Intercepting Filter Approach to Injection Flaws

  • Salem, Ahmed (Department of Computer Science, California State University, Sacramento (CSUS))
  • Received: 2010.11.02
  • Reviewed: 2010.11.22
  • Published: 2010.12.31

Abstract

The growing number of web applications in the global economy has made it critically important to develop secure and reliable software to support the economy's increasing dependence on web-based systems. We propose an intercepting filter approach to mitigate the risk of injection flaw exploitation, one of the most dangerous methods of attacking web applications. The proposed approach can be implemented in Java or .NET environments following the intercepting filter design pattern: a filter placed in front of the application's servlets or pages inspects each incoming request and rejects or sanitizes it before application code runs. This paper provides examples to illustrate the proposed approach.
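The sketch below is an added example of the intercepting filter pattern applied to injection flaws in a Java servlet container; it is not code from the paper, and its indicator patterns, class name and error handling are illustrative choices, not the paper's rule set. It shows the two halves of the pattern: a `javax.servlet.Filter` that sits in front of every servlet and JSP, and a small classifier that decides whether a request parameter carries SQL or HTML/script injection indicators.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Intercepting filter (added example, not the paper's code): inspects every request
 * parameter before the target servlet or JSP runs and rejects the request with
 * HTTP 400 when a parameter contains an injection indicator.
 */
public class InjectionInterceptingFilter implements Filter {

    // Constructed indicator patterns (assumption: the paper's own rules are not reproduced).
    private static final List<Pattern> SQL_INDICATORS = Arrays.asList(
        Pattern.compile("(?i)'\\s*(or|and)\\s+[\\w']+\\s*=\\s*[\\w']+"),        // ' or 1=1, ' or 'a'='a
        Pattern.compile("(?i)\\b(union\\s+(all\\s+)?select|drop\\s+table|exec(ute)?\\s+xp_)\\b"),
        Pattern.compile("--|;\\s*$|/\\*.*?\\*/")                                 // comment / statement terminator tricks
    );
    private static final List<Pattern> HTML_INDICATORS = Arrays.asList(
        Pattern.compile("(?i)<\\s*/?\\s*(script|iframe|object|embed|img)\\b"),   // tag injection
        Pattern.compile("(?i)\\bjavascript\\s*:"),                               // javascript: URLs
        Pattern.compile("(?i)\\bon[a-z]+\\s*=")                                  // onerror=, onload=, ...
    );

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Map<String, String[]> params = req.getParameterMap();   // query string + form body, already decoded
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String value : e.getValue()) {
                String kind = classify(value);
                if (kind != null) {
                    // Stop here: the servlet never sees the request. Report the parameter
                    // name only; echoing the payload back would itself be reflected XSS.
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                            "Rejected parameter '" + e.getKey() + "' (" + kind + " injection indicator)");
                    return;
                }
            }
        }
        chain.doFilter(req, res);   // clean request: continue down the filter chain to the target
    }

    /** Returns "sql", "html", or null. Package-private so it can be unit-tested without a container. */
    static String classify(String value) {
        if (value == null) return null;
        for (Pattern p : SQL_INDICATORS)  if (p.matcher(value).find()) return "sql";
        for (Pattern p : HTML_INDICATORS) if (p.matcher(value).find()) return "html";
        return null;
    }
}
```

Register it in `web.xml` with a `<filter>` element naming the class and a `<filter-mapping>` whose `<url-pattern>` is `/*`, so the container invokes it ahead of every servlet and JSP; `classify("' OR 1=1 --")` returns `"sql"`, `classify("<script>alert(1)</script>")` returns `"html"`, and `classify("Smith")` returns `null`. Two caveats apply to any filter of this kind. First, it only sees what `getParameterMap()` exposes; headers, cookies and raw request bodies need their own inspection if the application reads them. Second, pattern matching is coarse (it will flag a search term such as `onion = 1` and miss encodings it does not normalize), so the filter mitigates exposure rather than eliminating it, and parameterized queries and output encoding remain the primary controls.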

참고문헌

  1. OWASP.org, the OWASP Top Ten is a list of vulnerabilities that require immediate remediation, http://www.owasp.org/documentation/topten/introduction.html
  2. SPI Dynamics Inc, SQL Injection White Paper, SPI Dynamics Inc., 2002.
  3. Advisees Consulting Group, Writing Secure Web Applications, Advisees Consulting Group, 2004.
  4. $CERT{\circledR}$ Coordination Center, $CERT{\circledR}$ Advisory CA-2000-02, Malicious HTML Tags Embedded in Client Web Requests, CERT Coordination Center, Carnegie Mellon University, Pittsburgh PA 15213-3890, USA, 2000.
  5. Duffy, Kevin, et al., Professional JSP Site Design, Wrox Press, 2001.
  6. Anderson, Richard, et al., Professional ASP.NET 1.0, Wrox Press, 2002.
  7. $CERT{\circledR}$ Coordination Center, Understanding Malicious Content Mitigation for Web Developers, CERT Coordination Center, Carnegie Mellon University, Pittsburgh PA 15213-3890, USA, 2000.
  8. Ollmann, Gunter, Understanding the cause and effect of CSS (XSS) Vulnerabilities, http://www.technicalinfo.net/papers/CSS.html
  9. W. Halfond and A. Orso, Combining Static Analysis and Runtime Monitoring to Counter SQLInjection Attacks, Proceedings of the Third International ICSE Workshop on Dynamic Analysis, WODA 2005.
  10. W. Halfond and A. Orso, AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks, Proceedings of the IEEE and ACM International Conference on Automated Software Engineering, ASE 2005.
  11. Rabek, Jesse C., et al, Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code, Defense Advanced Project Agency (DARPA), Copyright Association for Computing Machinery, ACM, 2003.
  12. Huang, Yao-Wen, et al, Securing Web Application Code by Static Analysis and Runtime Protection, New York, New York, USA, 2004.
  13. Jerry Lee Ford, Jr and William R. Stanek, Increase Your Web Traffic, fourth edition, Thomson Course Technology, 2006.
  14. Joel Scramby, Mike Shema and Caled Sima, Hacking Web Applications Exposed, second edition, The McGraw-Hill Companies, 2006, pp.238.
  15. Stuart McClure, Joel Scramby and George Kurtz, Hacking Exposed, Network Security Secrets & Solutions, fifth edition, The McGraw-Hill Companies, 2005, pp.581-582.
  16. Hackademix website-http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/