Proceedings Article, DOI 10.1145/511446.511498
Abstracting application-level web security
David Scott, Richard Sharp +1 more
- 07 May 2002
- pp 396-407
TL;DR: A scalable structuring mechanism facilitating the abstraction of security policies from large web-applications developed in heterogeneous multi-platform environments is described, and a tool which assists programmers in developing secure applications which are resilient to a wide range of common attacks is presented.
Abstract: Application-level web security refers to vulnerabilities inherent in the code of a web-application itself (irrespective of the technologies in which it is implemented or the security of the web-server/back-end database on which it is built). In the last few months application-level vulnerabilities have been exploited with serious consequences: hackers have tricked e-commerce sites into shipping goods for no charge, user-names and passwords have been harvested and confidential information (such as addresses and credit-card numbers) has been leaked. In this paper we investigate new tools and techniques which address the problem of application-level web security. We (i) describe a scalable structuring mechanism facilitating the abstraction of security policies from large web-applications developed in heterogeneous multi-platform environments; (ii) present a tool which assists programmers in developing secure applications which are resilient to a wide range of common attacks; and (iii) report results and experience arising from our implementation of these techniques.
Citations
Book review: Applied cryptography: Protocols, algorithms, and source code in C
A Classification of SQL-Injection Attacks and Countermeasures
William G. J. Halfond, Jeremy Viegas, Alessandro Orso +2 more
- 01 Jan 2006
TL;DR: An extensive review of the different types of SQL injection attacks known to date is presented, including descriptions and examples of how attacks of that type could be performed and existing detection and prevention techniques against SQL injections.
The essence of command injection attacks in web applications
Zhendong Su, Gary Wassermann +1 more
- 11 Jan 2006
TL;DR: This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques.
Web application security assessment by fault injection and behavior monitoring
Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, Chung-Hung Tsai +3 more
- 20 May 2003
TL;DR: The design of Web application security assessment mechanisms are analyzed in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting.
•Proceedings Article
Static detection of security vulnerabilities in scripting languages
Yichen Xie, Alex Aiken +1 more
- 31 Jul 2006
TL;DR: A static analysis algorithm for detecting security vulnerabilities in PHP, a popular server-side scripting language for building web applications, is presented, finding 105 previously unknown security vulnerabilities, most of which it believes are remotely exploitable.
References
•Book
Applied Cryptography: Protocols, Algorithms, and Source Code in C
Bruce Schneier, Phil Sutherland +1 more
- 10 Nov 1993
TL;DR: This document describes the construction of protocols and their use in the real world, as well as some examples of protocols used in the virtual world.
•Proceedings Article
The MD5 Message-Digest Algorithm
Ronald L. Rivest
- 01 Apr 1992
TL;DR: This document describes the MD5 message-digest algorithm, which takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
•Book
The Definition of Standard ML
Robin Milner, Mads Tofte, Robert Harper +2 more
- 01 Jan 1990
TL;DR: This book provides a formal definition of Standard ML for the benefit of all concerned with the language, including users and implementers; the authors have defined their semantic objects in mathematical notation that is completely independent of Standard ML.
A theory of type polymorphism in programming
TL;DR: This work presents a formal type discipline for polymorphic procedures in the context of a simple programming language, and a compile-time type-checking algorithm W which enforces the discipline.
Keying Hash Functions for Message Authentication
Mihir Bellare, Ran Canetti, Hugo Krawczyk +2 more
- 18 Aug 1996
TL;DR: Two new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths.
Related Papers (5)
Zhendong Su, Gary Wassermann +1 more
- 11 Jan 2006
Stephen W. Boyd, Angelos D. Keromytis +1 more
- 08 Jun 2004