Web malware that targets web applications

Social Network Engineering for Secure Web Data and Services

Volumn , Issue , 2013, Pages 248-264

  Alazab, Ammar ^a   Abawajy, Jemal ^a   Hobbs, Michael ^a  

^a DEAKIN UNIVERSITY   (Australia)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER CRIME; ELECTRONIC COMMERCE; GOVERNMENT DATA PROCESSING; INTRUSION DETECTION; NETWORK SECURITY; QUERY LANGUAGES; WEBSITES;

E-GOVERNMENTS; FINANCIAL GAINS; FINANCIAL SECTORS; INTRUSION DETECTION SYSTEMS; MEDICAL DATA; SOCIAL MEDIA NETWORKS; STRUCTURE QUERY LANGUAGES; WEB APPLICATION;

MALWARE;

EID: 84893435715     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.4018/978-1-4666-3926-3.ch012     Document Type: Chapter

References (34)

1. Anderson, R., & Moore, T. (2007). Information security economics-And beyond. Advances in Cryptology-CRYPTO, 2007, 68-91.
2. Bandhakavi, S., Bisht, P., Madhusudan, P., & Venkatakrishnan, V. (2007). CANDID: Preventing sql injection attacks using dynamic candidate evaluations. ACM Conference on Computer and Communications Security (pp. 12-24).
3. Barnes, K., Marateo, R. C., & Ferris, S. P. (2007). Teaching and learning with the net generation. Innovate Journal of Online Education, 3(4).
4. Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., & Wang, L. (2010, 17-19 August). On the analysis of the Zeus botnet crimeware toolkit. Paper presented at the Privacy Security and Trust (PST).
5. Bisht, P., Madhusudan, P., & Venkatakrishnan, V. (2010). CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Transactions on Information and System Security, 13(2), 1-39. doi:10.1145/1698750.1698754.
6. Buehrer, G., Weide, B. W., & Sivilotti, P. A. G. (2005). Using parse tree validation to prevent SQL injection attacks. Paper presented at the Proceedings of the 5th international workshop on Software engineering and middleware. Lisbon, Portugal.
7. Corporation, M. (2010). Common vulnerabilities and exposures. Retrieved April, 2011, from http://cve.mitre.org/.
8. Gould, C., Su, Z., & Devanbu, P. (2004). JDBC checker: A static analysis tool for SQL/JDBC applications. In Proceedings of the 26th International Conference on Software Engineering.
9. Halfond, W. G. J., & Orso, A. (2006). Preventing SQL injection attacks using AMNESIA. In Proceedings of the 28th International Conference on Software Engineering.
10. Halfond, W. G. J., Orso, A., & Manolios, P. (2006). Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering.
11. Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., & Kuo, S.-Y. (2004). Securing web application code by static analysis and runtime protection. Paper presented at the Proceedings of the 13th international conference on World Wide Web, New York, NY, USA.
12. IndraniBalasundaram, & Ramaraj. (2011). An approach to detect and prevent SQL injection attacks in database using web service. International Journal of Computer Science and Network Security, 11, 197-205.
13. Jie, W., Phan, R. C. W., Whitley, J. N., & Parish, D. J. (2010). Research on Multi-Level Security Framework for OpenID. In Third International Symposium on Electronic Commerce and Security.
14. Kramer, S., & Bradfield, J. C. (2010). A general definition of malware. Journal in Computer Virology, 6(2), 105-114. doi:10.1007/s11416-009-0137-1.
15. Martin, M., Livshits, B., & Lam, M. S. (2005). Finding application errors and security flaws using PQL: A program query language. ACM SIGPLAN Notices, 40(10), 365-383. doi:10.1145/1103845.1094840.
16. th International Conference on Software Engineering.
17. Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., & Evans, D. (2005). Automatically hardening web applications using precise tainting. Security and Privacy in the Age of Ubiquitous Computing, 295-307.
18. OWASP. (2010). The top 10 most critical web application security risks. Retrieved April 2011, from owasp.org.
19. Peng, C. S., Chen, S. K., Chung, J. Y., Roy-Chowdhury, A., & Srinivasan, V. (2010). Accessing existing business data from the World Wide Web. IBM Systems Journal, 37(1), 115-132. doi:10.1147/sj.371.0115.
20. Pietraszek, T., & Berghe, C. (2006). Defending against injection attacks through contextsensitive string evaluation. In Valdes, A., & Zamboni, D. (Eds.), Recent advances in intrusion detection (Vol. 3858, pp. 124-145). Springer. doi:10.1007/11663812_7.
21. RSA. (2011). The current state of cybercrime and what to expect in 2011. USA: EMC corporation.
22. Su, Z., & Wassermann, G. (2006). The essence of command injection attacks in web applications. Paper presented at the Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages. Charleston, South Carolina, USA.
23. Torrano-Gimenez, C., Perez-Villegas, A., & Alvarez, G. (2010). WASAT-A new web authorization security analysis tool. Web Application Security, 39-49.
24. Trend Micro. (2009). 2009's most persistent malware threats. Retrieved February 3, 2011, from http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/2009s_most_ persistent_malware_threats__march_2010_.pdf.
25. Trusteer. (2009). Banking malware Zeus sucessfully bypasses anti-virus detection. Retrieved March, 2011, from http://www.ecommerce-journal.com/news/18221_zeus_increasingly_avoids_pcs_detection.
26. Valeur, F., Mutz, D., & Vigna, G. (2005). A learning-based approach to the detection of SQL attacks. In Julisch, K., & Kruegel, C. (Eds.), Detection of intrusions and malware, and vulnerability assessment (Vol. 3548, pp. 533-546). Springer. doi:10.1007/11506881_8.
27. Valli, C., & Brand, M. (2008). The malware analysis body of knowledge. MABOK.
28. Vella, K. J. (2007, Jun 11). Web applications: What are they? What about them? Retrieved 2011, from http://www.windowsecurity.com/articles/Web-Applications.html?printversion.
29. W3schools. (2011). Introduction to SQL. Retrieved April, 2011, from http://www.w3schools. com/sql/sql_intro.asp.
30. Yu, W. D., Aravind, D., & Supthaweesuk, P. (2006). Software vulnerability analysis for web services software systems.
31. Alazab, M., Venkataraman, S., & Watters, P. (2010). Towards understanding malware behaviour by the extraction of api calls. Cybercrime and Trustworthy Computing Workshop.
32. Alazab, M., Ventatraman, S., Watters, P., Alazab, M., & Alazab, A. (2011). Cybercrime: The case of obuscated malware. Paper presented at the 7th International Conference on Global Security, Safety & Sustainability. Thessaloniki, Greece.
33. Clarke, J. (2009). SQL injection attacks and defense. Syngress.
34. Stuttard, D., & Pinto, M. (2011). The web application hacker's handbook: Finding and exploiting security flaws. Wiley.