
An empirical analysis of input validation mechanisms in web applications and languages

Scholte, Theodoor; Balzarotti, Davide; Robertson, William; Kirda, Engin

SAC 2012, 27th ACM Symposium On Applied Computing, Security Track, March 26-30, 2012, Trento, Italy

Web applications have become an integral part of the daily lives of millions of users. Unfortunately, web applications are also frequently targeted by attackers, and attacks such as XSS and SQL injection are still common. In this paper, we present an empirical study of more than 7000 input validation vulnerabilities with the aim of gaining deeper insights into how these common web vulnerabilities can be prevented. In particular, we focus on the relationship between the specific programming language used to develop web applications and the vulnerabilities that are commonly reported. Our findings suggest that most SQL injection and a significant number of XSS vulnerabilities can be prevented using straightforward validation mechanisms based on common data types. We elaborate on these common data types, and discuss how support could be provided in web application frameworks.


Title: An empirical analysis of input validation mechanisms in web applications and languages
Keywords: Input validation, web application, programming language, security
Type: Conference
Language: English
City: Trento
Country: Italy
Date:
Department: Digital Security
Eurecom ref: 3550
Copyright: © ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in SAC 2012, 27th ACM Symposium On Applied Computing, Security Track, March 26-30, 2012, Trento, Italy http://dx.doi.org/10.1145/2245276.2232004
Bibtex:
@inproceedings{EURECOM+3550,
  doi = {http://dx.doi.org/10.1145/2245276.2232004},
  year = {2012},
  title = {{A}n empirical analysis of input validation mechanisms in web applications and languages},
  author = {{S}cholte, {T}heodoor and {B}alzarotti, {D}avide and {R}obertson, {W}illiam and {K}irda, {E}ngin},
  booktitle = {{SAC} 2012, 27th {ACM} {S}ymposium {O}n {A}pplied {C}omputing, {S}ecurity {T}rack, {M}arch 26-30, 2012, {T}rento, {I}taly},
  address = {{T}rento, {ITALIE}},
  month = {03},
  url = {http://www.eurecom.fr/publication/3550}
}