A Security Framework for Input Validation

Input manipulation attacks are becoming one of the most common attacks against the security of Web applications and Web services. Because firewalls and other network-level security mechanisms are not effective against application-level attacks, new means of defense are needed. This paper presents a framework proposal to solve this problem by securing applications against input manipulation attacks. The proposed mechanism offers a reusable approach through the use of XML files and an XML Schema for specifying security parameters. Furthermore, a case study and experimental results are presented. The experiment demonstrates how common input manipulation flaws can be observed.
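As an added illustration of the approach the abstract describes (an XML file declaring the validation constraints of each request parameter, enforced at the application level), the following example is written for this page and is not the paper's framework; the element and attribute names and the constructed rule file are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed validation specification in the spirit of the paper's XML-based
# security parameter description. Element and attribute names are an
# assumption of this example, not the schema the paper defines.
RULES_XML = """
<validation>
  <parameter name="user_id" type="integer" required="true" max_length="10"/>
  <parameter name="email" type="string" required="true" max_length="64"
             pattern="^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"/>
  <parameter name="comment" type="string" required="false" max_length="200"/>
</validation>
"""

def load_rules(xml_text):
    """Parse the XML specification into a dict keyed by parameter name."""
    rules = {}
    for p in ET.fromstring(xml_text).findall("parameter"):
        rules[p.get("name")] = {
            "type": p.get("type", "string"),
            "required": p.get("required", "false") == "true",
            "max_length": int(p.get("max_length", "0")) or None,
            "pattern": p.get("pattern"),
        }
    return rules

def validate(params, rules):
    """Return a list of violations; an empty list means the input is acceptable.
    Parameters not declared in the XML are rejected (whitelist approach), and
    each declared parameter is checked for presence, length, type and pattern."""
    violations = []
    for name in params:
        if name not in rules:
            violations.append(f"{name}: unexpected parameter")
    for name, rule in rules.items():
        if name not in params:
            if rule["required"]:
                violations.append(f"{name}: missing required parameter")
            continue
        value = params[name]
        if rule["max_length"] and len(value) > rule["max_length"]:
            violations.append(f"{name}: exceeds max length {rule['max_length']}")
        if rule["type"] == "integer" and not re.fullmatch(r"-?\d+", value):
            violations.append(f"{name}: not an integer")
        if rule["pattern"] and not re.fullmatch(rule["pattern"], value):
            violations.append(f"{name}: does not match pattern")
    return violations

RULES = load_rules(RULES_XML)
```

Because the rules live in a separate XML file rather than in application code, the same validator can be reused across applications by swapping the specification.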
