Bypass Testing of Web Applications

Date added: 12/05/2007

Web software applications are increasingly being deployed in sensitive situations. Web applications are used to transmit, accept and store data that is personal, company confidential and sensitive. Input validation testing (IVT) checks user inputs to ensure that they conform to the program's requirements, which is particularly important for software that relies on user inputs, including Web applications. A common technique in Web applications is to perform input validation on the client with scripting languages such as JavaScript. An insidious problem with client-side input validation is that end users can bypass this validation. Bypassing validation can reveal faults in the software, and can also break the security on Web applications, leading to unauthorized access to data, system failures, invalid purchases and entry of bogus data. We are developing a strategy called bypass testing to create IVT tests. This paper describes the strategy, defines specific rules and adequacy criteria for tests, describes a proof-of-concept automated tool, and presents initial empirical results from applying bypass testing.
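The security point of the abstract is that a client-side check is a suggestion, not a control: anyone who can send an HTTP request can submit whatever the JavaScript would have refused. The following is an added example, not the paper's tool or rule set. It models a constructed checkout form whose client-side constraints (maxlength, pattern, select options, a hidden price field) are written down as data, generates bypass requests that violate each constraint in turn, and runs them against a handler that trusts the browser and one that re-validates on the server. The field names, values and the three violation kinds (value, parameter, hidden-field) are assumptions of this illustration.

```python
"""Bypass testing of client-side form validation (added example).

The form below is constructed: each Field records what the page's own
JavaScript would enforce in the browser. A bypass test skips the browser
and submits the parameters directly, so only the server's own checks count.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Field:
    name: str
    sample: str                                # a value the client would accept
    maxlength: Optional[int] = None            # <input maxlength=...>
    pattern: Optional[str] = None              # regex the client script checks
    choices: Optional[Tuple[str, ...]] = None  # <select> / radio options
    hidden: bool = False                       # <input type="hidden"> fixed by the page
    required: bool = True


# Constructed checkout form (hypothetical; not from the paper).
CHECKOUT_FORM = [
    Field("qty", "1", maxlength=2, pattern=r"[1-9][0-9]?"),
    Field("ship", "standard", choices=("standard", "express")),
    Field("coupon", "", maxlength=8, pattern=r"[A-Z0-9]*", required=False),
    Field("price", "19.99", hidden=True),
]

Request = Dict[str, str]


def generate_bypass_tests(form: List[Field]) -> List[Tuple[str, Request]]:
    """Build requests that the client-side validation would never let through.
    Each test breaks exactly one client-side rule (value, parameter or
    hidden-field assumption) relative to an otherwise valid request."""
    base = {f.name: f.sample for f in form}
    tests: List[Tuple[str, Request]] = []
    for f in form:
        if f.maxlength is not None:
            tests.append((f"{f.name}:too-long", {**base, f.name: "A" * (f.maxlength + 1)}))
        if f.pattern is not None:
            tests.append((f"{f.name}:bad-pattern", {**base, f.name: "' OR 1=1 --"}))
        if f.choices is not None:
            tests.append((f"{f.name}:not-a-choice", {**base, f.name: "free"}))
        if f.hidden:
            tests.append((f"{f.name}:tampered-hidden", {**base, f.name: "0.01"}))
        if f.required:
            tests.append((f"{f.name}:missing", {k: v for k, v in base.items() if k != f.name}))
    tests.append(("extra-parameter", {**base, "admin": "1"}))
    return tests


def server_validate(form: List[Field], params: Request) -> List[str]:
    """Server-side re-validation of the same rules; returns reasons, empty if OK."""
    errors: List[str] = []
    for name in sorted(set(params) - {f.name for f in form}):
        errors.append(f"unexpected parameter {name!r}")
    for f in form:
        if f.name not in params:
            if f.required:
                errors.append(f"{f.name}: missing")
            continue
        v = params[f.name]
        if f.maxlength is not None and len(v) > f.maxlength:
            errors.append(f"{f.name}: longer than {f.maxlength}")
        if f.pattern is not None and not re.fullmatch(f.pattern, v):
            errors.append(f"{f.name}: does not match {f.pattern}")
        if f.choices is not None and v not in f.choices:
            errors.append(f"{f.name}: not one of {f.choices}")
        if f.hidden and v != f.sample:
            errors.append(f"{f.name}: hidden field tampered with")
    return errors


def trusting_handler(params: Request) -> bool:
    """A handler that assumes the browser already validated everything."""
    return True


def validating_handler(params: Request) -> bool:
    """A handler that enforces the form's rules itself."""
    return not server_validate(CHECKOUT_FORM, params)


def run_bypass_tests(handler: Callable[[Request], bool]) -> List[str]:
    """Return the names of the bypass tests the handler wrongly accepted."""
    return [name for name, req in generate_bypass_tests(CHECKOUT_FORM) if handler(req)]
```

The trusting handler accepts all ten bypass requests, including the tampered hidden price, which is the "invalid purchases" case the abstract mentions; the validating handler rejects every one and still accepts a normal order. Against a real site the same generated requests would be sent with an HTTP client rather than passed to a function.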

Automatically Hardening Web Applications Using Precise Tainting

Date added: 12/01/2007

Most web applications contain security vulnerabilities. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks as well as other less common vulnerabilities. In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Existing techniques either require effort from the site developer or are prone to false positives. This paper presents a fully automated approach to securely hardening web applications. It is based on precisely tracking taintedness of data and checking specifically for dangerous content only in parts of commands and output that came from untrustworthy sources. Unlike previous work in which everything that is derived from tainted input is tainted, our approach precisely tracks taintedness within data values.
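The distinction the abstract draws is between tainting a whole value and tainting the individual characters within it. The following is an added illustration of the character-level idea (my own code, not the paper's implementation): a string type that carries a per-character taint mask through concatenation and escaping, a SQL check that only objects to tainted characters that would change the structure of the command, and a simplified HTML check of the same shape. The exact rules are assumptions for this example; the paper's checks are not reproduced on this page.

```python
"""Precise (character-level) taint tracking, as an added illustration.

Each string carries a mask marking which characters came from an
untrusted source. Checks then look for structure-changing characters only
among the tainted ones, so identical text from trusted code is allowed.
"""
from typing import Iterable, List, Optional


class Tainted:
    def __init__(self, text: str, mask: Optional[Iterable[bool]] = None):
        self.text = text
        self.mask: List[bool] = list(mask) if mask is not None else [False] * len(text)
        if len(self.mask) != len(text):
            raise ValueError("mask length must equal text length")

    @classmethod
    def untrusted(cls, text: str) -> "Tainted":
        """Wrap data from a request parameter, cookie, header, etc."""
        return cls(text, [True] * len(text))

    def __add__(self, other) -> "Tainted":
        other = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(self.text + other.text, self.mask + other.mask)

    def __radd__(self, other) -> "Tainted":
        return Tainted(other) + self

    def escape_sql(self) -> "Tainted":
        """Double single quotes; the inserted quotes inherit the taint."""
        text, mask = [], []
        for ch, t in zip(self.text, self.mask):
            text.append("''" if ch == "'" else ch)
            mask.extend([t, t] if ch == "'" else [t])
        return Tainted("".join(text), mask)


def sql_injection_free(q: Tainted) -> bool:
    """Untrusted characters may only appear as the body of a string literal
    (with '' as an escaped quote) or as digits of a numeric literal. A tainted
    quote that opens or closes a literal, or tainted non-digit text outside
    one, would change the structure of the command."""
    in_string, i = False, 0
    while i < len(q.text):
        ch, tainted = q.text[i], q.mask[i]
        if in_string and ch == "'" and q.text[i + 1:i + 2] == "'":
            i += 2                       # escaped quote: data, not structure
            continue
        if ch == "'":
            if tainted:
                return False
            in_string = not in_string
        elif tainted and not in_string and not ch.isdigit():
            return False
        i += 1
    return True


def xss_free(out: Tainted) -> bool:
    """Untrusted characters may not start a tag, appear bare inside a tag,
    or close an attribute value. (Real output checking also needs to look at
    URL attributes and script contexts; this is the core rule only.)"""
    in_tag, quote = False, None
    for ch, tainted in zip(out.text, out.mask):
        if quote:                        # inside an attribute value
            if ch == quote:
                if tainted:
                    return False
                quote = None
        elif in_tag:                     # inside <...> but outside a value
            if tainted:
                return False
            if ch in "\"'":
                quote = ch
            elif ch == ">":
                in_tag = False
        elif ch == "<":
            if tainted:
                return False
            in_tag = True
    return True
```

The precision shows up in the last two cases of the checks: `WHERE id = 42 OR 1=1` is accepted when the whole command is trusted code and rejected when `42 OR 1=1` arrived from a request, and a developer's own `<script>` tag in a template passes while the same text from a parameter does not. Whole-value tainting cannot make that distinction, which is where its false positives come from.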

Testing Web Services by XML Perturbation

Date added: 12/01/2007

The eXtensible Markup Language (XML) is widely used to transmit data across the Internet. XML schemas are used to define the syntax of XML messages. XML-based applications can receive messages from arbitrary applications, as long as they follow the protocol defined by the schema. A receiving application must either validate XML messages, process the data in the XML message without validation, or modify the XML message to ensure that it conforms to the XML schema. A problem for developers is how well the application performs the validation, data processing, and, when necessary, transformation. This paper describes and gives examples of a method to generate tests for XML-based communication by modifying and then instantiating XML schemas. The modified schemas are based on precisely defined schema primitive perturbation operators.
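The method has two steps: perturb the schema, then instantiate a message from the perturbed schema, so each test is a message that is "almost" valid. The following is an added example of that procedure; it is not the paper's tool and its operators are my own illustration, not the paper's operator set. The schema is a constructed, hand-written stand-in for an XML Schema sequence (element name, type, minOccurs/maxOccurs, an enumeration and a pattern facet), and the receiving side is represented by a validator against the original schema, so the example also shows what the abstract's "validate XML messages" branch has to catch.

```python
"""Test generation by XML schema perturbation (added example).

ORDER_SCHEMA is a constructed stand-in for an XML Schema <sequence>; the
perturbation operators below are an illustration of the idea, not the
paper's operator set.
"""
import copy
import re
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Tuple

Schema = Dict[str, Any]

# Constructed schema: an <order> with a sequence of typed, bounded children.
ORDER_SCHEMA: Schema = {
    "root": "order",
    "elements": [
        {"name": "sku", "type": "string", "min": 1, "max": 1, "pattern": r"[A-Z]{3}-[0-9]{4}"},
        {"name": "qty", "type": "positiveInteger", "min": 1, "max": 1},
        {"name": "ship", "type": "string", "min": 0, "max": 1, "enum": ["standard", "express"]},
        {"name": "note", "type": "string", "min": 0, "max": 3},
    ],
}


def _with(schema: Schema, i: int, **changes: Any) -> Schema:
    """Copy the schema and rewrite one element declaration (None removes a facet)."""
    v = copy.deepcopy(schema)
    for key, val in changes.items():
        if val is None:
            v["elements"][i].pop(key, None)
        else:
            v["elements"][i][key] = val
    return v


def perturb(schema: Schema) -> List[Tuple[str, Schema]]:
    """Apply primitive perturbation operators to each element declaration.
    Each operator relaxes one constraint, so a message instantiated from the
    variant falls just outside what the original schema allows."""
    variants: List[Tuple[str, Schema]] = []
    for i, el in enumerate(schema["elements"]):
        n = el["name"]
        if el["min"] > 0:   # occurrence: required element absent
            variants.append((f"drop-{n}", _with(schema, i, min=0, max=0)))
        # occurrence: one more than maxOccurs
        variants.append((f"extra-{n}", _with(schema, i, max=el["max"] + 1)))
        if el["type"] != "string":   # type: widen to unconstrained text
            variants.append((f"retype-{n}", _with(schema, i, type="string")))
        if "enum" in el:   # enumeration: add a value outside the set
            variants.append((f"enum-{n}", _with(schema, i, enum=el["enum"] + ["free"])))
        if "pattern" in el:   # facet: drop the pattern restriction
            variants.append((f"unpattern-{n}", _with(schema, i, pattern=None)))
    return variants


def _sample(el: Dict[str, Any]) -> str:
    """Pick a value the (possibly perturbed) declaration allows."""
    if "enum" in el:
        return el["enum"][-1]          # last value: the added one after 'enum'
    if el["type"] == "positiveInteger":
        return "1"
    if "pattern" in el:
        return "ABC-1234"
    return "free text"


def instantiate(schema: Schema) -> str:
    """Build one XML message that uses each declaration to its maxOccurs."""
    root = ET.Element(schema["root"])
    for el in schema["elements"]:
        for _ in range(el["max"]):
            ET.SubElement(root, el["name"]).text = _sample(el)
    return ET.tostring(root, encoding="unicode")


def validate(xml_text: str, schema: Schema) -> List[str]:
    """Validate a message against a schema; an empty list means it conforms."""
    root = ET.fromstring(xml_text)
    errors: List[str] = []
    if root.tag != schema["root"]:
        errors.append(f"root is <{root.tag}>, expected <{schema['root']}>")
    children, pos = list(root), 0
    for el in schema["elements"]:   # children must follow the sequence order
        count = 0
        while pos < len(children) and children[pos].tag == el["name"]:
            value = children[pos].text or ""
            if el["type"] == "positiveInteger" and not re.fullmatch(r"[1-9][0-9]*", value):
                errors.append(f"{el['name']}: {value!r} is not a positiveInteger")
            if "pattern" in el and not re.fullmatch(el["pattern"], value):
                errors.append(f"{el['name']}: {value!r} violates pattern")
            if "enum" in el and value not in el["enum"]:
                errors.append(f"{el['name']}: {value!r} not in enumeration")
            count, pos = count + 1, pos + 1
        if count < el["min"]:
            errors.append(f"{el['name']}: occurs {count} < minOccurs {el['min']}")
        if count > el["max"]:
            errors.append(f"{el['name']}: occurs {count} > maxOccurs {el['max']}")
    if pos != len(children):
        errors.append(f"unexpected <{children[pos].tag}>")
    return errors


def perturbation_tests(schema: Schema) -> Dict[str, List[str]]:
    """Instantiate every perturbed schema and validate it against the original."""
    return {name: validate(instantiate(v), schema) for name, v in perturb(schema)}
```

Every perturbed message is rejected by the original-schema validator, which is the expected result; the interesting runs are against the real receiving application, where a message that is accepted (or that crashes the parser) points at validation the application skipped. When feeding such messages to a production parser, remember that `xml.etree` is not hardened against entity-expansion attacks in untrusted input; `defusedxml` is the usual replacement there.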

The Design and Evaluation of a Defense System for Internet Worms

Date added: 11/30/2007

Many areas of society have become heavily dependent on services such as transportation facilities, utilities and so on that are implemented in part by large numbers of computers and communications links. Both past incidents and research studies show that a well-engineered Internet worm can disable such systems in a fairly simple way and, most notably, in a matter of a few minutes. This indicates the need for defenses against worms, but their speed rules out the possibility of manually countering worm outbreaks. We present a platform that emulates the epidemic behavior of Internet active worms. For purposes of experimentation, the platform has been deployed on a cluster of computers to emulate worm outbreaks in very large networks. A wide variety of worm properties can be studied and network topologies of interest constructed. A reactive control system, based on the Willow architecture and the OOPS policy framework, operates on top of the platform and provides a monitor/analyze/respond approach to deal with infections automatically. The logic driving the control system is synthesized from a formal specification, which is based on control rules correlating sensor events. Details of our highly configurable platform, the theory of operation of the Willow architecture, the features of the specification language, and various experimental performance results are presented.
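The abstract's argument is that a worm outgrows a human response loop, so the response has to be automated and driven by rules over sensor events. The following is an added, deliberately small emulation of that loop; it is not the paper's platform, Willow or OOPS, and the model (a random-scanning worm over a flat address space, a dark-address sensor, two hand-written control rules, and quarantine as the only response) is an assumption of this example. It lets you compare an uncontrolled outbreak with one where the monitor/analyze/respond loop runs each time step.

```python
"""Emulating a scanning worm with a monitor/analyze/respond control loop.

Added example; a toy discrete-time epidemic model, not the paper's platform.
Live hosts occupy addresses 0..n_hosts-1 of a larger address space; probes
sent anywhere else are 'misses' that a dark-address sensor reports.
"""
import random
from typing import Callable, Dict, List, Optional

# A policy sees one step's sensor events (host -> misses) and names hosts to quarantine.
Policy = Callable[[Dict[int, int], int], List[int]]


def default_policy(events: Dict[int, int], step: int) -> List[int]:
    """Two control rules over the sensor events of a single time step."""
    quarantine: List[int] = []
    # R1 (per host): a host probing many dark addresses in one step is scanning.
    quarantine += [h for h, misses in events.items() if misses >= 4]
    # R2 (correlated): when several hosts trip the sensor in the same step an
    # outbreak is under way, so weaker evidence per host is enough.
    if len(events) >= 3:
        quarantine += [h for h, misses in events.items() if misses >= 2]
    return sorted(set(quarantine))


def emulate(n_hosts: int = 2000, n_addresses: int = 20000, scan_rate: int = 5,
            steps: int = 60, seed: int = 7, policy: Optional[Policy] = None) -> List[int]:
    """Run an outbreak and return the number of infected hosts after each step.

    Each infected, unquarantined host sends scan_rate probes per step to
    uniformly random addresses; a probe that lands on an unquarantined live
    host infects it. With a policy, the control loop runs at the end of every
    step: monitor (collect misses), analyze (apply rules), respond (quarantine).
    """
    rng = random.Random(seed)              # fixed seed: the run is reproducible
    infected = [False] * n_hosts
    quarantined = [False] * n_hosts
    infected[0] = True                     # patient zero
    history: List[int] = []
    for step in range(steps):
        events: Dict[int, int] = {}
        for h in range(n_hosts):
            if not infected[h] or quarantined[h]:
                continue
            for _ in range(scan_rate):
                target = rng.randrange(n_addresses)
                if target < n_hosts:
                    if not quarantined[target]:
                        infected[target] = True
                else:
                    events[h] = events.get(h, 0) + 1   # sensor event: dark-address probe
        if policy is not None:
            for h in policy(events, step):
                quarantined[h] = True      # respond: cut the host off the network
        history.append(sum(infected))
    return history


def compare(**kwargs) -> Dict[str, int]:
    """Final infected counts without and with the control loop (same seed)."""
    return {"uncontrolled": emulate(**kwargs)[-1],
            "controlled": emulate(policy=default_policy, **kwargs)[-1]}
```

With these parameters the uncontrolled run saturates the network well within the 60 steps, while the controlled run quarantines nearly every infected host after its first scanning step and the outbreak dies out in the low tens of hosts at most. The parameters worth varying are the ones the abstract says the platform exposes: scan rate, address-space density (`n_hosts` versus `n_addresses`) and the thresholds in the rules; a rule tuned too loosely quarantines healthy hosts that happen to probe dark space, which is the false-positive cost any automated response has to budget for.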

The 80/20 Rule for Web Application Security

Date added: 11/28/2007

After performing hundreds of web security assessments you're bound to encounter many frighteningly insecure websites. Websites so badly protected you could literally make off with the credit card numbers in a way reminiscent of the movie Gone in Sixty Seconds. On the other hand there are many websites frustratingly impervious to attack. What I'll describe below are the subtle variations between the security haves and have-nots. Using the age-old 80/20 rule, we'll look at a few techniques anyone can use to decrease the risk of their website being hacked. And to make it really easy you won't have to alter a single line of code! But before jumping too far ahead let's first discuss the 80/20 rule.