Multi-module vulnerability analysis of web-based applications

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2007, Pages 25-35

  Balzarotti, Davide ^a   Cova, Marco ^a   Felmetsger, Viktoria V ^a   Vigna, Giovanni ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Dynamic analysis; Multi step attacks; Static analysis; Vulnerability analysis; Web applications

Indexed keywords

ANALYSIS APPROACH; APPLICATION LOGIC; APPLICATION MODULE; BACK-END DATABASE; CODE MODULES; CRITICAL ENVIRONMENT; CRITICAL SERVICE; INTER-MODULE; MILITARY SYSTEMS; MULTI-STEP ATTACKS; PROTOTYPE TOOLS; SCRIPTING LANGUAGES; SECURITY PROBLEMS; VULNERABILITY ANALYSIS; WEB APPLICATION; WEB APPLICATION VULNERABILITY; WEB APPLICATIONS; WEB-BASED APPLICATIONS; WEB-BASED ATTACKS;

COMPUTER VIRUSES; DYNAMIC ANALYSIS; JAVA PROGRAMMING LANGUAGE; MANAGEMENT; MILITARY APPLICATIONS; STATIC ANALYSIS; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 49949096891     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1315245.1315250     Document Type: Conference Paper

References (22)

1. A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques, and Tools. Addison-Wesley Longman Publishing Co., Inc., 1986.
2. M. Almgren, H. Debar, and M. Dacier. A Lightweight Tool for Detecting Web Server Attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS), pages 157-170, February 2000.
3. C. Anley. Advanced SQL Injection in SQL Server Applications. Technical report, Next Generation Security Software, Ltd, 2002.
4. Common Vulnerabilities and Exposures. http://www.cve.mitre.org/, 2006.
5. V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation for Java. In Proceedings of the Annual Computer Security Applications Conference (ACSAC'05), pages 303-311, December 2005.
6. W. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the International Conference on Automated Software Engineering (ASE'05), pages 174-183, November 2005.
7. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee, and S.-Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the International World Wide Web Conference (WWW'04), pages 40-52, May 2004.
8. N. Jovanovic, E. Kirda, and C. Kruegel. Preventing Cross Site Request Forgery Attacks. In Proceedings of the IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks (Securecomm), pages 1-10, September 2006.
9. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy, pages 258-263, May 2006. (Pubitemid 44753727)
10. N. Jovanovic, C. Kruegel, and E. Kirda. Precise Alias Analysis for Static Detection of Web Application Vulnerabilities. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS'06), pages 27-36, June 2006. (Pubitemid 44059944)
11. E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A Client-Side Solution for Mitigating Cross Site Scripting Attacks. In Proceedings of the ACM Symposium on Applied Computing (SAC), pages 330-337, April 2006.
12. A. Klein. Cross Site Scripting Explained. Technical report, Sanctum Inc., 2002.
13. C. Kruegel and G. Vigna. Anomaly Detection of Web-based Attacks. In Proceedings of the ACM Conference on Computer and Communication Security (CCS '03), pages 251-261, October 2003.
14. B. Livshits and M. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the USENIX Security Symposium (USENIX'05), pages 271-286, August 2005.
15. A. Nguyen-Tuong, S. Guarnieri, D. Greene, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting. In Proceedings of the International Information Security Conference (SEC'05), pages 372-382, May 2005.
16. T. Pietraszek and C. Vanden Berghe. Defending against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID'05), pages 372-382, 2005.
17. I. Ristic. ModSecurity. http://www.modsecurity.org/, November 2006.
18. D. Scott and R. Sharp. Abstracting Application-Level Web Security. In Proceedings of the International World Wide Web Conference (WWW'02), pages 396-407, May 2002.
19. M. Sharir and A. Pnueli. Two Approaches to Interprocedural Data Flow Analysis. In N. Jones and S. Muchnick, editors, Program Flow Analysis: Theory and Applications, chapter 7. Prentice Hall, 1981.
20. Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. In Proceedings of the Annual Symposium on Principles of Programming Languages (POPL'06), pages 372-382, January 2006.
21. G. Vigna, W. Robertson, V. Kher, and R. A. Kemmerer. A Stateful Intrusion Detection System for World-Wide Web Servers. In Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003), pages 34-43, December 2003.
22. Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the USENIX Security Symposium (USENIX'06), pages 271-286, August 2006.