Abstract
Web applications are one of the most prevalent platforms for information and service delivery over the Internet today. As they are increasingly used for critical services, web applications have become a popular and valuable target for security attacks. Although a large body of techniques has been developed to fortify web applications and mitigate the attacks launched against them, little effort has been devoted to drawing connections among these techniques and building the big picture of web application security research.
This article surveys the area of securing web applications from the server side, with the aim of systematizing the existing techniques into a big picture that promotes future research. We first present the unique aspects of web application development that cause inherent challenges in building secure web applications. We then discuss three commonly seen classes of security vulnerability within web applications: input validation vulnerabilities, session management vulnerabilities, and application logic vulnerabilities, along with the attacks that exploit them. We organize the existing techniques along two dimensions: (1) the security vulnerabilities and attacks that they address, and (2) the design objective and the phase of a web application's life cycle during which they can be carried out. These phases are secure construction of new web applications, security analysis/testing of legacy web applications, and runtime protection of legacy web applications. Finally, we summarize the lessons learned and discuss future research opportunities in this area.
A survey on server-side approaches to securing web applications