
A survey on server-side approaches to securing web applications

Published: 01 March 2014

Abstract

Web applications are one of the most prevalent platforms for information and service delivery over the Internet today. As they are increasingly used for critical services, web applications have become a popular and valuable target for security attacks. Although a large body of techniques has been developed to fortify web applications and mitigate attacks launched against them, little effort has been devoted to drawing connections among these techniques and building the big picture of web application security research.
This article surveys the area of securing web applications from the server side, with the aim of systematizing the existing techniques into a big picture that promotes future research. We first present the unique aspects of web application development that cause inherent challenges in building secure web applications. We then discuss three commonly seen classes of security vulnerability within web applications: input validation vulnerabilities, session management vulnerabilities, and application logic vulnerabilities, along with the attacks that exploit them. We organize the existing techniques along two dimensions: (1) the security vulnerabilities and attacks that they address, and (2) their design objective and the phase of a web application's life cycle during which they can be applied. These phases are secure construction of new web applications, security analysis/testing of legacy web applications, and runtime protection of legacy web applications. Finally, we summarize the lessons learned and discuss future research opportunities in this area.


Cited By

  • (2025) Beyond the Upload Button: A 10-Year Retrospective on Security Issues Within File Upload. IEEE Communications Magazine 63(2), 104-110. DOI: 10.1109/MCOM.001.2400253. Published Feb 2025.
  • (2025) Fuzzing frameworks for server-side web applications: a survey. International Journal of Information Security 24(2). DOI: 10.1007/s10207-024-00979-w. Published 5 Feb 2025.
  • (2024) Streamline Intelligent Crowd Monitoring with IoT Cloud Computing Middleware. Sensors 24(11), article 3643. DOI: 10.3390/s24113643. Published 4 Jun 2024.


      Published In

      ACM Computing Surveys, Volume 46, Issue 4
      April 2014, 463 pages
      ISSN: 0360-0300
      EISSN: 1557-7341
      DOI: 10.1145/2597757

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Publication History

      Published: 01 March 2014
      Accepted: 01 October 2013
      Revised: 01 June 2013
      Received: 01 March 2012
      Published in CSUR Volume 46, Issue 4


      Author Tags

      1. Web application security
      2. application logic vulnerability
      3. input validation vulnerability
      4. session management vulnerability

      Qualifiers

      • Research-article
      • Research
      • Refereed
