Position paper: Why are there so many vulnerabilities in web applications?

Proceedings New Security Paradigms Workshop

Volumn , Issue , 2011, Pages 83-93

  Du, Wenliang ^a   Jayaraman, Karthick ^a   Tan, Xi ^a   Luo, Tongbo ^a   Chapin, Steve ^a  

^a Syracuse University   (United States)

Author keywords

access control; browser; web security; web server

Indexed keywords

BROWSER; ERROR PRONES; IN-DEPTH ANALYSIS; POSITION PAPERS; PROTECTION LOGIC; SECURITY PROBLEMS; SECURITY PROPERTIES; TRUSTED COMPUTING BASE; WEB APPLICATION; WEB INFRASTRUCTURE; WEB SECURITY; WEB SERVERS;

ACCESS CONTROL;

WORLD WIDE WEB;

EID: 84855668211     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2073276.2073285     Document Type: Conference Paper

References (31)

1. Caja. http://code.google.com/p/google-caja/.
2. Spring Security. http://static.springsource.org/spring-security/site/.
3. A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In CCS '08: Proceedings of the 15th ACM conference on Computer and communications security, pages 75-88, New York, NY, USA, 2008. ACM.
4. P. Bisht and V. Venkatakrishnan. XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks . In DIMVA 2008.
5. K. Donald, E. Vervaet, and R. Stoyanchev. Spring Web Flow - Reference documentation. http://static.springsource.org/spring-webflow/docs/1.0.x/ reference/index.html, 2007.
6. W. Du, X. Tan, T. Luo, K. Jayaraman, and Z. Zhu. Re-designing the web's access control system (invited talk). In Proceedings of the 25th Annual WG 11.3 Conference on Data and Applications Security and Privacy, Richmond, Virgina USA, July 11-13 2011.
7. T. Duong and J. Rizzo. Cryptography in the web: The case of cryptographic design flaws in asp.net. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP '11, Washington, DC, USA, 2011. IEEE Computer Society.
8. M. Finifter, J. Weinberger, and A. Barth. Preventing capability leaks in secure javascript subsets. In Proc. of Network and Distributed System Security Symposium, 2010.
9. M. V. Gundy and H. Chen. Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2009.
10. K. Jayaraman, W. Du, B. Rajagopalan, and S. J. Chapin. Escudo: A fine-grained protection model for web browsers. In Proceedings of the 30th International Conference on Distributed Computing Systems (ICDCS), Genoa, Italy, June 21-25 2010.
11. K. Jayaraman, G. Lewandowski, P. G. Talaga, and S. J. Chapin. Enforcing request integrity in web applications. In Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy, DBSec'10, pages 225-240, Berlin, Heidelberg, 2010. Springer-Verlag.
12. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW 2007.
13. M. Johns and J. Winter. RequestRodeo: Client-side protection against session riding. In F. Piessens, editor, Proceedings of the OWASP Europe 2006 Conference, refereed papers track, Report CW448, pages 5-17, May 2006.
14. N. Jovanovic, E. Kirda, and C. Kruegel. Preventing cross site request forgery attacks. In In Proceedings of the Second IEEE Conference on Security and Privacy in Communications Networks (SecureComm), pages 1-10, 2006.
15. F. Kerschbaum. Simple cross-site attack prevention. In SecureComm 2007.
16. D. M. KIENZLE and M. C. ELDER. Final Technical Report: Security Patterns for Web Application Development. http://www.scrypt.net/~celer/securitypatterns/ finalreport.pdf, 2002.
17. E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: a client-side solution for mitigating cross-site scripting attacks. In ACM SAC 2006.
18. M. Kolsek. Session Fixation Vulnerabilities in Web-based Applications. http://www.acrossecurity.com/papers/session-fixation.pdf.
19. T. Luo and W. Du. Contego: Capability-based access control for web browsers. In Proceedings of the 4th International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, June 22-25 2011.
20. L. A. Meyerovich and V. B. Livshits. Conscript: Specifying and enforcing fine-grained security policies for javascript in the browser. In IEEE Symposium on Security and Privacy, pages 481-496, 2010.
21. Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust basis for cross-site scripting defense. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2009.
22. G. Ollmann. Web Based Session Management: Best Practices in Managing HTTP Based Client Sessions. http://www.technicalinfo.net/papers/ WebBasedSessionManagement.html.
23. OWASP. The ten most critical web application security risks. http://www.owasp.org/index.php/File:OWASP-T10---2010-rc1.pdf, 2010.
24. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In RAID 2005.
25. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 1975.
26. X. Tan, W. Du, T. Luo, and K. D. Soundararaj. Scuta: A server-side access control system for web applications. Technical Report SYR-EECS-2011-09, Syracuse University - Department of Electrical Engineering & Computer Science, July 2011.
27. A. Vance. Times web ads show security breach. http://www.nytimes.com/ 2009/09/15/technology/internet/15adco.html.
28. K. Vikram, A. Prateek, and B. Livshits. Ripley: automatically securing web 2.0 applications through replicated execution. In Proceedings of the 16th ACM conference on Computer and communications security, CCS '09, pages 173-186, New York, NY, USA, 2009. ACM.
29. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In NDSS 2007.
30. WhiteHat Security. Whitehat website security statistic report, 10th edition, 2010.
31. M. Zalewski. Cross-site cooking. URL: http://www.securityfocus.com/ archive/107/423375/30/0/threaded, 2006.