Web application security assessment by fault injection and behavior monitoring

Yao Wen Huang, Shih-Kun Huang, Tsung Po Lin, Chung Hung Tsai

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

192 Scopus citations

Abstract

As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.

Original languageEnglish
Title of host publicationProceedings of the 12th International Conference on World Wide Web, WWW 2003
Pages148-159
Number of pages12
DOIs
StatePublished - 1 Dec 2003
Event12th International Conference on World Wide Web, WWW 2003 - Budapest, Hungary
Duration: 20 May 200324 May 2003

Publication series

NameProceedings of the 12th International Conference on World Wide Web, WWW 2003

Conference

Conference12th International Conference on World Wide Web, WWW 2003
CountryHungary
CityBudapest
Period20/05/0324/05/03

Keywords

  • black-box testing
  • complete crawling
  • fault injection
  • security assessment
  • web application testing

Fingerprint Dive into the research topics of 'Web application security assessment by fault injection and behavior monitoring'. Together they form a unique fingerprint.

Cite this