in building secure web applications. We then discuss three commonly seen classes of security vulnerabilities in web applications: input validation vulnerabilities, session management vulnerabilities, and application logic vulnerabilities, along with the attacks that exploit them. We organize the existing techniques along two dimensions: (1) the security vulnerabilities and attacks that they address, and (2) the design objective and the phase of a web application's life cycle during which they can be carried out. These phases are secure construction of new web applications, security analysis/testing of legacy web applications, and runtime protection of legacy web applications. Finally, we summarize the lessons learned and discuss future research opportunities in this area.


Published in

ACM Computing Surveys, Volume 46, Issue 4 (April 2014), 463 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/2597757

Copyright © 2014 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 1 March 2014
• Accepted: 1 October 2013
• Revised: 1 June 2013
• Received: 1 March 2012

Qualifiers

• research-article
• Research
• Refereed
