Yao-Wen Huang
ABSTRACT
As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.
- Aladdin Knowledge Systems. "eSafe Proactive Content Security." http://www.ealaddin.com/Google Scholar
- Apache. "Cross Site Scripting Info." http://httpd.apache.org/info/css-security/Google Scholar
- Armstrong, I. "Mobile Code Stakes its Claim." In: SC Magazine, Cover Story, Nov 2000.Google Scholar
- Auronen, L. "Tool-Based Approach to Assessing Web Application Security." Helsinki University of Technology, Nov 2002.Google Scholar
- W3C. "Document Object Model (DOM)." http://www.w3.org/DOM/Google Scholar
- Anley Chris. "Advanced SQL Injection In SQL Server Applications." An NGSSoftware Insight Security Research (NISR) Publication, 2002.Google Scholar
- Apap, F., Honig, A., Hershkop, S. Eskin E., Stolfo S., "Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses." In: Fifth International Symposium on Recent Advances in Intrusion Detection (Zurich, Switzerland, Oct 2002). Google ScholarDigital Library
- Balzer, R., "Assuring the safety of opening email attachments." In: DARPA Information Survivability Conference & Exposition II, 2, 257--262, 2001.Google ScholarCross Ref
- Benedikt M., Freire J., Godefroid P., "VeriWeb: Automatically Testing Dynamic Web Sites." In: Proceedings of the 11th International Conference on the World Wide Web (Honolulu, Hawaii, May 2002).Google Scholar
- Bergman, M. K. "The Deep Web: Surfacing Hidden Value." Deep Content Whitepaper, 2001.Google Scholar
- Bernaschi, M., Gabrielli, E., Mancini, L.V., "Operating system enhancements to prevent the misuse of system calls." In: Proceedings of the 7th ACM conference on Computer and communications security (Athens, Greece, 2000). Google ScholarDigital Library
- Bowman, C. M., Danzig, P., Hardy, D., Manber, U., Schwartz, M., Wessels, D. "Harvest: A Scalable, Customizable Discovery and Access System." In: Technical Report CU-CS-732-94.", Department of Computer Science, University of Colorado, Boulder, 1995.Google Scholar
- Bowen, T., Segal, M., and Sekar, R. "On preventing intrusions by process behavior monitoring." In: Eighth USENIX Security Symposium (Washington, D.C., Aug 1999). Google ScholarDigital Library
- Brabrand, C., Müller, A., M. I. "The <bigwig> project." ACM Transactions on Internet Technology, 2(2), 79--114, May 2002. Google ScholarDigital Library
- CERT. "CERT" Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests. http://www.cgisecurity.com/articles/xss-faq.shtmlGoogle Scholar
- Cesar Cerrudo. "Manipulating Microsoft SQL Server Using SQL Injection." Whitepaper, 2002.Google Scholar
- CGISecurity. "The Cross Site Scripting FAQ."Google Scholar
- Chen, H., Wagner, D. "MOPS: an Infrastructure for Examining Security Properties of Software." In: ACM conference on computer and communication security (Washington, D.C., Nov 2002). Google ScholarDigital Library
- Cho, J., Garcia-Molina, H. "Parallel Crawlers." In: Proceedings of the 11th International Conference on the World Wide Web (Honolulu, Hawaii, May 2002), 124--135. Google ScholarDigital Library
- Curphey et. al. Mark. "A Guide to Building Secure Web Applications." The Open Web Application Security Project, Sep 2002.Google Scholar
- DHTML Central. HierMenus. http://www.webreference.com/dhtml/hiermenus/Google Scholar
- Di Lucca, G.A.; Di Penta, M.; Antoniol, G.; Casazza, G. "An approach for reverse engineering of web-based applications." In: Proceedings of the Eighth Working Conference on Reverse Engineering (Stuttgart, Germany, Oct 2001), 231--240. Google ScholarDigital Library
- Di Lucca, G.A., Fasolino, A.R., Pace, F., Tramontana, P., De Carlini, U. "WARE: a tool for the reverse engineering of web applications." In: Proceedings of the Sixth European Conference on Software Maintenance and Reengineering (Budapest, Hungary, Mar 2002), 241--250. Google ScholarDigital Library
- Evans D., Larochelle, D. "Improving Security Using Extensible Lightweight Static Analysis." In: IEEE Software, Jan 2002. Google ScholarDigital Library
- Finnigan, P., "SQL Injection and Oracle." SecurityFocus, 2002. http://online.securityfocus.com/infocus/1644Google Scholar
- Finjan Software. "Your Window of Vulnerability - Why Anti-Virus Isn't Enough." http://www.finjan.com/mcrc/overview.cfmGoogle Scholar
- Gold, R. "HttpUnit." http://httpunit.sourceforge.net/Google Scholar
- Hunt, G., Brubacher, D. "Detours: Binary Interception of Win32 Functions." In: USENIX Technical Program - Windows NT Symposium 99, 1999. Google ScholarDigital Library
- Ipeirotis P., Gravano L., "Distributed Search over the Hidden Web: Hierarchical Database Sampling and Selection." In: The 28th International Conference on Very Large Databases (Hong Kong, China, Aug 2002), 394--405. Google ScholarDigital Library
- Joshi, J., Aref, W., Ghafoor, A., Spafford, E. "Security Models for Web-Based Applications." Communications of the ACM, 44(2), 38--44, Feb 2001. Google ScholarDigital Library
- Kaiya, H., Kaijiri, K. "Specifying runtime environments and functionalities of downloadable components under the sandbox model." In: Proceedings of the International Symposium on Principles of Software Evolution (Kanazawa, Japan, Nov 2000), 138--142.Google ScholarCross Ref
- KaVaDo. "Application-Layer Security: InterDo 2.1." KaVaDo Whitepaper, 2001.Google Scholar
- Ko, C., Fraser, T., Badger, L., Kilpatrick, D. "Detecting and Countering System Intrusions Using Software Wrappers." In: Proceedings of the 9th USENIX Security Symposium (Denver, Colorado, Aug 2000). Google ScholarDigital Library
- Liddle, S., Embley, D., Scott, D., Yau, S.H., "Extracting Data Behind Web Forms." In: Proceedings of the Workshop on Conceptual Modeling Approaches for e-Business (Tampere, Finland, Oct 2002).Google Scholar
- Manber, U., Smith, M., Gopal B., "WebGlimpse - Combining Browsing and Searching." In: Proceedings of the USENIX 1997 Annual Technical Conference (Anaheim, California, Jan, 1997). Google ScholarDigital Library
- Meer, H. "SQL Insertion," 2000.Google Scholar
- Microsoft. "Scriptlet Security." Getting Started with Scriptlets, MSDN Library, 1997. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnindhtm/html/instantdhtmlscriptlets.aspGoogle Scholar
- Miller, R. C., Bharat, K. "SPHINX: A Framework for Creating Personal, Site-Specific Web Crawlers." In: Proceedings of the 7th International World Wide Web Conference (Brisbane, Australia, April 1998), 119--130. Google ScholarDigital Library
- Mozilla.org. "Mozilla Layout Engine." http://www.mozilla.org/newlayout/Google Scholar
- Netscape. "JavaScript Security in Communicator 4.x." http://developer.netscape.com/docs/manuals/communicator/jssec/contents.htm#1023448Google Scholar
- Offutt, J. "Quality Attributes of Web Software Applications." IEEE Software, 19(2), 25--32, Mar 2002. Google ScholarDigital Library
- OWASP. "WebScarab Project." http://www.owasp.org/webscarab/Google Scholar
- Pelican Security Inc. "Active Content Security: Risks and Solutions." Pelican Security Whitepaper, 1999.Google Scholar
- Privateer, P., "Making the Net Safe for eBusiness: Solving the Problem of Malicious Internet Mobile Code." In: Proceedings of the eSolutions World 2000 Conference (Philiadelphia, Pennsylvania, Sep 2000).Google Scholar
- Uppuluri, P., Sekar, R. "Experiences with Specification Based Intrusion Detection System." In: Fourth International Symposium on Recent Advances in Intrusion Detection (Davis, California, Oct. 2001). Google ScholarDigital Library
- Raghavan, S., Garcia-Molina, H. "Crawling the Hidden Web." In: Proceedings of the 27th VLDB Conference (Roma, Italy, Sep 2001), 129--138. Google ScholarDigital Library
- Raghavan, S., Garcia-Molina, H. "Crawling the Hidden Web." In: Technical Report 2000-36, Database Group, Computer Science Department, Stanford (Nov 2000).Google Scholar
- Ricca, F., Tonella, P. "Analysis and Testing of Web Applications." In: Proceedings of the 23rd IEEE International Conference on Software Engineering (Toronto, Ontario, Canada, May 2001), 25--34. Google ScholarDigital Library
- Ricca, F., Tonella, P., Baxter, I. D. "Restructuring Web Applications via Transformation Rules." Information and Software Technology, 44(13), 811--825, Oct 2002.Google ScholarCross Ref
- Ricca, F., Tonella, P. "Understanding and Restructuring Web Sites with ReWeb." IEEE Multimedia, 8(2), 40--51, Apr 2001. Google ScholarDigital Library
- Ricca, F., Tonella, P. "Web Application Slicing." In: Proceedings of the IEEE International Conference on Software Maintenance (Florence, Italy, Nov 2001), 148--157. Google ScholarDigital Library
- Ricca, F., Tonella, P. "Web Site Analysis: Structure and Evolution." In: Proceedings of the IEEE International Conference on Software Maintenance (San Jose, California, Oct 2000), 76--86. Google ScholarDigital Library
- Sanctum Inc. "Web Application Security Testing -- AppScan 3.5." http://www.sanctuminc.comGoogle Scholar
- Scott, D., Sharp, R. "Abstracting Application-Level Web Security." In: The 11th International Conference on the World Wide Web (Honolulu, Hawaii, May 2002), 396--407. Google ScholarDigital Library
- Sekar, R., Uppuluri, P., "Synthesizing Fast Intrusion Detection/Prevention Systems from High-Level Specifications." In: USENIX Security Symposium, 1999. Google ScholarDigital Library
- [email protected]. "Larbin -- A Multi-Purpose Web Crawler." http://larbin.sourceforge.net/index-eng.htmlGoogle Scholar
- SecurityGlobal.net. Security Tracker Statistics. Apr 2002 -- Mar 2002. http://securitytracker.com/learn/statistics.htmlGoogle Scholar
- Shkapenyuk, V., Suel, T. "Design and Implementation of a High-Performance Distributed Web Crawler." In: Proceedings of the 18th IEEE International Conference on Data Engineering (San Jose, California, Feb 2002), 357--368. Google ScholarDigital Library
- SPI Dynamics. "Complete Web Application Security: Phase 1"Building Web Application Security into Your Development Process." SPI Dynamics Whitepaper, 2002.Google Scholar
- SPI Dynamics. "SQL Injection: Are Your Web Applications Vulnerable." SPI Dynamics Whitepaper, 2002.Google Scholar
- SPI Dynamics. "Web Application Security Assessment." SPI Dynamics Whitepaper, 2003.Google Scholar
- Tennyson Maxwell Information Systems, Inc. "Teleport Webspiders." http://www.tenmax.com/teleport/home.htmGoogle Scholar
- Tilley, S., Huang, S. "Evaluating the Reverse Engineering Capabilities of Web Tools for Understanding Site Content and Structure: A Case Study." In: Proceedings of the 23rd IEEE International Conference on Software Engineering (Toronto, Ontario, Canada, May 2001), 514--523. Google ScholarDigital Library
- United States Patent and Trademark Office. http://www.uspto.gov/patft/Google Scholar
- Vibert, R., "AV Alternatives: Extending Scanner Range." In: Information Security Magazine, Feb 2001.Google Scholar
- Voas, J., McGraw, G., "Software Fault Injection: Inoculating Programs against Errors." John Wiley & Sons, 47--48, New York, 1997. Google ScholarDigital Library
- WinMerge. "WinMerge: A visual text file differencing and merging tool for Win32 platforms." http://winmerge.sourceforge.netGoogle Scholar
Index Terms
- Web application security assessment by fault injection and behavior monitoring
Recommendations
A testing framework for Web application security assessment
Web securityThe rapid development phases and extremely short turnaround time of Web applications make it difficult to eliminate their vulnerabilities. Here we study how software testing techniques such as fault injection and runtime monitoring can be applied to Web ...
Web Application Security through Comprehensive Vulnerability Assessment
AbstractIn current information era, every small-scale industry, MNC's, Schools, and Colleges utilise Web Applications to promote their organizations and provide services to society. Web Applications have become a simple and vital medium for communicating ...
Faults, Injection Methods, and Fault Attacks
In a fault attack, errors are induced during the computation of a cryptographic algorithm, and the faulty results are exploited to extract information about the secret key in embedded systems. Fault attacks can break an unprotected system more quickly ...
Comments