Web application security assessment by fault injection and behavior monitoring
Full text: PDF (4.53 MB)
Source: International World Wide Web Conference archive
Proceedings of the twelfth international conference on World Wide Web
Budapest, Hungary
Session: Data integrity
Pages: 148-159
Year of Publication: 2003
ISBN: 1-58113-680-3
Authors:
Yao-Wen Huang, Academia Sinica, Taipei, Taiwan
Shih-Kun Huang, Academia Sinica, Taipei, Taiwan
Tsung-Po Lin, Academia Sinica, Taipei, Taiwan
Chung-Hung Tsai, National Chiao Tung University, Taiwan
Sponsor: ACM, Association for Computing Machinery
Publisher: ACM Press, New York, NY, USA
DOI: http://doi.acm.org/10.1145/775152.775174

ABSTRACT

As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.

