Defending Against Web Application Attacks: Approaches, Challenges and Implications

Cited by: 22
Authors
Mitropoulos, Dimitris [1 ]
Louridas, Panos [2 ]
Polychronakis, Michalis [3 ]
Keromytis, Angelos Dennis [1 ]
Affiliations
[1] Columbia Univ, Dept Comp Sci, New York, NY 10027 USA
[2] Athens Univ Econ & Business, Dept Management Sci & Technol, Athina 10434, Greece
[3] SUNY Stony Brook, Comp Sci Dept, Stony Brook, NY 11794 USA
Funding
US National Science Foundation;
Keywords
Web application security; protection mechanisms; exploitation models; software testing; SQL injection; XSS; PREVENTION;
DOI
10.1109/TDSC.2017.2665620
Chinese Library Classification (CLC) number
TP3 [Computing technology, computer technology];
Subject classification code
0812 ;
Abstract
Some of the most dangerous web attacks, such as Cross-Site Scripting and SQL injection, exploit vulnerabilities in web applications that accept and process data of uncertain origin without proper validation or filtering, allowing the injection and execution of dynamic or domain-specific language code. These attacks have constantly topped the lists of various security bulletin providers despite the numerous countermeasures proposed over the past 15 years. In this paper, we provide an analysis of various defense mechanisms against web code injection attacks. We propose a model that highlights the key weaknesses enabling these attacks and that provides a common perspective for studying the available defenses. We then categorize and analyze a set of 41 previously proposed defenses based on their accuracy, performance, deployment, security, and availability characteristics. Detection accuracy is of particular importance, as our findings show that many defense mechanisms have been tested in a poor manner. In addition, we observe that some mechanisms can be bypassed by attackers with knowledge of how the mechanisms work. Finally, we discuss the results of our analysis, with emphasis on factors that may hinder the widespread adoption of defenses in practice.
Pages: 188 / 203
Page count: 16