Abstract
“Invalidated Input” is Top One Critical Web Application Security Vulnerabilities according to have been released by Open Web Applications Security Project (OWASP) on July 14, 2004. Many web application security vulnerabilities result from generic input validation problems. Some sites attempt to protect themselves by filtering malicious input, but it may not be viable to modify the source of such components. We have tried to develop an automatic defense mechanism that can produce a proper input validation function on security gateway to filter malicious injection. To verify the efficiency of the tool, we picked the websites made up of some Web applications often contain third-party vulnerable components which was shipped in binary form. Among our experiments, the defense mechanism can automatically organize validation functions to avoid malicious injection attack. abstract environment.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Open Web Application Security Project. The ten most critical Web application security vulnerabilities (2004) (visit on 2005/10/05), http://umn.dl.sourceforge.net/sourceforge/owasp/OWASPTopTen2004.pdf
Lin, J.-C., Chen, J.-M.: An Automatic Revised Tool for Anti-malicious Injection. In: Proceedings of The Sixth IEEE International Conference on Computer and Information Technology (CIT 2006), IEEE, Los Alamitos (2006)
Scott, D., Sharp, R.: Abstracting Application-Level Web Security. In: The 11th International Conference on the World Wide Web (Honolulu, Hawaii, May 2002), pp. 396–407 (2002)
Huang, Y.W., Huang, S.K., Lin, T.P., Tsai, C.H.: Securing Web application code by static analysis and runtime protection. In: Proceedings of the 13th International World Wide Web Conference, New York (May 17-22, 2004)
Huang, Y.W., Yu, F., Hang, C., Tsai, C.H., Lee, D.T., Kuo, S.Y.: Verifying Web applications using bounded model checking. In: Proceedings of the 2004 International Conference Dependable Systems and Networks (DSN 2004), Florence, Italy (June 28-July 1, 2004)
Huang, Y.W., Huang, S.K., Lin, T.P., Tsai, C.H.: Web Application Security Assessment by Fault Injection and Behavior Monitoring. In: Proc. 12th Int’l. World Wide Web Conference, pp.148–159, Budapest, Hungary (2003)
OWASP. WebScarab Project (visit on 2005/10/08), http://www.owasp.org/webscarab/
SPI Dynamics. Web Application Security Assessment. SPI Dynamics Whitepaper (2003)
KaVaDo. Application-Layer Security: InterDo 3.0. KaVaDo Whitepaper (2003), Available from http://www.kavado.com/
Sanctum Inc. AppShield. white paper (March 2003), Available from http://www.sanctuminc.com/
Dharmapurikar, S., Krishnamurthy, P., Sproull, T., Lockwood, J.: Deep Packet Inspection Using Parallel Bloom Filters. In: Proc. 11th Symp. High Performance Interconnects (HOTI 2003), Stanford, California, pp. 44–51 (2003)
SPI Labs, Hybrid Analysis- An Approach to Testing Web Application Security (visit on 2006/3/05), Available from: http://www.spidynamics.com/assets/documents/hybrid_analysis.pdf
Chen, D.-J., Hwang, C.-C., Huang, S.-K., Chen, D.T.: A Testing Framework for Web Application Security Assessment. Journal of Computer Networks 48(5), 739–761 (2005)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lin, JC., Chen, JM., Wong, HK. (2007). An Automatic Meta-revised Mechanism for Anti-malicious Injection. In: Enokido, T., Barolli, L., Takizawa, M. (eds) Network-Based Information Systems. NBiS 2007. Lecture Notes in Computer Science, vol 4658. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74573-0_11
Download citation
DOI: https://doi.org/10.1007/978-3-540-74573-0_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74572-3
Online ISBN: 978-3-540-74573-0
eBook Packages: Computer ScienceComputer Science (R0)