Static and Dynamic Analysis for Web Security in Generic Format

Wu, Raymond; Hisada, Masayuki; Ranaweera, Rasika

doi:10.1007/978-3-642-04062-7_25

Cited by 7 publications

(5 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To solve it, it is necessary to develop not only black box testing, but also white box testing. This is discussed in web application security [5]. We would like to challenge to research white box testing in Flash application.…”

Section: Resultsmentioning

confidence: 98%

“…A sandbox is isolated from the operating system, file system, network, other applications, and even other Flash A developer can set the cross domain setting permission through the method of ActionScript called Security.allowDomain. According to the research of Jeremiah Grossman in 2006 [5], 6% of the top 100 websites have unrestricted cross domain policies. The problem with sandbox is that an attacker can attack application side vulnerabilities if the website administrator sets the crossdomain.xml wrongly.…”

Section: Protection Approachmentioning

confidence: 99%

See 1 more Smart Citation

A New Security Testing Method for Detecting Flash Vulnerabilities by Generating Test Patterns

Watanabe

Cheng

Kansen

et al. 2010

2010 13th International Conference on Network-Based Information Systems

Self Cite

View full text Add to dashboard Cite

Flash has a number of security defects even though Flash Player is installed on most of world's PC. Protection using sandbox has limitation to protect a user from vulnerabilities of Flash application because an attacker can attack a vulnerable Flash application when a sandbox can't work if an engineer or a web administrator set sandbox permission wrongly.Another way to solve it is testing. As a testing, penetration testing is useful for detecting vulnerability of Flash Application. Existing penetration testing performs penetration test through UI manually, which is inefficient and time consuming.In this paper, to overcome a problem of existing penetration test, we design a new penetration testing, which enables to generate as many test patterns as possible from VM inputs, inputting test patterns into VM, and checks the existence of vulnerabilities from VM outputs automatically. We demonstrate our testing method using an example, which can detect Flash Parameter Injection that is a one kind of vulnerability of Flash application.

show abstract

Section: Resultsmentioning

confidence: 98%

Section: Protection Approachmentioning

confidence: 99%

A New Security Testing Method for Detecting Flash Vulnerabilities by Generating Test Patterns

Watanabe

Cheng

Kansen

et al. 2010

2010 13th International Conference on Network-Based Information Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…9, NO. 2 when executed, so the logging messages can be generated at run-time process in HTML form, and represent the traces of an individual execution path [4]. TBM works on the decomposition of tokens, so each token is encoded to a special parser code, it will then be filtered and integrated into string code.…”

Section: Soa Trend and Security Approachesmentioning

confidence: 99%

SOA Web Security and Applications.

Wu¹,

Hisada²

2010

JOT

Self Cite

View full text Add to dashboard Cite

The conventional vulnerability detection fails to extend its generic form to an abstract level in coping with particular type of string validation. Consequently the security bypasses key issues such as Java scripting and SQL injection. It causes tremendous business loss and customers risk due to taint distribution and illegal data manipulation. This paper introduces semantic analysis by using metadata codes, as well as a hierarchical parser in token-based algorithmic check. Our research in SOA web security can help industry to minimize business impact, to achieve higher accuracy in vulnerability detection, and to commit fast responsiveness.

show abstract

“…From an integrity perspective, the lack of a consistent checkpoint can be risky for roll-back scenarios caused by security issues. Besides, the conventional techniques require developers to learn and use a new programming paradigm, which makes the implementation difficult in realization (Wu et al, 2009a).…”

Section: Literature and Architecture Review 21 Literature Reviewmentioning

confidence: 99%

“…In order to settle these issues, a metadata strategy in supporting IVT interoperability is proposed. It achieves a generic format (Wu et al, 2009b) for language transparency, and it also envisions the unique characteristics of semantic structure in coping with web security in new-age computing.…”

Section: Literature and Architecture Review 21 Literature Reviewmentioning

confidence: 99%

The architecture and industry applications of web security in static and dynamic analysis

Wu¹,

Hisada²

2010

Journal of Systems and Information Technology

Self Cite

View full text Add to dashboard Cite

Purpose -The purpose of this paper is to propose a metadata-driven approach and the associated technologies to deal with ever-rising web security issue. The approach applies metadata techniques to envision semantic validation for new types of vulnerability. Design/methodology/approach -Token decomposition design was applied to move analysis work into abstract level. This novel approach can solve the issues by using a dual control method to perform vulnerability validation. Findings -Current analysis has been lack in metadata foundation, the vulnerability is invisible due to semantic obfuscation. This paper reflects the limitation of existing methods. It applies metadatadriven approach to move physical and syntax analysis into semantic validation.Research limitations/implications -Currently, certain difficulties may be encountered in preparing benchmarking for dual control process before completing development work. However, this paper tries to create scenarios which can be a reference, to evaluate the semantic validation. Practical implications -In consideration of the optimized control and vulnerability rate, Structural Query Language (SQL) injection is taken as an example in demonstration. This approach targets large enterprise and high complexity, and the research intends to impact industry to generate common practices such as metadata standards and development tools. Originality/value -This paper contributes originality in applying metadata strategy to envision semantic structure. It further favours the service industry in building up portfolio foundation in component-based technologies. As the new type of vulnerability can be precisely specified, it can minimize business impact and achieve efficient vulnerability detection.

show abstract

Static and Dynamic Analysis for Web Security in Generic Format

Cited by 7 publications

References 3 publications

A New Security Testing Method for Detecting Flash Vulnerabilities by Generating Test Patterns

A New Security Testing Method for Detecting Flash Vulnerabilities by Generating Test Patterns

SOA Web Security and Applications.

The architecture and industry applications of web security in static and dynamic analysis

Contact Info

Product

Resources

About