Vulnerability & attack injection for web applications

Proceedings of the International Conference on Dependable Systems and Networks

Volumn , Issue , 2009, Pages 93-102

  Fonseca, José ^a   Vieira, Marco ^a   Madeira, Henrique ^a  

^a UNIVERSITY OF COIMBRA   (Portugal)

Author keywords

[No Author keywords available]

Indexed keywords

FALSE POSITIVE; FIELD STUDIES; INTRUSION DETECTION SYSTEMS; SECURITY MECHANISM; SQL INJECTION; WEB APPLICATION; WEB APPLICATION VULNERABILITY;

COMPUTER CRIME; INTRUSION DETECTION; NETWORK SECURITY; WORLD WIDE WEB;

EXPERIMENTS;

EID: 70450078118     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/DSN.2009.5270349     Document Type: Conference Paper

References (33)

1. Christey, S., Martin, R., "Vulnerability Type Distributions in CVE", Mitre report, May, 2007
2. Zanero, S., Carettoni, L., Zanchetta, M., "Automatic Detection of Web Application Security Flaws", Black Hat Briefings, 2005
3. Jovanovic, N., Kruegel, C., Kirda, E., "Precise Alias Analysis for Static Detection of Web Application Vulnerabilities", IEEE Symp. on Security and Privacy, 2006
4. Stock, A., Williams, J., Wichers, D., "OWASP top 10", OWASP Foundation, July, 2007
5. Christey, S., "Unforgivable Vulnerabilities", The MITRE Corporation, Black Hat Briefings, August 2007
6. Vnunet, August, 2007, http://www.vnunet.com/vnunet/news/2197408/ monsterkeptbreach-secret-five
7. NTA, May, 2007, http://www.ntamonitor.com/posts/2007/05/ annualsecurityreport.html
8. Powell, D., Stroud, R., "Conceptual Model and Architecture of MAFTIA", Project MAFTIA, deliverable D21, 2003
9. Neves, N., Antunes, J., Correia, M., Veríssimo, P., Neves R., "Using Attack Injection to Discover New Vulnerabilities", IEEE/IFIP International Conference on Dependable Systems and Networks, 2006
10. Fonseca, J., Vieira, M., "Mapping Software Faults with Web Security Vulnerabilities", IEEE/IFIP Int. Conference on Dependable Systems and Networks, June 2008
11. Fonseca, J., Vieira, M., Madeira, H., "Training Security Assurance Teams using Vulnerability Injection", IEEE Pacific Rim Dependable Computing conference, December 2008
12. McConnell, S., "Gauging Software Readiness with Defect Tracking". Software, IEEE, 1997
13. Arlat, J., Costes, A., Crouzet, Y., Laprie, J.-C., Powell, D., "Fault injection and dependability evaluation of fault-tolerant systems", IEEE Trans. on Computers, 42(8):913.923, August, 1993
14. Iyer, R., "Experimental Evaluation", Special Issue FTCS-25 Silver Jubilee, IEEE Symp. on Fault Tolerant Computing, pp. 115-132, 1995
15. Carreira, J., Madeira, H., Silva, J. G., "Xception: Software Fault Injection and Monitoring in Processor Functional Units", IEEE Trans. on Software Engineering, vol. 24, no. 2, February 1998
16. Stott, D.T., Floering, B., Burke, D., Kalbarczpk, Z., Iyer, R.K., "NFTAPE: a framework for assessing dependability in distributed systems with lightweight fault injectors", Computer Performance and Dependability Symp., 2000
17. Christmansson, J., Chillarege, R. "Generation of an Error Set that Emulates Software Faults". IEEE Fault Tolerant Computing Symp. - FCTS-26, 1996
18. Madeira, H. Vieira, M., Costa, D. "On the Emulation of Software Faults by Software Fault Injection.", IEEE/IFIP Int. Conf. on Dependable System and Networks, 2000
19. Durães, J., Madeira, H., "Emulation of Software Faults: A Field Data Study and a Practical Approach", IEEE Trans. on Software Engineering, Vol. 32, No. 11, November 2006
20. Fonseca, J., Vieira, M., Madeira, H., "Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks", IEEE Pacific Rim International Symposium on Dependable Computing, December 2007
21. Sam NG. CISA, CISSP. SQLBlock.com, www.owasp.org/images/7/7d/Advanced- Topics-on-SQL-Injection-Protection.ppt, 2006
22. Cgisecurity.net, December 2008, http://www.cgisecurity.com/articles/csrf- faq.shtml#whatis
23. SANS Institute, January, 2008, http://isc.sans.org/diary.html?storyid= 3823
24. Web Application Security Consortium, August, 2008, http://www.webappsec. org/lists/websecurity/archive/2008-08/msg00084.html
25. The PHP Group, December, 2007, http://pt.php.net/
26. Halfond, W., Viegas, J., Orso, A., "A Classification of SQL Injection Attacks and Countermeasures", Int. Symp. on Secure Software Engineering, 2006
27. Buehrer, G., Weide, B., Sivilotti, P., "Using Parse Tree Validation to Prevent SQL Injection Attacks", International Workshop on Software Egineering and Middleware, 2005
28. TikiWiki, December, 2008, http://tikiwiki.org/
29. phpBB, December, 2008, http://www.phpbb.com/
30. Java-source.net, 2008, http://java-source.net/opensource/crawlers
31. Fonseca, J., Vieira, M., Madeira, H., "Detecting Malicious SQL", Int. Conference on Trust, Privacy & Security in Digital Business, September, 2007
32. SPI Dynamics Inc., May, 2008, http://www.spydynamics.com/products/ webinspect/
33. Watchfire Corporation, 2008, http://www.watchfire.com