Web application protection techniques: A taxonomy

The growing popularity of web applications makes them an attractive target for malicious users. The large amounts of private data commonly processed and stored by web applications are a valuable asset for attackers, resulting in increasingly sophisticated web-oriented attacks. Consequently, many web application protections have been proposed. Such protections range from narrow, vector-specific solutions that prevent only certain attacks, to generic development practices aimed at building secure software from the ground up. However, given the diversity of the proposed protection methods, choosing one to protect an existing or a planned application becomes a problem in its own right.

This paper surveys web application protection techniques, aiming to systematise the existing approaches into a holistic big picture. First, a general background is presented to highlight the issues specific to web applications. Then, a novel classification of the protections is provided. A variety of existing protections is overviewed and systematised next, followed by a discussion of current issues and limitations inherent to the existing protection methods. Finally, the overall picture is summarised and potentially beneficial future research lines are discussed.
