Automatically hardening web applications using precise tainting

Cited by: 0
Authors
Nguyen-Tuong, A [1 ]
Guarnieri, S [1 ]
Greene, D [1 ]
Shirley, J [1 ]
Evans, D [1 ]
Affiliations
[1] Univ Virginia, Dept Comp Sci, Charlottesville, VA 22904 USA
Keywords
web security; web vulnerabilities; SQL injection; PHP; cross-site scripting attacks; precise tainting; information flow;
DOI
Not available
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
Most web applications contain security vulnerabilities. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks as well as other less common vulnerabilities. In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Existing techniques either require effort from the site developer or are prone to false positives. This paper presents a fully automated approach to securely hardening web applications. It is based on precisely tracking taintedness of data and checking specifically for dangerous content only in parts of commands and output that came from untrustworthy sources. Unlike previous work in which everything that is derived from tainted input is tainted, our approach precisely tracks taintedness within data values.
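The abstract describes tracking taintedness within a data value rather than marking a whole derived value as tainted, and checking only the untrusted parts of a command or output for dangerous content. The following is an added illustration of that idea, written here in Python and not taken from the paper (which instruments PHP): every name in it (`TString`, `sql_violations`, `html_violations`, the escaping helpers and the sample inputs) is invented for the example. The structural rule it enforces for SQL, that tainted characters may only appear inside a quoted string literal or as bare digits and may never open or close a literal, is one reasonable reading of "dangerous content in tainted parts", not the paper's exact check.

```python
# Added example (not code from the paper): a toy model of precise, per-character
# tainting. All names and sample inputs below are constructed for illustration.
from dataclasses import dataclass
import html


@dataclass(frozen=True)
class TString:
    """A string with one taint bit per character (True = from an untrusted source)."""
    text: str
    taint: tuple

    @classmethod
    def trusted(cls, s):
        return cls(s, (False,) * len(s))

    @classmethod
    def untrusted(cls, s):
        return cls(s, (True,) * len(s))

    def __add__(self, other):
        # Concatenation keeps each character's own taint bit: the result is
        # neither wholly tainted nor wholly clean, which is the precise part.
        return TString(self.text + other.text, self.taint + other.taint)

    def __getitem__(self, idx):
        # Slicing and indexing keep taint aligned with the characters taken.
        t = self.taint[idx]
        return TString(self.text[idx], t if isinstance(idx, slice) else (t,))

    def tainted_spans(self):
        """Maximal runs of tainted characters as (start, end) index pairs."""
        spans, start = [], None
        for i, bit in enumerate(self.taint + (False,)):
            if bit and start is None:
                start = i
            elif not bit and start is not None:
                spans.append((start, i))
                start = None
        return spans


def sql_escape(ts):
    """Double single quotes, as a DB escaping routine would; taint is preserved."""
    text, taint = "", ()
    for ch, t in zip(ts.text, ts.taint):
        esc = "''" if ch == "'" else ch
        text += esc
        taint += (t,) * len(esc)
    return TString(text, taint)


def sql_violations(cmd):
    """Report tainted characters that would alter the SQL command's structure.

    Rule: tainted characters may live inside a single-quoted literal, or be bare
    digits outside one; a tainted quote that opens/closes a literal, or any other
    tainted character outside a literal, is a violation. Trusted characters are
    never inspected, so they cannot cause false positives.
    """
    violations, in_literal, i, n = [], False, 0, len(cmd.text)
    while i < n:
        ch, tainted = cmd.text[i], cmd.taint[i]
        if ch == "'":
            if in_literal and i + 1 < n and cmd.text[i + 1] == "'":
                i += 2  # escaped quote ('' inside a literal) keeps us inside
                continue
            if tainted:
                violations.append(f"tainted quote at {i} changes a literal boundary")
            in_literal = not in_literal
        elif tainted and not in_literal and not ch.isdigit():
            violations.append(f"tainted {ch!r} at {i} is outside a string literal")
        i += 1
    return violations


def build_name_query(user_name):
    """Constructed query template: the only tainted part is the user-supplied name."""
    return TString.trusted("SELECT * FROM users WHERE name = '") + user_name + TString.trusted("'")


def build_id_query(user_id):
    return TString.trusted("SELECT * FROM users WHERE id = ") + user_id


def html_escape(ts):
    """Escape for HTML output; each output character inherits its source's taint."""
    text, taint = "", ()
    for ch, t in zip(ts.text, ts.taint):
        esc = html.escape(ch, quote=True)
        text += esc
        taint += (t,) * len(esc)
    return TString(text, taint)


def html_violations(out):
    """Only tainted '<' or '>' count: trusted markup around them is left alone."""
    return [f"tainted {ch!r} at {i}"
            for i, (ch, t) in enumerate(zip(out.text, out.taint)) if t and ch in "<>"]


if __name__ == "__main__":
    raw = TString.untrusted("O'Brien' OR '1'='1")       # constructed hostile input
    print(sql_violations(build_name_query(raw)))          # several violations
    print(sql_violations(build_name_query(sql_escape(raw))))  # [] after escaping
    page = TString.trusted("<b>Hello</b> ") + html_escape(TString.untrusted("<script>"))
    print(page.text, html_violations(page))               # escaped, no violations
```

The point the example makes is the one the abstract draws: because taint is tracked per character, a query built from a trusted template and an escaped user value passes the check even though the whole string "derives from" untrusted input, while a value that was never escaped is caught exactly at the characters that would change the command's parse.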
Pages: 295 / 307
Page count: 13
Related papers
50 items in total
  • [21] NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications
    Alhuzali, Abeer
    Gjomemo, Rigel
    Eshete, Birhanu
    Venkatakrishnan, V. N.
    PROCEEDINGS OF THE 27TH USENIX SECURITY SYMPOSIUM, 2018, : 377 - 392
  • [22] Precise Interface Identification to Improve Testing and Analysis of Web Applications
    Halfond, William G. J.
    Anand, Saswat
    Orso, Alessandro
    ISSTA 2009: INTERNATIONAL SYMPOSIUM ON SOFTWARE TESTING AND ANALYSIS, 2009, : 285 - 295
  • [23] Acquiring textual relations automatically on the web using genetic programming
    Bergström, A
    Jaksetic, P
    Nordin, P
    GENETIC PROGRAMMING, PROCEEDINGS, 2000, 1802 : 237 - 246
  • [24] Using Mapping Relations to Semi Automatically Compose Web Services
    Sabbouh, Marwan
    Higginson, Jeffrey L.
    Wan, Caleb
    Bennett, Scott R.
    IEEE CONGRESS ON SERVICES 2008, PT I, PROCEEDINGS, 2008, : 211 - 218
  • [25] Using linguistic features to automatically extract web page title
    Gali, Najlah
    Mariescu-Istodor, Radu
    Franti, Pasi
    EXPERT SYSTEMS WITH APPLICATIONS, 2017, 79 : 296 - 312
  • [26] Using adaptability to create an automatically adaptive course presentation on the web
    Razek, MA
    Frasson, C
    Kaltenbach, M
    3RD IEEE INTERNATIONAL CONFERENCE ON ADVANCED LEARNING TECHNOLOGIES, PROCEEDINGS, 2003, : 482 - 482
  • [27] TagTheWeb: Using Wikipedia Categories to Automatically Categorize Resources on the Web
    Medeiros, Jerry Fernandes
    Nunes, Bernardo Pereira
    Matsui Siqueira, Sean Wolfgand
    Portes Paes Leme, Luiz Andre
    SEMANTIC WEB: ESWC 2018 SATELLITE EVENTS, 2018, 11155 : 153 - 157
  • [28] Automatically inferring user behavior models in large-scale web applications
    Ghaemmaghami, Saeedeh Sadat Sajjadi
    Emam, Seyedeh Sepideh
    Miller, James
    INFORMATION AND SOFTWARE TECHNOLOGY, 2022, 141
  • [29] Literal tainting method for preventing code injection attack in Web application
    Wang, Yi
    Li, Zhoujun
    Guo, Tao
    Jisuanji Yanjiu yu Fazhan/Computer Research and Development, 2012, 49 (11): : 2414 - 2423
  • [30] Summarizing Web Sites automatically
    Zhang, YQZ
    Zincir-Heywood, N
    Milios, E
    ADVANCES IN ARTIFICIAL INTELLIGENCE, PROCEEDINGS, 2003, 2671 : 283 - 296