Non-detrimental Web application security scanning

The World Wide Web has become a sophisticated platform capable of delivering a broad range of applications. However, its rapid growth has resulted in numerous security problems that current technologies cannot address. Researchers from both academia and the private sector are devoting considerable resources to the development of Web application security scanners (i.e., automated software testing platforms for Web application security auditing), with some success. However, little is known about their potential side effects: an auditing process can induce permanent changes in an application's state. Because of this risk, we have so far avoided large-scale empirical evaluations of our Web Application Vulnerability and Error Scanner (WAVES). Here we introduce a testing methodology that allows for harmless auditing, define three testing modes (heavy, relaxed, and safe), and report results from two experiments. In the first, we compared the coverage and side effects of the three scanning modes on 5 real-world Web applications chosen from the 38 found vulnerable in a previous static verification effort. In the second, we used the relaxed mode to conduct a 48-hour test of 1120 randomly selected Web sites, of which 55 were found to be vulnerable.
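The abstract names the hazard (a scanner that submits every form it finds can permanently change the target's state) and the remedy (scanning modes of decreasing aggressiveness), but this page does not say how WAVES decides which forms each mode may submit. The following added example is not the paper's code and does not reproduce WAVES' actual rules; it assumes one plausible policy: heavy mode submits everything, relaxed mode skips forms whose method or wording indicates a permanent state change, and safe mode submits only indicator-free GET forms. The keyword list, the `Mode`, `Form`, `FormExtractor` and `should_submit` names, and the sample page are all constructed for illustration.

```python
"""Mode-gated form submission policy for a web application security scanner.

Added example; the mode semantics and the keyword heuristic below are assumptions,
not the rules used by the WAVES scanner described in the paper.
"""
import re
from dataclasses import dataclass, field
from enum import Enum
from html.parser import HTMLParser


class Mode(Enum):
    HEAVY = "heavy"      # submit every form, accepting possible state changes
    RELAXED = "relaxed"  # skip forms that look like they change persistent state
    SAFE = "safe"        # only GET forms with no state-changing indicators


# Words whose presence in a form's action, field names or visible text suggest
# a non-idempotent operation. Constructed list; tune per target.
STATE_CHANGING_WORDS = (
    "delete", "remove", "purchase", "buy", "pay", "transfer", "unsubscribe",
    "post", "send", "checkout", "register", "order",
)


@dataclass
class Form:
    action: str
    method: str
    fields: list = field(default_factory=list)  # input names seen in the form
    text: str = ""                              # visible text (labels, buttons)


class FormExtractor(HTMLParser):
    """Collects <form> elements with their method, action, inputs and text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = Form(action=a.get("action", ""),
                                 method=(a.get("method") or "get").lower())
        elif self._current is not None and tag == "input":
            if a.get("name"):
                self._current.fields.append(a["name"])
            if (a.get("type") or "").lower() == "submit" and a.get("value"):
                self._current.text += " " + a["value"]

    def handle_data(self, data):
        if self._current is not None:
            self._current.text += " " + data

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def state_changing_indicators(form):
    """Return the sorted keywords found in the form's action, fields and text."""
    haystack = " ".join([form.action, " ".join(form.fields), form.text]).lower()
    return sorted(w for w in STATE_CHANGING_WORDS
                  if re.search(rf"\b{re.escape(w)}\b", haystack))


def should_submit(form, mode):
    """Decide whether the scanner may submit test payloads to this form."""
    words = state_changing_indicators(form)
    if mode is Mode.HEAVY:
        return True, "heavy mode submits every form"
    if form.method == "get" and not words:
        return True, "GET form with no state-changing indicators"
    if mode is Mode.SAFE:
        return False, "safe mode submits only indicator-free GET forms"
    if words:
        return False, "relaxed mode skips forms mentioning: " + ", ".join(words)
    return True, "relaxed mode submits POST forms without indicators"


def plan_scan(html, mode):
    """Map each form action on the page to the submit/skip decision for a mode."""
    parser = FormExtractor()
    parser.feed(html)
    parser.close()
    return {f.action: should_submit(f, mode)[0] for f in parser.forms}


# Constructed sample page: a search form, a login form, a comment form and an
# account-deletion form. The last two would permanently alter application state.
SAMPLE_PAGE = """
<form action="/search" method="get"><input name="q"><input type="submit" value="Search"></form>
<form action="/login" method="post"><input name="username"><input name="password" type="password"><button>Log in</button></form>
<form action="/comments" method="post"><textarea name="body"></textarea><button>Post comment</button></form>
<form action="/account/delete" method="post"><input name="confirm" type="hidden" value="1"><button>Delete my account</button></form>
"""

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, plan_scan(SAMPLE_PAGE, mode))
```

Running the block shows heavy mode submitting all four forms, relaxed mode holding back the comment and deletion forms, and safe mode touching only the search form. A keyword heuristic like this is a coarse substitute for knowing the application's semantics; the paper's experiments on real applications are exactly what would reveal which forms slip through such a filter.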
