Web application attack prevention for tiered internet services

Proceedings - The 4th International Symposium on Information Assurance and Security, IAS 2008

Volumn , Issue , 2008, Pages 186-191

  Nanda, Susanta ^a   Lam, Lap Chung ^a   Chiueh, Tzi Cker ^b  

^a Stony Brook University

^b SYMANTEC RESEARCH LABS   (United States)

Author keywords

Cross site scripting; Dynamic checking compiler; Information flow tracking; SQL injection; Taint analysis; Web application security

Indexed keywords

CROSS-SITE SCRIPTING; DYNAMIC CHECKING COMPILER; INFORMATION FLOW TRACKING; SQL INJECTION; TAINT ANALYSIS; WEB APPLICATION SECURITY;

INTERNET; MARKUP LANGUAGES; NETWORK SECURITY; PROGRAM COMPILERS; WORLD WIDE WEB;

APPLICATIONS;

EID: 55349097140     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/IAS.2008.62     Document Type: Conference Paper

References (25)

1. Nessus vulnerability scanner. http://www.nessus.org/.
2. Nikto web server scanner. http://www.cirt.net/code/nikto.shtml.
3. Open source web application firewall. http://www.modsecurity.org/.
4. Reusing mshtml. MSDN Library, Microsoft Corporation.
5. Web application firewall. http://www.cgisecurity.com/questions/ webappfirewall.shtml.
6. Whisker: a next-generation cgi scanner. http://www.securiteam.com/tools/ 3R5QHQAPPY.html.
7. Xss (cross site scripting) cheat sheet. http://ha.ckers.org/xss.html.
8. Document object model (dom) level 1 specification. W3C Recommendation, Technical Report REC-DOM-Level-1-19981001, 1998.
9. C. Anley. Advanced sql injection. An NGSSoftware Insight Security Research (NISR) Publication, June 2002.
10. W Bellamy. Hypertext transfer protocol (http) header exploitation. http://www.cgisecurity.com/lib/bill/William_Bellamy_GCIH.html, September 2002.
11. L. chung Lam and T. cker Chiueh. A general dynamic information flow tracking framework for security applications. In Proceedings of 22st Annual Computer Security Applications Conference (ACSAC 2006), December 2006.
12. J. R. Crandall and F. T. Chong. Minos: Control data attack prevention orthogonal to memory model, in 37th Annual International Symposium on Microarchitecture, pages 221-232, December 2004.
13. P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazires, F. Kaashoek, and R. Morris. Labels and event processes in the asbestos operating system. In Proceedings of the 20th ACM Symposium on Operating Systems Principles, pages 17-30, October 2005.
14. D. Mosberger and T. Jin. httperf: A tool for measuring web server performance, In Internet Server Performance Workshop, pages 59-67, June 1998.
15. N. Nethercote and J. Seward. Valgrind: A program supervision framework. In Proceedings of the Third Workshop on Runtime Verification (RV'03), July 2003.
16. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 2005), February 2005.
17. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, andD. Evans. Automatically hardening web applications using precise tainting. 20th IFIP International Information Security Conference (SEC 2005), 30 May- 1 June 2005.
18. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection 2005 (RAID), 2005.
19. J. Rafail. Cross-site scripting vulnerabilities. CERT Advisory Archieves.
20. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In Proceedings of POPL'06, January 11-13 2006.
21. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 85-96, October 2004.
22. US-CERT. National vulnerability database: A comprehensive cyber vulnerability resource, http://nvd.nist.gov/nvd.cfm?startrow=21.
23. W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. 15th USENIX Security Symposium, August 2006.
24. A. Yumerefendi, B. Mickle, and L. P. Cox. Tightlip: Keeping applications from spilling the beans. Duke University Techinical Report CS-2006-07, April 2006.
25. J. Zucker. Sql::statement - sql parsing and processing engine. http://cpan.uwinnipeg.ca/htdocs/SQL-Statement/SQL/Statement.html.