Skip to main content

Vulnerability Analysis of Web-based Applications

  • Chapter
Test and Analysis of Web Services

Abstract

In the last few years, the popularity of web-based applications has grown tremendously. A number of factors have led an increasing number of organizations and individuals to rely on web-based applications to provide access to a variety of services. Today, web-based applications are routinely used in security-critical environments, such as medical, financial, and military systems.

Web-based systems are a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side CGI programs. While the infrastructure components are usually developed by experienced programmers with solid security skills, the application-specific code is often developed under strict time constraints by programmers with little security training. As a result, vulnerable web-based applications are deployed and made available to the whole Internet, creating easily exploitable entry points for the compromise of entire networks.

To ameliorate these security problems, it is necessary to develop tools and techniques to improve the security of web-based applications. The most effective approach would be to provide secure mechanisms that can be used by well-trained developers. Unfortunately, this is not always possible, and a second line of defense is represented by auditing the application code for possible security problems. This activity, often referred to as web vulnerability analysis, allows one to identify security problems in web-based applications at early stages of development and deployment.

Recently, a number of methodologies and tools have been proposed to support the assessment of the security of web-based applications. In this chapter, we survey the current approaches to web vulnerability analysis and we propose a classification along two characterizing axes: detection model and analysis technique. We also present the most common attacks against web-based applications and discuss the effectiveness of certain analysis techniques in identifying specific classes of flaws.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 59.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 54.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. C. Anley. Advanced SQL Injection in SQL Server Applications. Technical report, Next Generation Security Software, Ltd, 2002.

    Google Scholar 

  2. J. Bercegay. Double Choco Latte Vulnerabilities. http://www.gulftech.org/?node=research&article_id=00066-04082005, April 2005.

    Google Scholar 

  3. M. Brown. FastCGI Specification. Technical report, Open Market, Inc., 1996.

    Google Scholar 

  4. A. Christensen, A. Møller, and M. Schwartzbach. Precise Analysis of String Expressions. In Proceedings of the 10th International Static Analysis Symposium (SAS’03), pp. 1–18, May 2003.

    Google Scholar 

  5. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol – HTTP/1.1. RFC 2616 (Draft Standard), June 1999. Updated by RFC 2817.

    Google Scholar 

  6. K. Fu, E. Sit, K. Smith, and N. Feamster. Dos and Don’ts of Client Authentication on the Web. In Proceedings of the USENIX Security Symposium, Washington, DC, August 2001.

    Google Scholar 

  7. C. Gould, Z. Su, and P. Devanbu. Static Checking of Dynamically Generated Queries in Database Applications. In Proceedings of the 26th International Conference of Software Engineering (ICSE’04), pages 645–654, September 2004.

    Google Scholar 

  8. V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation for Java. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC’05), pages 303–311, December 2005.

    Google Scholar 

  9. W. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the International Conference on Automated Software Engineering (ASE’05), pp. 174–183, November 2005.

    Google Scholar 

  10. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee, and S.-Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the 12th International World Wide Web Conference (WWW’04), pp. 40–52, May 2004.

    Google Scholar 

  11. N. Jovanovic. txtForum: Script Injection Vulnerability. http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt, March 2006.

    Google Scholar 

  12. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy, May 2006.

    Google Scholar 

  13. N. Jovanovic, C. Kruegel, and E. Kirda. Precise Alias Analysis for Static Detection of Web Application Vulnerabilities. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS’06), June 2006.

    Google Scholar 

  14. A. Klein. Cross Site Scripting Explained. Technical report, Sanctum Inc., 2002.

    Google Scholar 

  15. A. Klein. “Divide and Conquer”. HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. Technical report, Sanctum, Inc., 2004.

    Google Scholar 

  16. A. Klein. DOM Based Cross Site Scripting or XSS of the Third Kind. Technical report, Web Application Security Consortium, 2005.

    Google Scholar 

  17. M. Kolšek. Session Fixation Vulnerability in Web-based Applications. Technical report, ACROS Security, 2002.

    Google Scholar 

  18. C. Kruegel and G. Vigna. Anomaly Detection of Web-based Attacks. In Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS’03), pp. 251–261, October 2003.

    Google Scholar 

  19. C. Kruegel, G. Vigna, and W. Robertson. A Multi-model Approach to the Detection of Web-based Attacks. Computer Networks, 48(5):717–738, August 2005.

    Article  Google Scholar 

  20. C. Linhart, A. Klein, R. Heled, and S. Orrin. HTTP Request Smuggling. Technical report, Watchfire Corporation, 2005.

    Google Scholar 

  21. V. Livshits and M. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the 14th USENIX Security Symposium (USENIX’05), pp. 271–286, August 2005.

    Google Scholar 

  22. Y. Minamide. Static Approximation of Dynamically Generated Web Pages. In Proceedings of the 14th International World Wide Web Conference (WWW’05), pp. 432–441, May 2005.

    Google Scholar 

  23. NCSA Software Development Group. The Common Gateway Interface. http://hoohoo.ncsa.uiuc.edu/cgi/.

    Google Scholar 

  24. Netcraft. PHP Usage Stats. http://www.php.net/usage.php, April 2006.

    Google Scholar 

  25. A. Nguyen-Tuong, S. Guarnieri, D. Greene, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting. In Proceedings of the 20th International Information Security Conference (SEC’05), pp. 372–382, May 2005.

    Google Scholar 

  26. OWASP. WebGoat. http://wwwo.wasp.org/software/webgoat.html, 2006.

    Google Scholar 

  27. Perl. Perl security. http://perldoc.perl.org/perlsec.html.

    Google Scholar 

  28. rgod. PHP Advanced Transfer Manager v1.30 underlying system disclosure / remote command execution / cross site scripting. http://retrogod.altervista.org/phpatm130.html, 2005.

    Google Scholar 

  29. Security Space. Apache Module Report. http://www.securityspace.com/s_survey/data/man.200603/apachemods.html, April 2006.

    Google Scholar 

  30. K. Spett. Blind SQL Injection. Technical report, SPI Dynamics, 2003.

    Google Scholar 

  31. Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. In Proceedings of the 33rd Annual Symposium on Principles of Programming Languages (POPL’06), pp. 372–382, 2006.

    Google Scholar 

  32. Sun. JavaServer Pages. http://java.sun.com/products/jsp/.

    Google Scholar 

  33. Symantec Inc. Symantec Internet Security Threat Report: Vol. VIII. Technical report, Symantec Inc., September 2005.

    Google Scholar 

  34. TIOBE Software. TIOBE Programming Community Index for April 2006. http://www.tiobe.com/index.htm?tiobe_index, April 2006.

    Google Scholar 

  35. D. Wagner and P. Soto. Mimicry Attacks on Host-Based Intrusion Detection Systems. In Proceedings of the ACM Conference on Computer and Communications Security, pp. 255–264, Washington DC, November 2002.

    Google Scholar 

  36. J. Whaley and M. Lam. Cloning-Based Context-Sensitive Pointer Alias Analysis Using Binary Decision Diagrams. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI’04), pp. 131–144, June 2004.

    Google Scholar 

  37. Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the 15th USENIX Security Symposium (USENIX’06), August 2006.

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Cova, M., Felmetsger, V., Vigna, G. (2007). Vulnerability Analysis of Web-based Applications. In: Baresi, L., Nitto, E.D. (eds) Test and Analysis of Web Services. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72912-9_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-72912-9_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-72911-2

  • Online ISBN: 978-3-540-72912-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics