Research on Web Application Security

This is my list of research in web application security. It is
incomplete and ever-growing. Send me mail if you think
something should be added here.

Web Application Security Research

| Paper | Authors | Language/platform | Links |
|---|---|---|---|
| Finding Security Vulnerabilities in Java Applications with Static Analysis, USENIX Security 2005. | Benjamin Livshits and Monica S. Lam | Java Virtual Machine | |
| Finding Application Errors and Security Flaws Using PQL: a Program Query Language, OOPSLA 2005. | Michael Martin, Benjamin Livshits, and Monica S. Lam | Java Virtual Machine | |
| WebSSARI — Web application Security via Static Analysis and Runtime Inspection | Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo | PHP | WWW ‘04 paper |
| AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, ASE 2005. | W. Halfond and A. Orso | Java Virtual Machine | |
| The Essence of Command Injection Attacks in Web Applications, POPL 2006. | Zhendong Su and Gary Wassermann | Language agnostic, but evaluated with JSP and PHP. | |
| Static analysis of role-based access control in J2EE applications, TAVWEB 2004 | Gleb Naumovich and Paolina Centonze | Java Virtual Machine | |
| Automatically Hardening Web Applications using Precise Tainting. | Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Green, Jeffrey Shirley, David Evans. | PHP | |
| How safe is it out there? | Moran Surf and Amichai Shulman. | Study of web app security | |
| OWASP Top Ten Vulnerabilities in Web Applications | Open Web Application Security Project | | |
| Java String Analyzer | Aske Simon Christensen, Anders Møller and Michael I. Schwartzbach | | SAS’03 paper |
| Static Detection of Security Vulnerabilities in Scripting Languages | Yichen Xie and Alex Aiken | PHP | |
| A Learning-Based Approach to the Detection of SQL Attacks | F. Valeur, D. Mutz, and G. Vigna. | Language-agnostic — works at DB level. | In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005. |
| Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks | W. Robertson, G. Vigna, C. Kruegel, R. Kemmerer. | Language-agnostic — works at DB level. | In the Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS) |
| Defending against Injection Attacks through Context-Sensitive String Evaluation | Tadeusz Pietraszek, Chris Vanden Berghe | At the VM level (PHP and JVM) | Project webpage |
| Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. | James Newsome and Dawn Song. | x86 ISA | In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS ’05), February 2005. |
| Taint Propagation for Java, ACSAC 2005. | Vivek Haldar, Deepak Chandra and Michael Franz | Java Virtual Machine | Slides of talk |

Comments:

  1. Vivek’s Soapbox » Says:

    […] Added a couple of new papers to the list of web application security research. Thanks to Benjamin Livshits for pointing out the paper by Yichen Xie and Alex Aiken. Filed under: Security — Vivek @ 11:19 am December 27, 2005 […]

  2. Ofer Shezaf Says:

    Additional great research on web application security is done by Giovanni Vigna: http://www.cs.ucsb.edu/~vigna/publications.html

  3. Llaicky o webu a jiných exotinách » Blog Archive » Security - sources Says:

    […] Vivek’s Soapbox […]

  4. Vivek’s Soapbox » Blog Archive » Various solutions to web application security Says:

    […] Various solutions to web application security Was doodling around on my Tablet, and drew a map of the space of solutions for web application security. (Also, see my list of research papers on the topic). […]

  5. Vivek’s Soapbox » Blog Archive » Talk on web application security Says:

    […] I’m going to give a talk about web application security in a seminar class held by my advisor Prof. Michael Franz later this afternoon. This blog post is supposed to be the accompanying “see here for more” link for the talk. Here are a few resources and pointers to go look at if you want to dive deeper into some of the topics I’m going to talk about. The OWASP page is a great resource for web app security in general. It’s the home of the top ten web vulnerabilities, as well as WebGoat and WebScarab. I maintain a list of research papers on the topic of web application security, with a strong tilt towards beating command injection attacks. There’s also a related doodle of the various proposed solutions. This area has gotten a lot of attention from CS researchers lately. Here at UCIrvine, we’ve done some work on hardening the JVM against attacks on web applications. I presented a paper on this at the last ACSAC. Here’s the paper (Taint Propagation for Java - PDF), and here are the slides for that talk (PDF). Finally, here are the slides of the talk. (PDF) […]