Automatically hardening web applications using precise tainting

Cited by: 0
Authors
Nguyen-Tuong, A [1 ]
Guarnieri, S [1 ]
Greene, D [1 ]
Shirley, J [1 ]
Evans, D [1 ]
Affiliations
[1] Univ Virginia, Dept Comp Sci, Charlottesville, VA 22904 USA
Keywords
web security; web vulnerabilities; SQL injection; PHP; cross-site scripting attacks; precise tainting; information flow;
DOI
Not available
CLC number
TP [Automation technology, computer technology];
Discipline code
0812;
Abstract
Most web applications contain security vulnerabilities. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks as well as other less common vulnerabilities. In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Existing techniques either require effort from the site developer or are prone to false positives. This paper presents a fully automated approach to securely hardening web applications. It is based on precisely tracking taintedness of data and checking specifically for dangerous content only in parts of commands and output that came from untrustworthy sources. Unlike previous work in which everything that is derived from tainted input is tainted, our approach precisely tracks taintedness within data values.
Pages: 295 / 307
Page count: 13
Related papers
50 items in total
  • [1] ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities
    Weissbacher, Michael
    Robertson, William
    Kirda, Engin
    Kruegel, Christopher
    Vigna, Giovanni
    PROCEEDINGS OF THE 24TH USENIX SECURITY SYMPOSIUM, 2015, : 737 - 752
  • [2] WASP: Protecting web applications using positive tainting and syntax-aware evaluation
    Halfond, William G. J.
    Orso, Alessandro
    Manolios, Panagiotis
    IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 2008, 34 (01) : 65 - 81
  • [3] Automatically RESTful Web Applications
    McCarthy, Jay
    ICFP'09: PROCEEDINGS OF THE 2009 ACM SIGPLAN INTERNATIONAL CONFERENCE ON FUNCTIONAL PROGRAMMING, 2009, : 299 - 309
  • [4] Automatically RESTful Web Applications
    McCarthy, Jay
    ACM SIGPLAN NOTICES, 2009, 44 (8-9) : 299 - 309
  • [5] PENUMBRA: Automatically Identifying Failure-Relevant Inputs Using Dynamic Tainting
    Clause, James
    Orso, Alessandro
    ISSTA 2009: INTERNATIONAL SYMPOSIUM ON SOFTWARE TESTING AND ANALYSIS, 2009, : 249 - 259
  • [7] AutoCSP: Automatically Retrofitting CSP to Web Applications
    Fazzini, Mattia
    Saxena, Prateek
    Orso, Alessandro
    2015 IEEE/ACM 37TH IEEE INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING, VOL 1, 2015, : 336 - 346
  • [8] Fortifying Web-Based Applications Automatically
    Tang, Shuo
    Dautenhahn, Nathan
    King, Samuel T.
    PROCEEDINGS OF THE 18TH ACM CONFERENCE ON COMPUTER & COMMUNICATIONS SECURITY (CCS 11), 2011, : 615 - 626
  • [10] BLeak: Automatically Debugging Memory Leaks in Web Applications
    Vilk, John
    Berger, Emery D.
    PROCEEDINGS OF THE 39TH ACM SIGPLAN CONFERENCE ON PROGRAMMING LANGUAGE DESIGN AND IMPLEMENTATION, PLDI 2018, 2018, : 15 - +