Defending Against Injection Attacks Through Context-Sensitive String Evaluation

Pietraszek, Tadeusz; Berghe, Chris Vanden

doi:10.1007/11663812_7

Cited by 198 publications

(179 citation statements)

References 5 publications

(5 reference statements)

Supporting

Mentioning

175

Contrasting

Order By: Relevance

“…The main means of attack Six out of the 12 gathered works [2,[11][12][13][14][15] involves classifying different types of WA injections.…”

Section: 2mentioning

confidence: 99%

“…All the studied works [2,[11][12][13][14][15] in one way or another discuss means of attack in terms of programming languages. This paper continues this tradition, using a categorization similar to that of [2].…”

Section: 2mentioning

confidence: 99%

“…Three out of 12 studied works discuss topics related to known and unknown WA injection vulnerabilities and exploits [11][12][13].…”

Section: Vulnerabilities and Exploitsmentioning

confidence: 99%

“…Pietraszek and Berghe [11] propose that the CVE (Common Vulnerabilities and Exposures) identification number should be included in the vulnerability information, if applicable. That is, the vulnerability can be known to the public at large.…”

Section: Vulnerabilities and Exploitsmentioning

confidence: 99%

“…The categorization used in this paper distinguish, as [11], between known and unknown vulnerabilities. A vulnerability known to the public at large is an easy target for an attacker as it often also has publicly known exploits, or at least ideas for how to conceive an exploit available.…”

Section: Vulnerabilities and Exploitsmentioning

confidence: 99%

See 4 more Smart Citations

A Metamodel for Web Application Injection Attacks and Countermeasures

Holm¹,

Ekstedt²

2012

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

Abstract. Web application injection attacks such as cross site scripting and SQL injection are common and problematic for enterprises. In order to defend against them, practitioners with large heterogeneous system architectures and limited resources struggle to understand the effectiveness of different countermeasures under various conditions. This paper presents an enterprise architecture metamodel that can be used by enterprise decision makers when deciding between different countermeasures for web application injection attacks. The scope of the model is to provide low-effort guidance on an abstraction level of use for an enterprise decision maker. This metamodel is based on a literature review and revised according to the judgment by six domain experts identified through peer-review.

show abstract

“…The main means of attack Six out of the 12 gathered works [2,[11][12][13][14][15] involves classifying different types of WA injections.…”

Section: 2mentioning

confidence: 99%

Section: 2mentioning

confidence: 99%

“…Three out of 12 studied works discuss topics related to known and unknown WA injection vulnerabilities and exploits [11][12][13].…”

Section: Vulnerabilities and Exploitsmentioning

confidence: 99%

Section: Vulnerabilities and Exploitsmentioning

confidence: 99%

Section: Vulnerabilities and Exploitsmentioning

confidence: 99%

See 3 more Smart Citations

A Metamodel for Web Application Injection Attacks and Countermeasures

Holm¹,

Ekstedt²

2012

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

show abstract

Improving penetration testing through static and dynamic analysis

Halfond

Choudhary

Orso

2011

Software Testing Verif & Rel

View full text Add to dashboard Cite

SUMMARYPenetration testing is widely used to help ensure the security of web applications. Using penetration testing, testers discover vulnerabilities by simulating attacks on a target web application. To do this efficiently, testers rely on automated techniques that gather input vector information about the target web application and analyze the application's responses to determine whether an attack was successful. Techniques for performing these steps are often incomplete, which can leave parts of the web application untested and vulnerabilities undiscovered. This paper proposes a new approach to penetration testing that addresses the limitations of current techniques. The approach incorporates two recently developed analysis techniques to improve input vector identification and detect when attacks have been successful against a web application. This paper compares the proposed approach against two popular penetration testing tools for a suite of web applications with known and unknown vulnerabilities. The evaluation results show that the proposed approach performs a more thorough penetration testing and leads to the discovery of more vulnerabilities than both the tools.

show abstract

Privacy Injector — Automated Privacy Enforcement Through Aspects

Berghe

Schunter

2006

Privacy Enhancing Technologies

View full text Add to dashboard Cite

Defending Against Injection Attacks Through Context-Sensitive String Evaluation

Cited by 198 publications

References 5 publications

A Metamodel for Web Application Injection Attacks and Countermeasures

A Metamodel for Web Application Injection Attacks and Countermeasures

Improving penetration testing through static and dynamic analysis

Privacy Injector — Automated Privacy Enforcement Through Aspects

Contact Info

Product

Resources

About