Ecole d'ingénieur et centre de recherche en Sciences du numérique

Have things changed now? An empirical study on input validation vulnerabilities in web applications

Scholte, Theodoor; Balzarotti, Davide; Kirda, Engin

"Computers and Security", 2012, ISSN: 0167-4048

In this paper, we perform an empirical analysis of a large number of web vulnerability reports with the aim of understanding how input validation flaws have evolved in the last decade. In particular, we are interested in finding out if developers are more aware of web security problems today than they used to be in the past. Our results suggest that the complexity of the attacks have not changed significantly and that many web problems are still simple in nature. Hence, despite awareness programs provided by organizations such as MITRE, SANS Institute and OWASP, application developers seem to be either not aware of these classes of vulnerabilities, or unable to implement effective countermeasures. Therefore, we believe that there is a growing need for languages and application platforms that attack the root of the problem and secure applications by design.

Document Doi Bibtex

Titre:Have things changed now? An empirical study on input validation vulnerabilities in web applications
Mots Clés:Security; Software engineering; Web security; Vulnerability study; Input validation ; Web application
Type:Journal
Langue:English
Ville:
Date:
Département:Sécurité numérique
Eurecom ref:3611
Copyright: © Elsevier. Personal use of this material is permitted. The definitive version of this paper was published in "Computers and Security", 2012, ISSN: 0167-4048 and is available at : http://dx.doi.org/10.1016/j.cose.2011.12.013
Bibtex: @article{EURECOM+3611, doi = {http://dx.doi.org/10.1016/j.cose.2011.12.013}, year = {2011}, month = {12}, title = {{H}ave things changed now? {A}n empirical study on input validation vulnerabilities in web applications }, author = {{S}cholte, {T}heodoor and {B}alzarotti, {D}avide and {K}irda, {E}ngin}, journal = {"{C}omputers and {S}ecurity", 2012, {ISSN}: 0167-4048}, url = {http://www.eurecom.fr/publication/3611} }
Voir aussi: