The web has become a backbone of our industry and daily life. Millions of users use web applications on a daily basis to obtain information, perform transactions, have fun, socialize, and communicate. The growing popularity of web applications and services and the increasing number of critical transactions being performed, has raised security concerns. For this reason, much effort has been spent over the past decade to make web applications more secure. A number of organizations have emphasized the importance of improving the security education and creating security awareness. The security research community has worked on a number of tools and techniques to improve the security of web applications. Despite these efforts, recent data from SANS institute estimates that up to 60% of Internet attacks target web applications and critical vulnerabilities such as cross-site scripting and SQL injection are still very common.
In this thesis, we conduct two empirical studies on a large number of web applications vulnerabilities with the aim of gaining deeper insights in how input validation flaws have evolved in the past decade and how these common vulnerabilities can be prevented. We build a comprehensive dataset of 10.000 input validation vulnerabilities disclosed since the year 2000. Based on this data, we analyze if developers are more aware of web security problems today than they used to be in the past and we analyze the relationship between programming language used to develop a web application and the vulnerabilities being reported. Our results suggest that the complexity of the attacks have not changed significantly and that many web problems are still simple in nature. Our studies also show that most SQL injection and a significant number of cross-site scripting vulnerabilities can be prevented using straight-forward validation mechanisms based on common data types.
With these empirical results as foundation, we present IPAAS which helps developers that are unaware of security issues to write more secure web applications than they otherwise would do. It includes a novel technique for preventing the exploitation of cross-site scripting and SQL injection vulnerabilities based on automated data type detection of input parameters. We show that this technique results in significant and tangible security improvements for real web applications.
