BLOCK: A Black-bOx approach for detection of state violation attacks towards web applications

ACM International Conference Proceeding Series

Volumn , Issue , 2011, Pages 247-256

  Li, Xiaowei ^a   Xue, Yuan ^a  

^a VANDERBILT UNIVERSITY   (United States)

Author keywords

Black box approach; Invariant; State violation attack; Web application security

Indexed keywords

APPLICATION LOGIC; BLACK BOX APPROACH; DETECTION SYSTEM; GENERAL APPROACH; INVARIANT; RUNTIMES; SCALE-UP; SENSITIVE INFORMATIONS; SOURCE CODES; STATE VIOLATION ATTACK; SYSTEM PROTOTYPE; WEB APPLICATION; WEB APPLICATION SECURITY; WEB REQUESTS;

CODES (SYMBOLS); COMPUTER APPLICATIONS; MATHEMATICAL MODELS; MULTIVARIABLE CONTROL SYSTEMS; SECURITY SYSTEMS; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 84862915304     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2076732.2076767     Document Type: Conference Paper

References (26)

1. M. Almgren, H. Debar, and M. Dacier. A lightweight tool for detecting web server attacks. In Proceedings of the ISOC Symposium on Network and Distributed Systems Security, pages 157-170, 2000.
2. G. Ammons, R. Bodĺłk, and J. R. Larus. Mining specifications. In Symposium on Principles of Programming Languages, volume 37, pages 4-16, 2002. (Pubitemid 35009026)
3. M. Balduzzi, C. Gimenez, D. Balzarotti, and E. Kirda. Automated discovery of parameter pollution vulnerabilities in web applications. In NDSS'11: Proceedings of the 18th Network and Distributed System Security Symposium, 2011.
4. D. Balzarotti, M. Cova, V. V. Felmetsger, and G. Vigna. Multi-module vulnerability analysis of web-based applications. In CCS'07: Proceedings of the 14th ACM conference on Computer and communications security, pages 25-35, 2007.
5. P. Bisht, T. Hinrichs, N. Skrupsky, R. Bobrowicz, and V. N. Venkatakrishnan. NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications. In CCS'10: Proceedings of the 17th ACM conference on Computer and communications security, pages 607-618, 2010.
6. Y. Chen and B. Malin. Detection of anomalous insiders in collaborative environments via relational analysis of access logs. In CODASPY '11: Proceedings of the first ACM conference on Data and application security and privacy, pages 63-74, 2011.
7. M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In RAID'07: Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection, pages 63-86, 2007.
8. X. Ding, H. Huang, Y. Ruan, A. Shaikh, B. Peterson, and X. Zhang. Splitter: a proxy-based approach for post-migration testing of web applications. In EuroSys'10: Proceedings of the 5th European conference on Computer systems, pages 97-110, 2010.
9. M. D. Ernst, J. Cockrell, W. G. Griswold, and D. Notkin. Dynamically discovering likely program invariants to support program evolution. IEEE Transactions on Software Engineering, 27(2):99-123, Feb. 2001. (Pubitemid 32254259)
10. V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward Automated Detection of Logic Vulnerabilities in Web Applications. In USENIX'10: Proceedings of the 19th conference on USENIX Security Symposium, pages 143-160, 2010.
11. K. L. Ingham, A. Somayaji, J. Burge, and S. Forrest. Learning dfa representations of http for protecting web applications. Computer Networks and Isdn Systems, 51:1239-1255, 2007. (Pubitemid 46131444)
12. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In S&P'06: Proceedings of the 27th IEEE Symposium on Security & Privacy, pages 258-263, 2006. (Pubitemid 44753727)
13. C. Kim and K. Shim. Text: Automatic template extraction from heterogeneous web pages. IEEE Trans. Knowl. Data Eng., 23(4):612-626, 2011.
14. T. Kremenek, P. Twohey, G. Back, A. Ng, and D. Engler. From uncertainty to belief: inferring the specification within. In OSDI '06: Proceedings of the 7th symposium on Operating systems design and implementation, pages 161-176, 2006.
15. C. Kruegel and G. Vigna. Anomaly detection of web-based attacks. In CCS'03: Proceedings of the 10th ACM conference on Computer and communications security, pages 251-261, 2003. (Pubitemid 40673807)
16. D. Lorenzoli, L. Mariani, and M. Pezzè. Automatic generation of software behavioral models. In ICSE '08: Proceedings of the 30th international conference on Software engineering, pages 501-510, 2008.
17. OsCommerce Inc. http://www.oscommerce.com/.
18. OWASP WebScarab Project. https://www.owasp.org/index.php/category:owasp webscarab project.
19. D. C. Reis, P. B. Golgher, A. S. Silva, and A. F. Laender. Automatic web news extraction using tree edit distance. In WWW '04: Proceedings of the 13th international conference on World Wide Web, pages 502-511, 2004. (Pubitemid 40752784)
20. R. Sekar. An efficient black-box technique for defeating web application attacks. In NDSS'09: 16th Annual Network and Distributed System Security Symposium, 2009.
21. SeleniumHQ: Web Application Testing System. http://seleniumhq.org/.
22. Symantec internet security threat report 2009. http://www.symantec.com/ business/threatreport/.
23. G. Vigna, W. Robertson, V. Kher, and R. A. Kemmerer. A stateful intrusion detection system for world-wide web servers. In ACSAC'03: Proceedings of the Annual Computer Security Applications Conference, pages 34-43, 2003.
24. Wackopicko. https://github.com/adamdoupe/wackopicko.
25. G. Wassermann and Z. Su. Static detection of cross-site scripting vulnerabilities. In ICSE'08: ACM/IEEE 30th International Conference on Software Engineering, pages 171-180, 2008.
26. J. Yang, D. Evans, D. Bhardwaj, T. Bhat, and M. Das. Perracotta: mining temporal api rules from imperfect traces. In ICSE '06: Proceedings of the 28th international conference on Software engineering, pages 282-291, 2006. (Pubitemid 46600925)