David Scott
ABSTRACT
Application-level web security refers to vulnerabilities inherent in the code of a web-application itself (irrespective of the technologies in which it is implemented or the security of the web-server/back-end database on which it is built). In the last few months application-level vulnerabilities have been exploited with serious consequences: hackers have tricked e-commerce sites into shipping goods for no charge, user-names and passwords have been harvested and condential information (such as addresses and credit-card numbers) has been leaked.In this paper we investigate new tools and techniques which address the problem of application-level web security. We (i) describe a scalable structuring mechanism facilitating the abstraction of security policies from large web-applications developed in heterogenous multi-platform environments; (ii) present a tool which assists programmers develop secure applications which are resilient to a wide range of common attacks; and (iii) report results and experience arising from our implementation of these techniques.
- The bigwig project. http://www.brics.dk/bigwig/.]]Google Scholar
- MySQL database server. http://www.mysql.com/.]]Google Scholar
- PHP hypertext preprocessor. http://www.php.net/.]]Google Scholar
- Squid web proxy cache. http://www.squid-cache.org/.]]Google Scholar
- D. Box. Simple object access protocol (SOAP) 1.1. world wide web consortium (W3C). May 2000. http://www.w3.org/TR/SOAP.]]Google Scholar
- C. Brabrand, A. Mller, M. Ricky, and M. Schwartzbach. Powerforms: Declarative client-side form field validation. World Wide Web Journal, 3(4), 2000.]] Google ScholarDigital Library
- CERT. Advisory CA-2000-02: malicious HTML tags embedded in client web requests. http://www.cert.org/advisories/CA-2000-02.html.]]Google Scholar
- CERT. Understanding malicious content mitigation for web developers. http://www.cert.org/tech tips/ malicious code mitigation.html.]]Google Scholar
- R. Clayton, G. Danezis, and M. Kuhn. Real world patterns of failure in anonymity systems. In Proceedings of the Workshop on Information Hiding, volume 2137. Springer-Verlag, LNCS, 2001.]] Google ScholarDigital Library
- E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati. Fine grained access control for soap e-services. In Proceedings of the 10th International World Wide Web Conference, pages 504--513. ACM, May 2001.]] Google ScholarDigital Library
- eEye Digital Security. %u-encoding IDS bypass vulnerability. Advisory AD20010705, http://www.eeye.com/html/Research/Advisories/AD20010705.html.]]Google Scholar
- D. Flanagan. JavaScript: The Definitive Guide. O'Reilly. ISBN: 1565923928.]] Google ScholarDigital Library
- S. Goodley. Security hole threatens british e-tailers. The Daily Telegraph Newspaper (UK). 25th January, 2001. http://www.telegraph.co.uk/et?pg=/et/01/1/25/ecnsecu2.html.]]Google Scholar
- Internet Security Systems (ISS). Form tampering vulnerabilities in several web-based shopping cart applications. ISS alert. http://xforce.iss.net/alerts/advise42.php.]]Google Scholar
- B. Jemas, B. M. Bendis, and M. Bagley. Ultimate Spider-man: Power and Responsibility. Marvel Books. ISBN: 078510786X.]]Google Scholar
- X. Leroy. The Objective Caml System Release 3.0. INRIA, Rocquencourt, France, 2000.]]Google Scholar
- L. Lorek. New e-rip-off maneuver: Swapping price tags. ZD-Net. 5th March, 2001. http://www.zdnet.com/intweek/stories/news/0,4164,2692337,00.html.]]Google Scholar
- Microsoft. HOWTO: Review ASP code for CSSI vulnerability. http://support.microsoft.com/support/kb/articles/Q253/1/19.ASP.]]Google Scholar
- R. Milner. A theory of type-polymorphism in programming. Journal of Computer and System Sciences, 17(3), 1978.]]Google ScholarCross Ref
- R. Milner, M. Tofte, R. Harper, and D. MacQueen. The Definition of Standard ML(Revised). MIT Press, 1997.]] Google ScholarDigital Library
- C. Musciano and B. Kennedy. HTML & XHTML: The Definitive Guide (4th Edition). O'Reilly, 2000. ISBN: 0-596-00026-X. See page 328.]] Google ScholarDigital Library
- R. Peteanu. Best practices for secure web development. Security portal. http://securityportal.com/cover/ coverstory20001030.html.]]Google Scholar
- R. Peteanu. Best practices for secure web development: Technical details. Security portal. http://securityportal.com/articles/webdev20001103.html.]]Google Scholar
- R. Petrusha, P. Lomax, and M. Childs. VBscript in a nutshell: a desktop quick reference. O'Reilly. ISBN: 1565927206.]]Google Scholar
- R. Rivest. The MD5 message digest algorithm. Internet Request For Comments. April 1992. RFC 1321.]] Google ScholarDigital Library
- Sanctum Inc. AppShield white paper. March 2001. Available from http://www.sanctuminc.com/.]]Google Scholar
- B. Schneier. Applied cryptography: protocols, algorithms, and sourcecode in C. John Wiley & Sons, New York, 1994.]] Google ScholarDigital Library
- L. D. Stein. Referer refresher. http://www.webtechniques.com/archives/1998/09/webm/.]]Google Scholar
- P. Syverson. A taxonomy of replay attacks. In Computer Security Foundations Workshop VII. IEEE Computer Society Press, 1994.]]Google ScholarCross Ref
Index Terms
- Abstracting application-level web security
Recommendations
XSS Application Worms: New Internet Infestation and Optimized Protective Measures
SNPD '07: Proceedings of the Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing - Volume 03There has been considerable increase in Application layer attacks in the recent years. Research surveys show that the cross site scripting (XSS) attack is most common among all the application layer attacks. Ajax web technology, by design makes number of ...
Specifying and Enforcing Application-Level Web Security Policies
Application-level Web security refers to vulnerabilities inherent in the code of a Web-application itself (irrespective of the technologies in which it is implemented or the security of the Web-server/back-end database on which it is built). In the last ...
Web Application Security Using JSFlow
SYNASC '15: Proceedings of the 2015 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC)Web applications are often vulnerable to code injection attacks and to attacksthrough buggy or malicious libraries. Unfortunately, the current protectionmechanisms are frequently ad-hoc, as a response to attacks after the fact. Thishad lead to a ...
Comments