Abstract
This paper investigates how to combine techniques of static and dynamic analysis for finding security vulnerabilities in Java web applications. We present a hybrid analyzer that employs test case generation and dynamic taint analysis to achieve the goal of no false negatives and reduced false positives.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
OWASP. OWASP Top 10 for (2010), https://www.owasp.org/index.php/Top_10_2010-Main
Halfond, W.G., Viegas, J., Orso, A.: A Classification of SQL-Injection Attacks and Countermeasures. In: Proc. IEEE Int’l Sym. on Secure Software Engineering (March 2006)
CERT. Advisory CA-2002: Malicious HTML Tags Embedded in Client Web Requests (2002)
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: Proc. 14th Usenix Security Symposium, pp. 271–286 (August 2005)
Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A Symbolic Execution Framework for JavaScrip. In: IEEE Sym. on Security and Privacy (May 2010)
Laddad, R.: AspectJ in Action. Manning Publications Co. (2003)
Chiang, S.L.: A Hybrid Security Analyzer for Java Web Applications, Master Thesis, National Chengchi University, Taiwan (July 2010)
Huang, Y.Y.: Test Case Generation for Verifying Security Vulnerabilities in Java Web Applications, Master Thesis, National Chengchi University, Taiwan (July 2011)
Monga, M., Paleari, R., Passerini, E.: A Hybrid Analysis Framework for Detecting Web Application Vulnerabilities. In: Proc. Workshop on Software Engineering for Secure Systems (IWSESS 2009), pp. 25–32 (2009)
Kieżun, A., Guo, P.J., Jayaraman, K., Ernst, M.D.: Automatic creation of SQL injection and cross-site scripting attacks. In: Proc. the 31st International Conference on Software Engineering (May 2009)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag GmbH Berlin Heidelberg
About this paper
Cite this paper
Huang, YY., Chen, K., Chiang, SL. (2012). Finding Security Vulnerabilities in Java Web Applications with Test Generation and Dynamic Taint Analysis. In: Gaol, F., Nguyen, Q. (eds) Proceedings of the 2011 2nd International Congress on Computer Applications and Computational Science. Advances in Intelligent and Soft Computing, vol 145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28308-6_18
Download citation
DOI: https://doi.org/10.1007/978-3-642-28308-6_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28307-9
Online ISBN: 978-3-642-28308-6
eBook Packages: EngineeringEngineering (R0)