Web Application Security—Past, Present, and Future

Web application security remains a major roadblock to universal acceptance of the Web for many kinds of online transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities has been attributed to Web application bugs. In software engineering, software testing is an established and well-researched process for improving software quality. Recently, formal verification tools have also shown success in discovering vulnerabilities in C programs. In this chapter we discuss how to apply software testing and verification algorithms to Web applications in order to improve their security attributes. Two of the most common Web application vulnerabilities known to date are script injection (e.g., SQL injection) and cross-site scripting (XSS). We formalize these vulnerabilities as problems of information flow security, a conventional topic in security research. Using this formalization, we then present two tools, WAVES (Web Application Vulnerability and Error Scanner) and Web-SSARI (Web Application Security via Static Analysis and Runtime Inspection), which respectively use software testing and verification to deal with script injection and XSS in particular and with Web application security problems in general. Finally, we present results obtained by applying these tools to real-world Web applications in use today, and offer some suggestions about future research directions in this area.
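The abstract's central move is to treat script injection and XSS as information-flow problems: data from an untrusted source (a request parameter) must not reach a sensitive sink (a SQL query, an HTML response) without passing through a sanitizer that is valid for that sink, and where a static pass cannot prove this, a runtime check is inserted. The following Python is an added illustration of that idea, not code from the chapter, from WAVES, or from Web-SSARI. The intermediate representation, the per-sink taint labels and the sample program are constructed for this example; real PHP analysis would, among other things, need branch joins, function calls and aliasing that this toy omits.

```python
"""Toy information-flow checker in the static-analysis-plus-runtime-inspection
spirit described above (constructed example, not the chapter's own tooling).

Model: a variable carries the set of sink kinds for which it is still UNSAFE.
Raw user input is unsafe for every sink; a sanitizer removes exactly one kind
(HTML escaping does not make a string safe for SQL, and vice versa); a sink
is safe only if its argument is not unsafe for that sink's kind.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Sink kinds in the toy model: "sql" covers script injection, "html" covers XSS.
SINK_KINDS = frozenset({"sql", "html"})

# Constructed statement forms (a PHP-like IR, one tuple per statement):
#   ("source",   var, name)        $var = $_GET[name]            -> unsafe for all sinks
#   ("literal",  var, text)        $var = "text"                 -> safe everywhere
#   ("concat",   var, [v1, v2..])  $var = $v1 . $v2 ...          -> union of inputs' taint
#   ("sanitize", var, kind, src)   $var = escape_<kind>($src)    -> removes <kind> only
#   ("sink",     kind, var)        mysql_query($var) / echo $var -> $var must be safe for kind
Stmt = Tuple


@dataclass(frozen=True)
class Finding:
    index: int   # index of the offending sink statement
    kind: str    # "sql" (script injection) or "html" (XSS)
    var: str     # variable whose tainted value reaches the sink


def analyze(program: List[Stmt]) -> List[Finding]:
    """Forward taint propagation over straight-line code.

    Unknown variables are treated as fully tainted, so the analysis errs on
    the side of reporting rather than missing a flow.
    """
    env: Dict[str, FrozenSet[str]] = {}
    findings: List[Finding] = []
    for i, st in enumerate(program):
        op = st[0]
        if op == "source":
            env[st[1]] = SINK_KINDS
        elif op == "literal":
            env[st[1]] = frozenset()
        elif op == "concat":
            env[st[1]] = frozenset().union(*(env.get(v, SINK_KINDS) for v in st[2]))
        elif op == "sanitize":
            _, var, kind, src = st
            env[var] = env.get(src, SINK_KINDS) - {kind}
        elif op == "sink":
            _, kind, var = st
            if kind in env.get(var, SINK_KINDS):
                findings.append(Finding(i, kind, var))
        else:
            raise ValueError(f"unknown statement {st!r}")
    return findings


def harden(program: List[Stmt]) -> List[Stmt]:
    """Runtime-inspection step: in front of every sink the static pass rejects,
    insert a sanitizer of the matching kind and route the sink through it."""
    rejected = {f.index: f for f in analyze(program)}
    out: List[Stmt] = []
    for i, st in enumerate(program):
        if i in rejected:
            f = rejected[i]
            guarded = f"{f.var}__{f.kind}_safe"          # constructed temp name
            out.append(("sanitize", guarded, f.kind, f.var))
            out.append(("sink", f.kind, guarded))
        else:
            out.append(st)
    return out


# Constructed sample: one parameter, HTML-escaped once, then used in a query
# (wrong sanitizer for that sink), echoed escaped (fine) and echoed raw (XSS).
SAMPLE: List[Stmt] = [
    ("source", "name", "name"),                         # $name = $_GET['name'];
    ("literal", "prefix", "SELECT * FROM users WHERE name='"),
    ("sanitize", "name_html", "html", "name"),          # $name_html = htmlspecialchars($name);
    ("concat", "query", ["prefix", "name_html"]),       # still unsafe for SQL
    ("sink", "sql", "query"),                           # mysql_query($query);  -> finding
    ("sink", "html", "name_html"),                      # echo $name_html;      -> clean
    ("sink", "html", "name"),                           # echo $name;           -> finding
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"statement {f.index}: tainted {f.var!r} reaches a {f.kind} sink")
    print("findings after hardening:", analyze(harden(SAMPLE)))
```

Running the script reports the SQL sink at statement 4 and the HTML sink at statement 6, and reports nothing for the hardened program. The point worth noticing is statement 4: the value was sanitized, but for the wrong sink kind, which is exactly the class of mistake a per-sink lattice catches and a single boolean "tainted" flag would not.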
