ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Web application security assessment by fault injection and behavior monitoring
Full text PdfPdf (4.53 MB)
Source International World Wide Web Conference archive
Proceedings of the 12th international conference on World Wide Web table of contents
Budapest, Hungary
SESSION: Data integrity table of contents
Pages: 148 - 159  
Year of Publication: 2003
ISBN:1-58113-680-3
Authors
Yao-Wen Huang  Academia Sinica, Taipei, Taiwan
Shih-Kun Huang  Academia Sinica, Taipei, Taiwan
Tsung-Po Lin  Academia Sinica, Taipei, Taiwan
Chung-Hung Tsai  National Chiao Tung University, Taiwan
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 91,   Downloads (12 Months): 766,   Citation Count: 19
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/775152.775174
What is a DOI?

ABSTRACT

As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Aladdin Knowledge Systems. "eSafe Proactive Content Security." http://www.ealaddin.com/
 
2
Apache. "Cross Site Scripting Info." http://httpd.apache.org/info/css-security/
 
3
Armstrong, I. "Mobile Code Stakes its Claim." In: SC Magazine, Cover Story, Nov 2000.
 
4
Auronen, L. "Tool-Based Approach to Assessing Web Application Security." Helsinki University of Technology, Nov 2002.
 
5
W3C. "Document Object Model (DOM)." http://www.w3.org/DOM/
 
6
Anley Chris. "Advanced SQL Injection In SQL Server Applications." An NGSSoftware Insight Security Research (NISR) Publication, 2002.
 
7
Apap, F., Honig, A., Hershkop, S. Eskin E., Stolfo S., "Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses." In: Fifth International Symposium on Recent Advances in Intrusion Detection (Zurich, Switzerland, Oct 2002).
 
8
Balzer, R., "Assuring the safety of opening email attachments." In: DARPA Information Survivability Conference & Exposition II, 2, 257--262, 2001.
 
9
Benedikt M., Freire J., Godefroid P., "VeriWeb: Automatically Testing Dynamic Web Sites." In: Proceedings of the 11th International Conference on the World Wide Web (Honolulu, Hawaii, May 2002).
 
10
Bergman, M. K. "The Deep Web: Surfacing Hidden Value." Deep Content Whitepaper, 2001.
11
Massimo Bernaschi , Emanuele Gabrielli , Luigi V. Mancini, Operating system enhancements to prevent the misuse of system calls, Proceedings of the 7th ACM conference on Computer and communications security, p.174-183, November 01-04, 2000, Athens, Greece  [doi>10.1145/352600.352624]
 
12
Bowman, C. M., Danzig, P., Hardy, D., Manber, U., Schwartz, M., Wessels, D. "Harvest: A Scalable, Customizable Discovery and Access System." In: Technical Report CU-CS-732-94.", Department of Computer Science, University of Colorado, Boulder, 1995.
 
13
Bowen, T., Segal, M., and Sekar, R. "On preventing intrusions by process behavior monitoring." In: Eighth USENIX Security Symposium (Washington, D.C., Aug 1999).
14
Claus Brabrand , Anders Møller , Michael I. Schwartzbach, The <bigwig> project, ACM Transactions on Internet Technology (TOIT), v.2 n.2, p.79-114, May 2002  [doi>10.1145/514183.514184]
 
15
CERT. "CERT" Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests. http://www.cgisecurity.com/articles/xss-faq.shtml
 
16
Cesar Cerrudo. "Manipulating Microsoft SQL Server Using SQL Injection." Whitepaper, 2002.
 
17
CGISecurity. "The Cross Site Scripting FAQ."
18
Hao Chen , David Wagner, MOPS: an infrastructure for examining security properties of software, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA  [doi>10.1145/586110.586142]
19
Junghoo Cho , Hector Garcia-Molina, Parallel crawlers, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA  [doi>10.1145/511446.511464]
 
20
Curphey et. al. Mark. "A Guide to Building Secure Web Applications." The Open Web Application Security Project, Sep 2002.
 
21
DHTML Central. HierMenus. http://www.webreference.com/dhtml/hiermenus/
 
22
G. A. Di Lucca , G. Casazza , M. Di Penta , G. Antoniol, An Approach for Reverse Engineering of Web-Based Applications, Proceedings of the Eighth Working Conference on Reverse Engineering (WCRE'01), p.231, October 02-05, 2001
 
23
Giuseppe A. Di Lucca , Anna Rita Fasolino , F. Pace , P. Tramontana , Ugo de Carlini, WARE: A Tool for the Reverse Engineering of Web Applications, Proceedings of the 6th European Conference on Software Maintenance and Reengineering, p.241-250, March 11-13, 2002
 
24
David Evans , David Larochelle, Improving Security Using Extensible Lightweight Static Analysis, IEEE Software, v.19 n.1, p.42-51, January 2002  [doi>10.1109/52.976940]
 
25
Finnigan, P., "SQL Injection and Oracle." SecurityFocus, 2002. http://online.securityfocus.com/infocus/1644
 
26
Finjan Software. "Your Window of Vulnerability - Why Anti-Virus Isn't Enough." http://www.finjan.com/mcrc/overview.cfm
 
27
Gold, R. "HttpUnit." http://httpunit.sourceforge.net/
 
28
Hunt, G., Brubacher, D. "Detours: Binary Interception of Win32 Functions." In: USENIX Technical Program - Windows NT Symposium 99, 1999.
 
29
Ipeirotis P., Gravano L., "Distributed Search over the Hidden Web: Hierarchical Database Sampling and Selection." In: The 28th International Conference on Very Large Databases (Hong Kong, China, Aug 2002), 394--405.
30
James B. D. Joshi , Walid G. Aref , Arif Ghafoor , Eugene H. Spafford, Security models for web-based applications, Communications of the ACM, v.44 n.2, p.38-44, Feb. 2001  [doi>10.1145/359205.359224]
 
31
Kaiya, H., Kaijiri, K. "Specifying runtime environments and functionalities of downloadable components under the sandbox model." In: Proceedings of the International Symposium on Principles of Software Evolution (Kanazawa, Japan, Nov 2000), 138--142.
 
32
KaVaDo. "Application-Layer Security: InterDo 2.1." KaVaDo Whitepaper, 2001.
 
33
Ko, C., Fraser, T., Badger, L., Kilpatrick, D. "Detecting and Countering System Intrusions Using Software Wrappers." In: Proceedings of the 9th USENIX Security Symposium (Denver, Colorado, Aug 2000).
 
34
Liddle, S., Embley, D., Scott, D., Yau, S.H., "Extracting Data Behind Web Forms." In: Proceedings of the Workshop on Conceptual Modeling Approaches for e-Business (Tampere, Finland, Oct 2002).
 
35
Manber, U., Smith, M., Gopal B., "WebGlimpse - Combining Browsing and Searching." In: Proceedings of the USENIX 1997 Annual Technical Conference (Anaheim, California, Jan, 1997).
 
36
Meer, H. "SQL Insertion," 2000.
 
37
Microsoft. "Scriptlet Security." Getting Started with Scriptlets, MSDN Library, 1997. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnindhtm/html/instantdhtmlscriptlets.asp
 
38
Robert C. Miller , Krishna Bharat, SPHINX: a framework for creating personal, site-specific Web crawlers, Proceedings of the seventh international conference on World Wide Web 7, p.119-130, April 1998, Brisbane, Australia
 
39
Mozilla.org. "Mozilla Layout Engine." http://www.mozilla.org/newlayout/
 
40
Netscape. "JavaScript Security in Communicator 4.x." http://developer.netscape.com/docs/manuals/communicator/jssec/contents.htm#1023448
 
41
Jeff Offutt, Quality Attributes of Web Software Applications, IEEE Software, v.19 n.2, p.25-32, March 2002  [doi>10.1109/52.991329]
 
42
OWASP. "WebScarab Project." http://www.owasp.org/webscarab/
 
43
Pelican Security Inc. "Active Content Security: Risks and Solutions." Pelican Security Whitepaper, 1999.
 
44
Privateer, P., "Making the Net Safe for eBusiness: Solving the Problem of Malicious Internet Mobile Code." In: Proceedings of the eSolutions World 2000 Conference (Philiadelphia, Pennsylvania, Sep 2000).
 
45
Prem Uppuluri , R. Sekar, Experiences with Specification-Based Intrusion Detection, Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, p.172-189, October 10-12, 2001
 
46
Sriram Raghavan , Hector Garcia-Molina, Crawling the Hidden Web, Proceedings of the 27th International Conference on Very Large Data Bases, p.129-138, September 11-14, 2001
 
47
Raghavan, S., Garcia-Molina, H. "Crawling the Hidden Web." In: Technical Report 2000-36, Database Group, Computer Science Department, Stanford (Nov 2000).
 
48
Filippo Ricca , Paolo Tonella, Analysis and testing of Web applications, Proceedings of the 23rd International Conference on Software Engineering, p.25-34, May 12-19, 2001, Toronto, Ontario, Canada
 
49
Ricca, F., Tonella, P., Baxter, I. D. "Restructuring Web Applications via Transformation Rules." Information and Software Technology, 44(13), 811--825, Oct 2002.
 
50
Filippo Ricca , Paolo Tonella, Understanding and Restructuring Web Sites with ReWeb, IEEE MultiMedia, v.8 n.2, p.40-51, April 2001  [doi>10.1109/93.917970]
 
51
Web Application Slicing, Proceedings of the IEEE International Conference on Software Maintenance (ICSM'01), p.148, November 07-09, 2001
 
52
Filippo Ricca , Paolo Tonella, Web Site Analysis: Structure and Evolution, Proceedings of the International Conference on Software Maintenance (ICSM'00), p.76, October 11-14, 2000
 
53
Sanctum Inc. "Web Application Security Testing -- AppScan 3.5." http://www.sanctuminc.com
54
David Scott , Richard Sharp, Abstracting application-level web security, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA  [doi>10.1145/511446.511498]
 
55
Sekar, R., Uppuluri, P., "Synthesizing Fast Intrusion Detection/Prevention Systems from High-Level Specifications." In: USENIX Security Symposium, 1999.
 
56
Sebastien@ailleret.com. "Larbin -- A Multi-Purpose Web Crawler." http://larbin.sourceforge.net/index-eng.html
 
57
SecurityGlobal.net. Security Tracker Statistics. Apr 2002 -- Mar 2002. http://securitytracker.com/learn/statistics.html
 
58
Design and Implementation of a High-Performance Distributed Web Crawler, Proceedings of the 18th International Conference on Data Engineering, p.357, February 26-March 01, 2002
 
59
SPI Dynamics. "Complete Web Application Security: Phase 1"Building Web Application Security into Your Development Process." SPI Dynamics Whitepaper, 2002.
 
60
SPI Dynamics. "SQL Injection: Are Your Web Applications Vulnerable." SPI Dynamics Whitepaper, 2002.
 
61
SPI Dynamics. "Web Application Security Assessment." SPI Dynamics Whitepaper, 2003.
 
62
Tennyson Maxwell Information Systems, Inc. "Teleport Webspiders." http://www.tenmax.com/teleport/home.htm
 
63
Scott Tilley , Shihong Huang, Evaluating the reverse engineering capabilities of Web tools for understanding site content and structure: a case study, Proceedings of the 23rd International Conference on Software Engineering, p.514-523, May 12-19, 2001, Toronto, Ontario, Canada
 
64
United States Patent and Trademark Office. http://www.uspto.gov/patft/
 
65
Vibert, R., "AV Alternatives: Extending Scanner Range." In: Information Security Magazine, Feb 2001.
 
66
Jeffrey M. Voas , Gary McGraw, Software fault injection: inoculating programs against errors, John Wiley & Sons, Inc., New York, NY, 1997
 
67
WinMerge. "WinMerge: A visual text file differencing and merging tool for Win32 platforms." http://winmerge.sourceforge.net

CITED BY  19
Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA
Yuetang Deng , Phyllis Frankl , Jiong Wang, Testing web database applications, ACM SIGSOFT Software Engineering Notes, v.29 n.5, September 2004
Zhendong Su , Gary Wassermann, The essence of command injection attacks in web applications, ACM SIGPLAN Notices, v.41 n.1, p.372-382, January 2006
Gregory T. Buehrer , Bruce W. Weide , Paolo A. G. Sivilotti, Using parse tree validation to prevent SQL injection attacks, Proceedings of the 5th international workshop on Software engineering and middleware, September 05-06, 2005, Lisbon, Portugal
William G. J. Halfond , Alessandro Orso, Combining static analysis and runtime monitoring to counter SQL-injection attacks, ACM SIGSOFT Software Engineering Notes, v.30 n.4, July 2005
William G. J. Halfond , Alessandro Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, November 07-11, 2005, Long Beach, CA, USA
Engin Kirda , Christopher Kruegel , Giovanni Vigna , Nenad Jovanovic, Noxes: a client-side solution for mitigating cross-site scripting attacks, Proceedings of the 2006 ACM symposium on Applied computing, April 23-27, 2006, Dijon, France
Stefan Kals , Engin Kirda , Christopher Kruegel , Nenad Jovanovic, SecuBat: a web vulnerability scanner, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland
Nenad Jovanovic , Christopher Kruegel , Engin Kirda, Precise alias analysis for static detection of web application vulnerabilities, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada
Ben Smith , Yonghee Shin , Laurie Williams, Proposing SQL statement coverage metrics, Proceedings of the fourth international workshop on Software engineering for secure systems, p.49-56, May 17-18, 2008, Leipzig, Germany
William G. J. Halfond , Alessandro Orso, Preventing SQL injection attacks using AMNESIA, Proceeding of the 28th international conference on Software engineering, May 20-28, 2006, Shanghai, China
William G. J. Halfond , Alessandro Orso , Panagiotis Manolios, Using positive tainting and syntax-aware evaluation to counter SQL injection attacks, Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering, November 05-11, 2006, Portland, Oregon, USA
William G. J. Halfond , Alessandro Orso, Improving test case generation for web applications using automated interface discovery, Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering, September 03-07, 2007, Dubrovnik, Croatia
Cyntrica Eaton , Atif M. Memon, An empirical approach to evaluating web application compliance across diverse client platform configurations, International Journal of Web Engineering and Technology, v.3 n.3, p.227-253, January 2007
Xiang Fu , Kai Qian, SAFELI: SQL injection scanner using symbolic execution, Proceedings of the 2008 workshop on Testing, analysis, and verification of web services and applications, p.34-39, July 21-21, 2008, Seattle, Washington
Matthew M. North , Max M. North , Sarah M. North, Security from the bottom-up: compliance regulations and the trend toward design-oriented web applications, Journal of Computing Sciences in Colleges, v.24 n.4, April 2009
Massimiliano Di Penta , Luigi Cerulo , Lerina Aversano, The life and death of statically detected vulnerabilities: An empirical study, Information and Software Technology, v.51 n.10, p.1469-1484, October, 2009
William G.J. Halfond , Saswat Anand , Alessandro Orso, Precise interface identification to improve testing and analysis of web applications, Proceedings of the eighteenth international symposium on Software testing and analysis, July 19-23, 2009, Chicago, IL, USA
Toan Huynh , James Miller, Another viewpoint on "evaluating web software reliability based on workload and failure data extracted from server logs", Empirical Software Engineering, v.14 n.4, p.371-396, August 2009

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.2 Design Tools and Techniques
          Subjects: Modules and interfaces

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.5 Testing and Debugging
          Subjects: Code inspections and walk-throughs; Testing tools (e.g., data generators, coverage testing)

  H. Information Systems
  H.3 INFORMATION STORAGE AND RETRIEVAL
      H.3.1 Content Analysis and Indexing
          Subjects: Dictionaries; Indexing methods

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Unauthorized access (e.g., hacking, phreaking); Invasive software (e.g., viruses, worms, Trojan horses)


General Terms:
Design, Security


Keywords:
black-box testing, complete crawling, fault injection, security assessment, web application testing

Collaborative Colleagues:
Yao-Wen Huang: colleagues
Shih-Kun Huang: colleagues
Tsung-Po Lin: colleagues
Chung-Hung Tsai: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player