Title: Web application security
Language: English
Authors: Jovanovic, Nenad 
Qualification level: Doctoral
Keywords: Security; Web applications; Static analysis
Advisor: Krügel, Christopher
Issue Date: 2007
Number of Pages: 115
Over the last few years, the web has evolved into an integral part of our daily lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting security vulnerabilities in web applications. This thesis presents novel approaches aimed at the detection of such vulnerabilities, and at the protection of clients against web-based attacks.
Vulnerability Detection.
The most prominent types of web application vulnerabilities (such as SQL Injection and Cross-Site Scripting) belong to the general class of Taint-Style Vulnerabilities. In this thesis, we describe novel techniques for detecting these types of vulnerabilities by statically analyzing the source code of potentially vulnerable applications. More precisely, our techniques are based on flow-sensitive, interprocedural and context-sensitive data flow analysis to discover vulnerable points in a program. In this context, we present algorithms for the solution of problems unique to the analysis of web applications.
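As an added illustration of the taint-style analysis the abstract describes (this is example code written for this page, not the thesis's own analyzer), the following toy Python checker tracks untrusted data from a source (such as a request parameter) to a sink (a SQL query or HTML output). It is flow-sensitive (a later assignment overwrites a variable's taint), interprocedural (user-defined functions are analyzed) and context-sensitive (each call site is analyzed with its own argument taint, so a helper reached with clean data at one site does not produce a false positive there). The statement and expression encoding, the sink kinds "sql" and "html", and the sample program are all constructed assumptions for the example; the design choice worth noting is that taint is a set of sink kinds, so escaping for SQL does not clear the value for HTML output.

```python
# Toy taint-style vulnerability detector (illustrative; not the thesis's tool).
# Programs are encoded as tuples that stand in for PHP statements (constructed).
#
# Expressions:
#   ("const", text)              literal, untainted
#   ("source", label)            untrusted input, dangerous for every sink kind
#   ("var", name)                variable read
#   ("concat", e1, e2)           tainted if either operand is
#   ("sanitize", kind, e)        escaping that neutralizes one sink kind only
#   ("call", fname, [args])      call to a user-defined function
# Statements:
#   ("assign", name, expr)
#   ("sink", kind, expr)         e.g. a query function ("sql") or echo ("html")
#   ("return", expr)
from typing import Dict, FrozenSet, List, Tuple

ALL_SINKS: FrozenSet[str] = frozenset({"sql", "html"})
Program = Dict[str, Tuple[List[str], List[tuple]]]  # fname -> (params, body)


def eval_taint(expr, env, program, findings, ctx) -> FrozenSet[str]:
    """Return the set of sink kinds for which this expression is still dangerous."""
    kind = expr[0]
    if kind == "const":
        return frozenset()
    if kind == "source":
        return ALL_SINKS
    if kind == "var":
        return env.get(expr[1], frozenset())
    if kind == "concat":
        return (eval_taint(expr[1], env, program, findings, ctx)
                | eval_taint(expr[2], env, program, findings, ctx))
    if kind == "sanitize":
        # A SQL escaper clears "sql" but leaves "html" dangerous, and vice versa.
        return eval_taint(expr[2], env, program, findings, ctx) - {expr[1]}
    if kind == "call":
        # Context-sensitive: re-analyze the callee with this call site's taint.
        # Assumes non-recursive programs (no cycle detection in this toy).
        fname, args = expr[1], expr[2]
        params, body = program[fname]
        callee_env = {p: eval_taint(a, env, program, findings, ctx)
                      for p, a in zip(params, args)}
        return analyze_body(fname, body, callee_env, program, findings, ctx + [fname])
    raise ValueError(f"unknown expression kind {kind!r}")


def analyze_body(fname, body, env, program, findings, ctx) -> FrozenSet[str]:
    """Walk statements in order; return the taint of the function's return value."""
    ret = frozenset()
    for stmt in body:
        op = stmt[0]
        if op == "assign":
            # Flow-sensitive: subsequent reads see the new taint, not an old one.
            env[stmt[1]] = eval_taint(stmt[2], env, program, findings, ctx)
        elif op == "sink":
            if stmt[1] in eval_taint(stmt[2], env, program, findings, ctx):
                findings.append((stmt[1], fname, "/".join(ctx)))
        elif op == "return":
            ret = eval_taint(stmt[1], env, program, findings, ctx)
        else:
            raise ValueError(f"unknown statement {op!r}")
    return ret


def find_vulnerabilities(program: Program) -> List[Tuple[str, str, str]]:
    """Return (sink kind, function, call path) for every tainted sink reached from main."""
    findings: List[Tuple[str, str, str]] = []
    analyze_body("main", program["main"][1], {}, program, findings, ["main"])
    return findings


# Constructed sample program: one SQL-escaped and one raw query, a shared helper
# that issues the query, an XSS via the SQL-escaped value, and a reassignment.
SAMPLE_PROGRAM: Program = {
    "main": ([], [
        ("assign", "id", ("source", "$_GET['id']")),
        ("assign", "safe_id", ("sanitize", "sql", ("var", "id"))),
        ("assign", "q1", ("concat", ("const", "SELECT * FROM users WHERE id="), ("var", "safe_id"))),
        ("assign", "q2", ("concat", ("const", "SELECT * FROM users WHERE id="), ("var", "id"))),
        ("assign", "r", ("call", "run_query", [("var", "q1")])),  # clean call site
        ("assign", "r", ("call", "run_query", [("var", "q2")])),  # tainted call site
        ("sink", "html", ("var", "safe_id")),  # SQL-escaped only: still an XSS sink
        ("assign", "id", ("const", "0")),      # overwritten: id is clean from here on
        ("sink", "html", ("var", "id")),
    ]),
    "run_query": (["q"], [
        ("sink", "sql", ("var", "q")),
        ("return", ("const", "rows")),
    ]),
}

if __name__ == "__main__":
    for kind, fn, path in find_vulnerabilities(SAMPLE_PROGRAM):
        print(f"{kind} injection at sink in {fn} (via {path})")
```

Running the sample reports exactly two findings: the SQL sink inside `run_query` on the second (raw) call path, and the HTML sink in `main` that receives the SQL-escaped but not HTML-escaped value. The first `run_query` call and the final `echo` after reassignment are correctly left unreported, which is what the flow- and context-sensitivity buy over a simpler "any variable ever touched by input is tainted" rule.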
Client Protection.
Apart from proactively detecting and fixing vulnerabilities at the server side, it is also beneficial to employ real-time methods for protecting web application users against attacks. In particular, Cross-Site Request Forgery is a dangerous type of attack that is capable of bypassing the authentication mechanism of vulnerable applications. Existing approaches to mitigating this threat are incomplete, time-consuming, and error-prone. We present a proxy-based solution that provides a reliable and fully automatic user protection for existing web applications. Applying this solution is straightforward, and does not interfere with the regular behavior of the protected web application.
The proposed techniques have been implemented and evaluated on real-world examples, demonstrating their feasibility, effectiveness, and usefulness.
Our prototype implementations have been released under an open-source license, and are available for download on our web site.
URI: https://resolver.obvsg.at/urn:nbn:at:at-ubtuw:1-16505
Library ID: AC05035162
Organisation: E183 - Institut für Rechnergestützte Automation (Automatisierungssysteme. Mustererkennung) 
Publication Type: Thesis
Appears in Collections: Thesis

Files in this item: Web application security.pdf (810.51 kB, Adobe PDF)