Quo vadis? A study of the evolution of input validation vulnerabilities in web applications

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 7035 LNCS, Issue , 2012, Pages 284-298

  Scholte, Theodoor ^a   Balzarotti, Davide ^b   Kirda, Engin ^b,c  

^a SAP RESEARCH   (France)

^b EURECOM   (France)

^c NORTHEASTERN UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

APPLICATION DEVELOPERS; APPLICATION PLATFORMS; AWARENESS PROGRAM; DAILY LIVES; EMPIRICAL ANALYSIS; FINANCIAL TRANSACTIONS; INPUT VALIDATION; INTERNET ATTACKS; WEB APPLICATION; WEB SECURITY;

CRYPTOGRAPHY; NETWORK SECURITY;

WORLD WIDE WEB;

EID: 84857087304     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-27576-0_24     Document Type: Conference Paper

References (36)

1. Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side xss filters. In: WWW 2010: Proceedings of the 19th International Conference on World Wide Web, pp. 91-100. ACM, New York (2010)
2. Christey, S.M., Martin, R.A.: Vulnerability type distributions in cve (2007), http://cwe.mitre.org/documents/vuln-trends/index.html
3. Clark, S., Frei, S., Blaze, M., Smith, J.: Familiarity breeds contempt: The honeymoon effect and the role of legacy code in zero-day vulnerabilities. In: Annual Computer Security Applications Conference (2010)
4. Dhamankar, R., Dausin, M., Eisenbarth, M., King, J.: The top cyber security risks (2009), http://www.sans.org/top-cyber-security-risks/
5. Frei, S., May, M., Fiedler, U., Plattner, B.: Large-scale vulnerability analysis. In: LSAD 2006: Proceedings of the 2006 SIGCOMM Workshop on Large-Scale Attack Defense, pp. 131-138. ACM, New York (2006)
6. Microsoft Inc. Msdn code analysis team blog (2010), http://blogs.msdn. com/b/codeanalysis/
7. Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: WWW 2007: Proceedings of the 16th International Conference on World Wide Web, pp. 601-610. ACM, New York (2007)
8. Johns, M., Beyerlein, C., Giesecke, R., Posegga, J.: Secure Code Generation for Web Applications. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 96-113. Springer, Heidelberg (2010)
9. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In: SP 2006: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 258-263. IEEE Computer Society, Washington, DC (2006)
10. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: SAC 2006: Proceedings of the 2006 ACM Symposium on Applied Computing, pp. 330-337. ACM, New York (2006)
11. Kouns, J., Todd, K., Martin, B., Shettler, D., Tornio, S., Ingram, C., McDonald, P.: The open source vulnerability database (2010), http://osvdb.org/
12. Li, Z., Tan, L., Wang, X., Lu, S., Zhou, Y., Zhai, C.: Have things changed now?: an empirical study of bug characteristics in modern open source software. In: ASID 2006: Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability, pp. 25-33. ACM, New York (2006)
13. Livshits, B., Erlingsson, Ú.: Using web application construction frameworks to protect against code injection attacks. In: PLAS 2007: Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security, pp. 95-104. ACM, New York (2007)
14. Livshits, V.B., Lam, M.S.: Finding security errors in Java programs with static analysis. In: Proceedings of the 14th Usenix Security Symposium, pp. 271-286 (August 2005)
15. Martin, B., Brown, M., Paller, A., Kirby, D.: 2010 cwe/sans top 25 most dangerous software errors (2010), http://cwe.mitre.org/top25/
16. Mavituna, F.: Sql injection cheat sheet (2009), http://ferruh.mavituna. com/sql-injection-cheatsheet-oku/
17. Mell, P., Scarfone, K., Romanosky, S.: A complete guide to the common vulnerability scoring system version 2.0 (2007), http://www.first.org/cvss/cvss- guide.html
18. MITRE. Common platform enumeration, cpe (2010), http://cpe.mitre.org/
19. MITRE. Common vulnerabilities and exposures, cve (2010), http://cve.mitre.org/
20. MITRE. Common weakness enumeration, cwe (2010), http://cwe.mitre.org/
21. MITRE. Mitre faqs (2010), http://cve.mitre.org/about/faqs.html
22. Neuhaus, S., Zimmermann, T.: Security trend analysis with cve topic models. In: Proceedings of the 21st IEEE International Symposium on Software Reliability Engineering (November 2010)
23. Newsome, J., Song, D.X.: Dynamic taint analysis for automatic detection, analysis, and signaturegeneration of exploits on commodity software. In: NDSS. The Internet Society (2005)
24. Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting. In: SEC 2005, pp. 295-308. Springer, Heidelberg (2005)
25. Computer Security Division of National Institute of Standards and Technology. National vulnerability database version 2.2 (2010), http://nvd.nist.gov/
26. Ozment, A., Schechter, S.E.: Milk or wine: does software security improve with age? In: USENIX-SS 2006: Proceedings of the 15th Conference on USENIX Security Symposium. USENIX Association, Berkeley (2006)
27. Pietraszek, T., Berghe, C.V.: Defending Against Injection Attacks Through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124-145. Springer, Heidelberg (2006) (Pubitemid 43973725)
28. The Open Web Application Security Project. Owasp top 10 - 2010, the ten most critical web application security risks (2010)
29. Robertson, W., Vigna, G.: Static enforcement of web application integrity through strong typing. In: Proceedings of the 18th Conference on USENIX Security Symposium, pp. 283-298. USENIX Association (2009)
30. RSnake. Xss (cross site scripting) cheat sheet esp: for filter evasion (2009), http://ha.ckers.org/xss.html
31. Vikram, K., Prateek, A., Livshits, B.: Ripley: automatically securing web 2.0 applications through replicated execution. In: CCS 2009: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 173-186. ACM, New York (2009)
32. Vogt, P., Nentwich, F., Jovanovic, N., Kruegel, C., Kirda, E., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: In Proceedings of 14th Annual Network and Distributed System Security Symposium, NDSS 2007 (2007)
33. Wassermann, G., Su, Z.: Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. In: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation. ACM Press, New York (2007)
34. Wassermann, G., Su, Z.: Static Detection of Cross-Site Scripting Vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, Leipzig, Germany. ACM, New York (2008) (in press)
35. Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX-SS 2006: Proceedings of the 15th Conference on USENIX Security Symposium. USENIX Association, Berkeley (2006)
36. Yu, D., Chander, A., Inamura, H., Serikov, I.: Better abstractions for secure serverside scripting. In: WWW 2008: Proceeding of the 17th International Conference on World Wide Web, pp. 507-516. ACM, New York (2008)