Academic Publications
Web Application Security Assessment by Fault Injection and Behavior Monitoring
As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities.
Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.
A Testing Framework for Web Application Security Assessment
The rapid development phases and extremely short turnaround time of Web applications make it difficult to eliminate their vulnerabilities.
Here we study how software testing techniques such as fault injection and runtime monitoring can be applied to Web applications. We implemented our proposed mechanisms in the Web Application Vulnerability and Error Scanner (WAVES) - a black-box testing framework for automated Web application security assessment. Real-world situations are used to test WAVES and to compare it with other tools.
Our results show that WAVES is a feasible platform for assessing Web application security. © 2005 Elsevier B.V. All rights reserved.
Non-Detrimental Web Application Security Scanning
The World Wide Web has become a sophisticated platform capable of delivering a broad range of applications. However, its rapid growth has resulted in numerous security problems that current technologies cannot address. Researchers from both the academic and private sectors are devoting a considerable amount of resources to the development of Web application security scanners (i.e., automated software testing platforms for Web application security auditing), with some success. However, little is known about their potential side effects.
It is possible for an auditing process to induce permanent changes in an application's state. Due to this potential, we have so far avoided large-scale empirical evaluations of our Web Application Vulnerability and Error Scanner (WAVES).
In this paper we introduce a testing methodology that allows for harmless auditing, define three testing modes (heavy, relaxed, and safe), and report our results from two experiments. In the first, we compared the coverage and side effects of the three scanning modes using 5 real-world Web applications chosen from the 38 found vulnerable in a previous static verification effort. In the second, we used the relaxed mode to conduct a 48-hour test involving 1120 random websites, of which 55 were found to be vulnerable.
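The fault-injection and behavior-monitoring loop described in the two WAVES abstracts above, combined with the heavy/relaxed/safe distinction from this abstract, as an added Python example. This is not WAVES code. The target is a constructed in-process application standing in for a live site; its two forms, its SQL error text, and the concrete rule for what each mode is allowed to submit are this example's assumptions (the abstract does not define the modes), as are the two fault payloads.

```python
"""Black-box fault injection with behavior monitoring, in three scanning modes.

Added example, not WAVES code. The target below is a constructed in-process
application; its forms, error text and state are invented for the demo.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Form:
    action: str
    method: str            # "GET" or "POST"
    fields: tuple          # parameter names the crawler discovered


# Constructed forms, as a crawler would have collected them (assumption):
# a read-only search box and a signup form that creates a record when submitted.
FORMS = (
    Form("/search", "GET", ("q",)),
    Form("/signup", "POST", ("user", "email")),
)


class ToyApp:
    """Constructed vulnerable target. Error strings and reflection behavior
    are invented for this example."""

    def __init__(self):
        self.users = []    # persistent state a careless scan can pollute

    def handle(self, form, params):
        if form.action == "/search":
            q = params["q"]
            # Unparameterised SQL: an unbalanced quote breaks the statement.
            if q.count("'") % 2 == 1:
                return 500, "You have an error in your SQL syntax near '" + q
            # Search term reflected into the page without escaping.
            return 200, "<h1>Results for " + q + "</h1>"
        if form.action == "/signup":
            self.users.append(params["user"])   # permanent side effect
            return 200, "<p>Welcome, " + params["user"] + "</p>"
        return 404, ""


# One fault payload per vulnerability class probed (assumed payloads).
FAULTS = {
    "sqli": "waves'",          # unbalanced quote: breaks an unparameterised query
    "xss": "<wavesmarker>",    # inert marker: verbatim reflection means no encoding
}

SQL_ERROR_RE = re.compile(r"error in your SQL syntax|ORA-\d{5}|SQLSTATE", re.I)


def behaviour_indicates(kind, payload, status, body):
    """Behavior monitoring: decide from the response whether the fault took."""
    if kind == "sqli":
        return status >= 500 or bool(SQL_ERROR_RE.search(body))
    if kind == "xss":
        return payload in body
    return False


# Mode rules are this example's assumptions, not the paper's definitions:
# heavy submits every form; relaxed skips POST forms whose action names a
# known state-changing operation; safe submits GET forms only.
STATE_CHANGING = ("signup", "register", "delete", "pay", "order")


def submit_allowed(form, mode):
    if mode == "heavy":
        return True
    if mode == "relaxed":
        return form.method == "GET" or not any(w in form.action for w in STATE_CHANGING)
    if mode == "safe":
        return form.method == "GET"
    raise ValueError("unknown mode " + mode)


def scan(app, forms, mode):
    """Inject each fault into each field of each permitted form.
    Returns findings as (action, field, kind) tuples."""
    findings = []
    for form in forms:
        if not submit_allowed(form, mode):
            continue
        for field in form.fields:
            for kind, payload in FAULTS.items():
                params = {f: "benign" for f in form.fields}
                params[field] = payload
                status, body = app.handle(form, params)
                if behaviour_indicates(kind, payload, status, body):
                    findings.append((form.action, field, kind))
    return findings


if __name__ == "__main__":
    for mode in ("safe", "relaxed", "heavy"):
        app = ToyApp()
        print(mode, scan(app, FORMS, mode), "rows created:", len(app.users))
```

Running all three modes against fresh copies of the toy application shows the trade-off the first experiment measures: safe and relaxed mode find both flaws in the search form and leave the user table empty, while heavy mode additionally finds the reflected marker in the signup form at the cost of four junk rows in the database. The relaxed rule here is a keyword heuristic on the form action, so it can still misclassify a state-changing form whose name gives nothing away.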
Securing Web Application Code by Static Analysis and Runtime Protection
Security remains a major roadblock to universal acceptance of the Web for many kinds of transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities has been attributed to Web application bugs. Many verification tools are discovering previously unknown vulnerabilities in legacy C programs, raising hopes that the same success can be achieved with Web applications.
In this paper, we describe a sound and holistic approach to ensuring Web application security. Viewing Web application vulnerabilities as a secure information flow problem, we created a lattice-based static analysis algorithm derived from type systems and typestate, and addressed its soundness. During the analysis, sections of code considered vulnerable are instrumented with runtime guards, thus securing Web applications in the absence of user intervention.
With sufficient annotations, runtime overhead can be reduced to zero. We also created a tool named WebSSARI (Web application Security by Static Analysis and Runtime Inspection) to test our algorithm, and used it to verify 230 open-source Web application projects on SourceForge.net, which were selected to represent projects of different maturity, popularity, and scale. 69 contained vulnerabilities and their developers were notified.
38 projects acknowledged our findings and stated their plans to provide patches. Our statistics also show that static analysis reduced potential runtime overhead by 98.4%.
Verifying Web Applications Using Bounded Model Checking
The authors describe the use of bounded model checking (BMC) for verifying Web application code. Vulnerable sections of code are patched automatically with runtime guards, allowing both verification and assurance to occur without user intervention. Model checking techniques have higher complexity than the typestate-based polynomial-time algorithm (TS) we adopted in an earlier paper, but they offer three benefits: they provide counterexamples, more precise models, and sound and complete verification. Compared to conventional model checking techniques, BMC offers a more practical approach to verifying programs containing large numbers of variables, but requires fixed program diameters to be complete. Formalizing Web application vulnerabilities as a secure information flow problem with fixed diameter allows BMC to be applied without this drawback. Using BMC-produced counterexamples, errors that result from propagations of the same initial error can be reported as a single group rather than individually.
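The core idea shared by the WebSSARI abstract (vulnerabilities as a secure information flow problem over a lattice, runtime guards inserted only where static analysis cannot prove a sink safe, annotations driving the guard count to zero) and by the last point of the BMC abstract (reporting all errors that propagate from one initial error as a single group), as one added Python example. This is neither WebSSARI's nor the paper's code and it does not do model checking: it is a forward dataflow analysis over a constructed three-address IR whose statement forms are this example's assumptions, not PHP source. Labels are sets of request sources, so the lattice is the powerset lattice ordered by inclusion, with the empty set meaning untainted.

```python
"""Lattice-based taint analysis with runtime guard insertion and grouped reports.

Added example, not WebSSARI code. Works on a constructed three-address IR
(the statement tuples below are assumptions), not on PHP source.
"""

BOTTOM = frozenset()                  # untainted: no request source reaches the value
UNKNOWN = frozenset({"<undefined>"})  # conservative label for a never-assigned variable


def join(a, b):
    """Least upper bound in the powerset lattice of source names."""
    return a | b


# IR statement forms (constructed for this example):
#   ("source", dst, name)      dst = request input `name`, e.g. GET[id]
#   ("const", dst)             dst = program constant
#   ("assign", dst, src)       dst = src
#   ("concat", dst, s1, s2)    dst = s1 . s2
#   ("sanitize", dst, src)     dst = trusted sanitizer(src)
#   ("annotate", var)          developer annotation: var is to be trusted
#   ("sink", var)              var reaches a query, echo, include, ...
#   ("if", then_stmts, else_stmts)

def analyze(stmts, env):
    """Forward dataflow. Returns (env after stmts, instrumented stmts).
    A sink whose argument may carry any source gets ("guard", var, label)
    inserted before it; sinks proven BOTTOM are left unguarded."""
    out = []
    for st in stmts:
        op = st[0]
        if op == "source":
            env[st[1]] = frozenset({st[2]})
        elif op in ("const", "sanitize", "annotate"):
            env[st[1]] = BOTTOM
        elif op == "assign":
            env[st[1]] = env.get(st[2], UNKNOWN)
        elif op == "concat":
            env[st[1]] = join(env.get(st[2], UNKNOWN), env.get(st[3], UNKNOWN))
        elif op == "sink":
            label = env.get(st[1], UNKNOWN)
            if label != BOTTOM:
                out.append(("guard", st[1], label))
        elif op == "if":
            env_t, then_i = analyze(st[1], dict(env))
            env_f, else_i = analyze(st[2], dict(env))
            # Merge point: join per variable over both paths (sound over-approximation).
            for v in set(env_t) | set(env_f):
                env[v] = join(env_t.get(v, UNKNOWN), env_f.get(v, UNKNOWN))
            out.append(("if", then_i, else_i))
            continue
        else:
            raise ValueError("unknown statement " + op)
        out.append(st)
    return env, out


def walk(stmts):
    """Yield statements in program order, descending into branches."""
    for st in stmts:
        if st[0] == "if":
            yield from walk(st[1])
            yield from walk(st[2])
        else:
            yield st


def instrument(program):
    """Return (instrumented program, guards, sinks, fraction of sinks left unguarded)."""
    _, inst = analyze(program, {})
    sinks = sum(1 for st in walk(inst) if st[0] == "sink")
    guards = sum(1 for st in walk(inst) if st[0] == "guard")
    unguarded = (1 - guards / sinks) if sinks else 1.0
    return inst, guards, sinks, unguarded


def group_reports(inst):
    """Group guarded sinks by label, so every sink reached from the same
    initial source(s) is reported once rather than one finding per sink."""
    groups = {}
    for st in walk(inst):
        if st[0] == "guard":
            groups.setdefault(st[2], []).append(st[1])
    return groups


# Constructed sample program (assumption), roughly: two request inputs, one
# raw query, one query mixing both inputs, one sanitized query, one branch.
PROGRAM = [
    ("source", "id", "GET[id]"),
    ("source", "name", "POST[name]"),
    ("const", "tbl"),
    ("concat", "q1", "tbl", "id"),
    ("sink", "q1"),                                    # tainted by GET[id]
    ("concat", "q2", "q1", "name"),
    ("sink", "q2"),                                    # GET[id] and POST[name]
    ("sanitize", "safe_id", "id"),
    ("concat", "q3", "tbl", "safe_id"),
    ("sink", "q3"),                                    # proven clean
    ("if", [("assign", "msg", "id")], [("const", "msg")]),
    ("sink", "msg"),                                   # tainted on one path
    ("sink", "tbl"),                                   # proven clean
]

# Same program with developer annotations declaring both inputs trusted.
ANNOTATED = PROGRAM[:2] + [("annotate", "id"), ("annotate", "name")] + PROGRAM[2:]

if __name__ == "__main__":
    inst, guards, sinks, unguarded = instrument(PROGRAM)
    print(f"{guards} of {sinks} sinks guarded; {unguarded:.0%} need no runtime check")
    for label, vars_ in group_reports(inst).items():
        print(sorted(label), "->", vars_)
    print("with annotations:", instrument(ANNOTATED)[1], "guards")
```

On the sample program three of five sinks receive a guard, and the grouped report collapses the two sinks fed only by `GET[id]` into one finding while the sink fed by both inputs is reported under its own label. With both annotations in place no sink carries a label, so no guard is emitted and the runtime cost of the instrumentation is zero, which is the effect the WebSSARI abstract describes. The analysis defaults never-assigned variables to a non-empty label, so a read of an undefined variable is treated as tainted rather than silently trusted.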