Code-injection Vulnerabilities in Web Applications — Exemplified at Cross-site Scripting

Johns, Martin

doi:10.1524/itit.2011.0651

Cited by 21 publications

(14 citation statements)

References 62 publications

(106 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A significant portion of today's security vulnerabilities are string-based code injection vulnerabilities [71], which enable the attacker to inject syntactic content into dynamically executed programming statements, which -in the majority of all cases -leads to full compromise of the vulnerable execution context. Examples for such vulnerabilities include SQL Injection [52] and Cross-Site Scripting [50].…”

Section: An Important Variant Of Black-box Testing Is An Analysis Tecmentioning

confidence: 99%

Security Testing

Felderer

Büchler

Johns

et al. 2016

Advances in Computers

Self Cite

126

View full text Add to dashboard Cite

ReuseThis article is distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivs (CC BY-NC-ND) licence. This licence only allows you to download this work and share it with others as long as you credit the authors, but you can't change the article in any way or use it commercially. More information and the full terms of the licence here: https://creativecommons.org/licenses/ Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing eprints@whiterose.ac.uk including the URL of the record and the reason for the withdrawal request. Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of actual security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarize the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development lifecycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.

show abstract

Section: An Important Variant Of Black-box Testing Is An Analysis Tecmentioning

confidence: 99%

Security Testing

Felderer

Büchler

Johns

et al. 2016

Advances in Computers

Self Cite

126

View full text Add to dashboard Cite

show abstract

“…However, most of the previous work focus on the automated detection of well-known classes of vulnerabilities related to insufficient input validation, such as Cross-Site Scripting (XSS) [26], Cross-Site Request Forgery (CSRF) [2,27] and SQL injection [22]. Since our goal is to find logic flaws, we will not present these solutions in this section.…”

Section: Related Workmentioning

confidence: 99%

Toward Black-Box Detection of Logic Flaws in Web Applications

Pellegrino

Balzarotti

2014

Proceedings 2014 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Web applications play a very important role in many critical areas, including online banking, health care, and personal communication. This, combined with the limited security training of many web developers, makes web applications one of the most common targets for attackers.In the past, researchers have proposed a large number of white-and black-box techniques to test web applications for the presence of several classes of vulnerabilities. However, traditional approaches focus mostly on the detection of input validation flaws, such as SQL injection and cross-site scripting. Unfortunately, logic vulnerabilities specific to particular applications remain outside the scope of most of the existing tools and still need to be discovered by manual inspection.In this paper we propose a novel black-box technique to detect logic vulnerabilities in web applications. Our approach is based on the automatic identification of a number of behavioral patterns starting from few network traces in which users interact with a certain application. Based on the extracted model, we then generate targeted test cases following a number of common attack scenarios.We applied our prototype to seven real world E-commerce web applications, discovering ten very severe and previouslyunknown logic vulnerabilities.

show abstract

“…XML signature wrapping attacks on public SOAP interface in the cloud have been reported to cause the formation of new instances of VM as well as starting and stopping of existing VM (Somorovsky et al, 2011). Code injection in web applications poses an ongoing threat due to immature coding and lack of preventive measures (Johns, 2009). To prevent injection flaws and cross-site scripting, automatic approaches to detect vulnerabilities have been suggested (Bello and Russo, 2012).…”

Section: Common Risks and Threatsmentioning

confidence: 99%

Cloud Computing: Security and Reliability Issues

Ahamed¹,

Shahrestani²,

Ginige³

2013

CIBIMA

View full text Add to dashboard Cite

Security and reliability of cloud computing services remain among the dominant concerns inhibiting their pervasive adaptation. The distributed and the multi-tenancy nature of the cloud computing paradigm can be considered as the root causes for their increased risks and vulnerabilities. Resource sharing and virtualization can also be mentioned as additional main factors contributing to or augmenting cross-site scripting and other cloud vulnerabilities. Cloud are also exposed to the risks and liabilities faced by other networked systems. Poorly designed APIs that may cause security problems or distributed denial of services attacks are the examples of this category that are considered in this paper. Public key infrastructure provides the foundations for provision of some essential security services. These include services such as confidentiality, authentication, and privacy that are of vital importance for establishing trust and confidence between the cloud providers and their clients. In this work, we will discuss the potential flaws of this infrastructure and examine how they may deteriorate the security and reliability levels of the cloud environments. To enable a comprehensive study of the challenges in security and reliability of the cloud computing environments, we categorize the risks and vulnerabilities they face. Traditional techniques, based on cryptography, can address some of these challenges to a certain degree. We will argue that they may not be efficient for use in cloud environments. We then focus on data-centric and homomorphic encryption methods that may provide more appropriate solutions in addressing the challenges in cloud computing security and reliability.

show abstract

Code-injection Vulnerabilities in Web Applications — Exemplified at Cross-site Scripting

Cited by 21 publications

References 62 publications

Security Testing

Security Testing

Toward Black-Box Detection of Logic Flaws in Web Applications

Cloud Computing: Security and Reliability Issues

Contact Info

Product

Resources

About