Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7035)

Abstract

Web applications have become important services in our daily lives. Millions of users use web applications to obtain information, perform financial transactions, have fun, socialize, and communicate. Unfortunately, web applications are also frequently targeted by attackers. Recent data from the SANS Institute estimates that up to 60% of Internet attacks target web applications.

In this paper, we perform an empirical analysis of a large number of web vulnerability reports with the aim of understanding how input validation flaws have evolved in the last decade. In particular, we are interested in finding out whether developers are more aware of web security problems today than they were in the past. Our results suggest that the complexity of the attacks has not changed significantly and that many web problems are still simple in nature. Hence, despite awareness programs provided by organizations such as MITRE, the SANS Institute and OWASP, application developers seem to be either unaware of these classes of vulnerabilities or unable to implement effective countermeasures. Therefore, we believe that there is a growing need for languages and application platforms that attack the root of the problem and secure applications by design.

Editor information

George Danezis

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Scholte, T., Balzarotti, D., Kirda, E. (2012). Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications. In: Danezis, G. (eds) Financial Cryptography and Data Security. FC 2011. Lecture Notes in Computer Science, vol 7035. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27576-0_24

  • DOI: https://doi.org/10.1007/978-3-642-27576-0_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27575-3

  • Online ISBN: 978-3-642-27576-0