An empirical analysis of input validation mechanisms in web applications and languages

Authors: Theodoor Scholte, William Robertson, Davide Balzarotti, Engin Kirda

DOI: 10.1145/2245276.2232004

Keywords: World Wide Web, Secure coding, SQL injection, Computer science, Web modeling, Web application security, Web application, Web development, Web application framework, Web service, Cross-site scripting

Abstract: Web applications have become an integral part of the daily lives of millions of users. Unfortunately, web applications are also frequently targeted by attackers, and attacks such as XSS and SQL injection are still common. In this paper, we present an empirical study of more than 7000 input validation vulnerabilities with the aim of gaining deeper insights into how these common classes of vulnerabilities can be prevented. In particular, we focus on the relationship between the specific programming language used to develop web applications and the vulnerabilities that are commonly reported. Our findings suggest that most SQL injection and a significant number of XSS vulnerabilities can be prevented using straightforward validation mechanisms based on common data types. We elaborate on these data types, and discuss how support could be provided in web application frameworks.
