ABSTRACT
As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.