An empirical analysis of input validation mechanisms in web applications and languages

Scholte, Theodoor; Balzarotti, Davide; Robertson, William; Kirda, Engin
SAC 2012, 27th ACM Symposium On Applied Computing, Security Track, March 26-30, 2012, Trento, Italy

Web applications have become an integral part of the daily lives of millions of users. Unfortunately, web applications are also frequently targeted by attackers, and attacks such as XSS and SQL injection are still common. In this paper, we present an empirical study of more than 7000 input validation vulnerabilities with the aim of gaining deeper insights into how these common web vulnerabilities can be prevented. In particular, we focus on the relationship between the specific programming language used to develop web applications and the vulnerabilities that are commonly reported. Our findings suggest that most SQL injection and a significant number of XSS vulnerabilities can be prevented using straightforward validation mechanisms based on common data types. We elaborate on these common data types, and discuss how support could be provided in web application frameworks.
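The kind of data-type-based validation the abstract refers to can be illustrated with a small declarative validator. This is an added example, not code from the paper or its authors; the schema format, the type names (int, bool, word, enum) and the sample query strings are assumptions chosen for illustration, not the paper's taxonomy.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical type rules: a bounded integer and a short identifier-like word.
INT_RE = re.compile(r"-?\d{1,10}")
WORD_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
BOOL_VALUES = {"true": True, "1": True, "false": False, "0": False}


def validate_param(value, ptype, choices=None):
    """Return the value converted to its declared type, or None if it does not fit."""
    if ptype == "int":
        return int(value) if INT_RE.fullmatch(value) else None
    if ptype == "bool":
        return BOOL_VALUES.get(value.lower())
    if ptype == "word":
        return value if WORD_RE.fullmatch(value) else None
    if ptype == "enum":
        return value if value in choices else None
    raise ValueError(f"unknown parameter type {ptype!r}")


def validate_query(query_string, schema):
    """Check every parameter of a query string against a schema.

    Returns (clean_params, rejected_names). Parameters that are not declared
    in the schema, or whose value does not match the declared type, are
    rejected rather than passed on to the application.
    """
    clean, rejected = {}, []
    for name, raw in parse_qsl(query_string, keep_blank_values=True):
        spec = schema.get(name)
        if spec is None:
            rejected.append(name)
            continue
        ptype, choices = spec if isinstance(spec, tuple) else (spec, None)
        converted = validate_param(raw, ptype, choices)
        if converted is None:          # `is None`: a bool False is a valid value
            rejected.append(name)
        else:
            clean[name] = converted
    return clean, rejected


# Constructed schema for a hypothetical listing endpoint.
SCHEMA = {"id": "int", "active": "bool", "sort": ("enum", {"asc", "desc"}), "tag": "word"}
```

A value such as `1 OR 1=1` for `id` fails the integer rule before it can reach a query, and a non-word value for `tag` fails before it can be reflected into a page; free-text fields that cannot be typed this way still need context-aware output encoding.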


DOI
Type: Conference
City: Trento
Date: 2012-03-26
Department: Digital Security
Eurecom Ref: 3550
Copyright: © ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in SAC 2012, 27th ACM Symposium On Applied Computing, Security Track, March 26-30, 2012, Trento, Italy, http://dx.doi.org/10.1145/2245276.2232004

Permalink: https://www.eurecom.fr/publication/3550