Abstracting application-level web security

Application-level web security refers to vulnerabilities inherent in the code of a web-application itself (irrespective of the technologies in which it is implemented or the security of the web-server/back-end database on which it is built). In the last few months application-level vulnerabilities have been exploited with serious consequences: hackers have tricked e-commerce sites into shipping goods for no charge, user-names and passwords have been harvested and condential information (such as addresses and credit-card numbers) has been leaked.In this paper we investigate new tools and techniques which address the problem of application-level web security. We (i) describe a scalable structuring mechanism facilitating the abstraction of security policies from large web-applications developed in heterogenous multi-platform environments; (ii) present a tool which assists programmers develop secure applications which are resilient to a wide range of common attacks; and (iii) report results and experience arising from our implementation of these techniques.

[1]  Damien Doligez,et al.  The Objective Caml system release 2.04 , 2002 .

[2]  D. Box,et al.  Simple Object Access Protocol (SOAP) 1.1, W3C Note , 2000 .

[3]  Paul Lomax,et al.  VBScript in a nutshell - a desktop quick reference: covers VBScript 5.6 (2. ed.) , 1995 .

[4]  Chuck Musciano Bill Kennedy HTML & XHTML: The Definitive Guide , 2000 .

[5]  Robin Milner,et al.  Definition of standard ML , 1990 .

[6]  Paul Syverson,et al.  A Taxonomy of Replay Attacks , 1994 .

[7]  Claus Brabrand,et al.  PowerForms: Declarative client-side form field validation , 2004, World Wide Web.

[8]  Ernesto Damiani,et al.  Fine grained access control for SOAP E-services , 2001, WWW '01.

[9]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[10]  D. Box,et al.  Simple object access protocol (SOAP) 1.1 , 2000 .

[11]  Xavier Leroy The objective caml system release 3 , 2001 .

[12]  Markus G. Kuhn,et al.  Real World Patterns of Failure in Anonymity Systems , 2001, Information Hiding.

[13]  David Flanagan,et al.  JavaScript (2nd ed.): the definitive guide , 1997 .

[14]  Claus Brabrand,et al.  The < bigwig > Project , 2022 .

[15]  Bernard P. Zajac Applied cryptography: Protocols, algorithms, and source code in C , 1994 .

[16]  David Flanagan,et al.  JavaScript: The Definitive Guide , 1996 .

[17]  Bruce Schneier,et al.  Applied cryptography : protocols, algorithms, and source codein C , 1996 .

[18]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[19]  Robin Milner,et al.  A Theory of Type Polymorphism in Programming , 1978, J. Comput. Syst. Sci..

[20]  David B. MacQueen,et al.  The Definition of Standard ML (Revised) , 1997 .