Abstract
In the last few years, the popularity of web-based applications has grown tremendously. A number of factors have led an increasing number of organizations and individuals to rely on web-based applications to provide access to a variety of services. Today, web-based applications are routinely used in security-critical environments, such as medical, financial, and military systems.
Web-based systems are a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side CGI programs. While the infrastructure components are usually developed by experienced programmers with solid security skills, the application-specific code is often developed under strict time constraints by programmers with little security training. As a result, vulnerable web-based applications are deployed and made available to the whole Internet, creating easily exploitable entry points for the compromise of entire networks.
To ameliorate these security problems, it is necessary to develop tools and techniques to improve the security of web-based applications. The most effective approach would be to provide secure mechanisms that can be used by well-trained developers. Unfortunately, this is not always possible, and a second line of defense is represented by auditing the application code for possible security problems. This activity, often referred to as web vulnerability analysis, allows one to identify security problems in web-based applications at early stages of development and deployment.
Recently, a number of methodologies and tools have been proposed to support the assessment of the security of web-based applications. In this chapter, we survey the current approaches to web vulnerability analysis and we propose a classification along two characterizing axes: detection model and analysis technique. We also present the most common attacks against web-based applications and discuss the effectiveness of certain analysis techniques in identifying specific classes of flaws.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
C. Anley. Advanced SQL Injection in SQL Server Applications. Technical report, Next Generation Security Software, Ltd, 2002.
J. Bercegay. Double Choco Latte Vulnerabilities. http://www.gulftech.org/?node=research&article_id=00066-04082005, April 2005.
M. Brown. FastCGI Specification. Technical report, Open Market, Inc., 1996.
A. Christensen, A. Møller, and M. Schwartzbach. Precise Analysis of String Expressions. In Proceedings of the 10th International Static Analysis Symposium (SAS’03), pp. 1–18, May 2003.
R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol – HTTP/1.1. RFC 2616 (Draft Standard), June 1999. Updated by RFC 2817.
K. Fu, E. Sit, K. Smith, and N. Feamster. Dos and Don’ts of Client Authentication on the Web. In Proceedings of the USENIX Security Symposium, Washington, DC, August 2001.
C. Gould, Z. Su, and P. Devanbu. Static Checking of Dynamically Generated Queries in Database Applications. In Proceedings of the 26th International Conference of Software Engineering (ICSE’04), pages 645–654, September 2004.
V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation for Java. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC’05), pages 303–311, December 2005.
W. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the International Conference on Automated Software Engineering (ASE’05), pp. 174–183, November 2005.
Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee, and S.-Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the 12th International World Wide Web Conference (WWW’04), pp. 40–52, May 2004.
N. Jovanovic. txtForum: Script Injection Vulnerability. http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt, March 2006.
N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy, May 2006.
N. Jovanovic, C. Kruegel, and E. Kirda. Precise Alias Analysis for Static Detection of Web Application Vulnerabilities. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS’06), June 2006.
A. Klein. Cross Site Scripting Explained. Technical report, Sanctum Inc., 2002.
A. Klein. “Divide and Conquer”. HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. Technical report, Sanctum, Inc., 2004.
A. Klein. DOM Based Cross Site Scripting or XSS of the Third Kind. Technical report, Web Application Security Consortium, 2005.
M. Kolšek. Session Fixation Vulnerability in Web-based Applications. Technical report, ACROS Security, 2002.
C. Kruegel and G. Vigna. Anomaly Detection of Web-based Attacks. In Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS’03), pp. 251–261, October 2003.
C. Kruegel, G. Vigna, and W. Robertson. A Multi-model Approach to the Detection of Web-based Attacks. Computer Networks, 48(5):717–738, August 2005.
C. Linhart, A. Klein, R. Heled, and S. Orrin. HTTP Request Smuggling. Technical report, Watchfire Corporation, 2005.
V. Livshits and M. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the 14th USENIX Security Symposium (USENIX’05), pp. 271–286, August 2005.
Y. Minamide. Static Approximation of Dynamically Generated Web Pages. In Proceedings of the 14th International World Wide Web Conference (WWW’05), pp. 432–441, May 2005.
NCSA Software Development Group. The Common Gateway Interface. http://hoohoo.ncsa.uiuc.edu/cgi/.
Netcraft. PHP Usage Stats. http://www.php.net/usage.php, April 2006.
A. Nguyen-Tuong, S. Guarnieri, D. Greene, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting. In Proceedings of the 20th International Information Security Conference (SEC’05), pp. 372–382, May 2005.
OWASP. WebGoat. http://wwwo.wasp.org/software/webgoat.html, 2006.
Perl. Perl security. http://perldoc.perl.org/perlsec.html.
rgod. PHP Advanced Transfer Manager v1.30 underlying system disclosure / remote command execution / cross site scripting. http://retrogod.altervista.org/phpatm130.html, 2005.
Security Space. Apache Module Report. http://www.securityspace.com/s_survey/data/man.200603/apachemods.html, April 2006.
K. Spett. Blind SQL Injection. Technical report, SPI Dynamics, 2003.
Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. In Proceedings of the 33rd Annual Symposium on Principles of Programming Languages (POPL’06), pp. 372–382, 2006.
Sun. JavaServer Pages. http://java.sun.com/products/jsp/.
Symantec Inc. Symantec Internet Security Threat Report: Vol. VIII. Technical report, Symantec Inc., September 2005.
TIOBE Software. TIOBE Programming Community Index for April 2006. http://www.tiobe.com/index.htm?tiobe_index, April 2006.
D. Wagner and P. Soto. Mimicry Attacks on Host-Based Intrusion Detection Systems. In Proceedings of the ACM Conference on Computer and Communications Security, pp. 255–264, Washington DC, November 2002.
J. Whaley and M. Lam. Cloning-Based Context-Sensitive Pointer Alias Analysis Using Binary Decision Diagrams. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI’04), pp. 131–144, June 2004.
Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the 15th USENIX Security Symposium (USENIX’06), August 2006.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Cova, M., Felmetsger, V., Vigna, G. (2007). Vulnerability Analysis of Web-based Applications. In: Baresi, L., Nitto, E.D. (eds) Test and Analysis of Web Services. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72912-9_13
Download citation
DOI: https://doi.org/10.1007/978-3-540-72912-9_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72911-2
Online ISBN: 978-3-540-72912-9
eBook Packages: Computer ScienceComputer Science (R0)