An empirical investigation into open source web applications' implementation vulnerabilities

Empirical Software Engineering

Volumn 15, Issue 5, 2010, Pages 556-576

  Huynh, Toan ^a   Miller, James ^a  

^a UNIVERSITY OF ALBERTA   (Canada)

Author keywords

Classification of vulnerabilities; Empirical evaluation; Injection; Security; Vulnerability; Web applications

Indexed keywords

COMMON PROPERTY; DATA FLOW; EMPIRICAL EVALUATIONS; EMPIRICAL INVESTIGATION; EXTERNAL SYSTEMS; GOAL-QUESTION-METRIC APPROACH; LINES OF CODE; OPEN SOURCES; SECURITY VULNERABILITIES; SOURCE CODES; WEB APPLICATION; WEB APPLICATION VULNERABILITY;

WORLD WIDE WEB;

SECURITY OF DATA;

EID: 77954759796     PISSN: 13823256     EISSN: 15737616     Source Type: Journal    
DOI: 10.1007/s10664-010-9131-y     Document Type: Article

References (32)

1. Agrawal H, Horgan JR (1990) Dynamic program slicing. Proceedings of the ACM SIGPLAN'90 Conference on Programming Language Design and Implementation, New York, USA, pp 246-256.
2. Alhazmi OH, Malaiya YK, Ray I (2007) Measuring, analyzing and predicting security vulnerabilities in software systems. Comput Secur J 26(3):219-228.
3. Basili V, Caldeira G, Rombach HD (1994) The goal question metric approach. Encyclopedia of Software Engineering, Wiley.
4. Baskerville R, Pries-Heje J (2004) Short cycle time systems development. Inf Syst J 14(3):237-264.
5. Boyd SW, Keromytis AD (2004) SQLrand: preventing SQL injection attacks. In Proc. of the 2nd Applied Cryptography and Network Security Conf. (ACNS '04), Yellow Mountain, China pp 292-302.
6. Buehrer GT, Weide BW, Sivilotti PAG (2005) Using parse tree validation to prevent SQL injection attacks. In Proc. of the 5th Intl. Workshop on Software Engineering and Middleware (SEM '05), Lisbon, Portugal, pp 106-113.
7. Cova M, Balzarotti D, Felmetsger V, Vigna G (2007) Swaddler: an approach for the anomaly-based detection of State violations in web applications, Recent Advance in Intrusion Detection (RAID), pp 63-86.
8. Denning DE, Denning PJ (1997) Certification of programs for secure information flow. Commun ACM 20:504-513, New York, USA, ACM.
9. Halfond WG, Orso A (2005) AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In Proceedings of 20th ACM International Conference on Automated Software Engineering (ASE), Long Beach, CA, USA, pp 174-183.
10. Halfond WG, Orso A, Manolios P (2006) Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In Proceedings of the 14th ACM SIGSOFT international Symposium on Foundations of Software Engineering, Portland, Oregon, USA, pp 175-185.
11. Halfond WGJ, Orso A, Manolios P (2008) WASP: protecting web applications using positive tainting and syntax-aware evaluation. IEEE Trans Softw Eng 34(1):65-81.
12. Huang YW, Yu F, Hang C, Tsai CH, Lee DT, Kuo SY (2004) Securing web application code by static analysis and runtime protection, in WWW '04: Proceedings of the 13th International Conference on World Wide Web. New York, NY, USA: ACM Press, pp 40-52.
13. Liu A, Yuan Y, Wijesekera D, Stavrou A (2009) SQLProb: a proxy-based architecture towards preventing SQL injection attacks. Proceedings of the 2009 ACM symposium on Applied Computing, Honolulu, Hawaii, pp 2054-2061.
14. Johnson R, Wagner D (2004) Finding user/kernel pointer bugs with type inference. In Proceedings of the 2004 Usenix Security Conference, San Diego, CA, USA, pp 119-134.
15. Jovanovic N, Kruegel C, Kirda E (2006) Pixy: a static analysis tool for detecting web application vulnerabilities. In 2006 IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, USA, pp 258-263. (Pubitemid 44753727)
16. Kals S, Kirda E, Kruegel C, Jovanovic N (2006) SecuBat: a web vulnerability scanner. The 15th International World Wide Web Conference (WWW 2006), Edinburgh, Scotland, pp 247-256.
17. Kiezun A, Guo PJ, Jayaraman K, Ernst MD (2008) Automatic creation of SQL injection and cross-site scripting attacks. Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, Vancouver, British Columbia, Canada, pp 199-209.
18. Lin J-C, Chen J-M (2006) An automatic revised tool for anti-malicious injection. Sixth IEEE International Conference on Computer and Information Technology (CIT'06), Seoul, South Korea, pp 164-170.
19. Martin M, Lam M (2008) Automatic generation of XSS and SQL injection attacks with goal-directed model checking. Proceedings of the 17th conference on Security symposium, San Jose, CA, pp 31-43.
20. Martin M, Livshits B, Lam MS (2005) Finding application errors and security flaws using PQL: a program query language. In OOPSLA '05: Proc. of the 20th Annual ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications, San Diego, CA, USA, pp 365-383.
21. Nguyen-Tuong A, Guarnieri S, Greene D, Shirley J, Evans D (2005) Automatically hardening web applications using precise tainting. In Proceedings of the 20th IFIP International Information Security Conference, Chiba, Japan, pp 372-382.
22. OWASP (2007) Top 10 2007. http://www.owasp.org/index.php/Top-10-2007, last accessed June 29, 2009.
23. Pietraszek T, Berghe CV (2005) Defending against injection attacks through context-sensitive string evaluation. In Proceedings of Recent Advances in Intrusion Detection (RAID2005), Seattle, Washington, USA, pp 124-145.
24. Rapid7 (2005) Vulnerability management trends. (2)1-9.
25. Scambray J, Shema M, Sima C (2006) Hacking exposed: web applications second edition. McGraw-Hill, San Francisco.
26. Scott D, Sharp R (2002) Abstracting application-level web security. In Proc. of the 11th Intl. Conference on the World Wide Web (WWW 2002), Honolulu, Hawaii, USA, pp 396-407.
27. Shankar U, Talwar K, Foster JS, Wagner D (2001) Detecting format string vulnerabilities with type qualifiers. In 10th USENIX Security Symposium, Washington, D.C., pp 201-220.
28. Su Z, Wassermann G (2006) The essence of command injection attacks in web applications. In The 33rd Annual Symposium on Principles of Programming Languages, Charleston, South Carolina, USA, pp 372-382.
29. Swiderski F, Snyder W (2004) Threat modeling. Microsoft Press, Redmond.
30. Tip F (1995) A survey of program slicing techniques. J Program Lang 3(3):121-189.
31. Weiser M (1984) Program slicing. IEEE Trans Softw Eng SE-10(4):352-357.
32. Zhang X, Edwards A, Jaeger T (2002) Using CQual for static analysis of authorization hook placement. In the Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, pp 33-48.