2018
DOI: 10.1007/978-3-030-00009-7_51
A Web Application Runtime Application Self-protection Scheme against Script Injection Attacks

Cited by 6 publications (3 citation statements)
References 6 publications
“…"byte\\[\\]", "foo", "\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C", "SerializationInjector", "java\..*", "sun\.util\.calendar\..*", "org\.apache\.ofbiz\..*", "org\.codehaus\.groovy\.runtime\.GStringImpl", "groovy\.lang\.GString", With the support of new security features in libraries, developers are encouraged to customize the deserialization policies of their applications according to their requirements. The most common ones are blocklists containing classes in all known exploitation gadgets collected by the community [6], [13], [14]. For example, in the Jenkins project [15], a famous automation server with over 20k stars on GitHub, developers formulate a blocklist including exploitable classes in its classpath, such as CommonsCollection and CommonsBeanutils.…”
Section: B. Deserialization Policy (citation type: mentioning; confidence: 99%)
“…For example, JEP 290 [5] is a look-ahead defense and allows developers to customize a policy of permitting and blocking classes. Besides protection provided by JDK, many runtime application self-protection frameworks [13], [14], [46] also provide mechanisms to customize policies. They usually hook critical methods and perform auditing with byte code instrumentation [31], [47].…”
Section: Related Work (citation type: mentioning; confidence: 99%)
“…Yin et al. [35] developed a RASP tool specific to Script Injection attacks for dynamic web applications based on data flow analysis and automatic insertion of filters before relevant sink statements. They compare their solution with WAF, BEEP, and CSP and find that their approach and CSP perform better.…”
Section: Runtime Application Self Protection (RASP) (citation type: mentioning; confidence: 99%)