DOI: 10.1145/1180337.1180344
Article

Bridging the gap between web application firewalls and web applications

Published: 03 November 2006

Abstract

Web applications are the Achilles' heel of our current ICT infrastructure. NIST's National Vulnerability Database clearly shows that the percentage of vulnerabilities located in the application layer increases steadily. Web Application Firewalls (WAFs) play an important role in preventing exploitation of vulnerabilities in web applications. However, WAFs are very pragmatic and ad hoc, and it is very hard to state precisely what security guarantees they offer.

The main contribution of this paper is that it shows how, through a combination of static and dynamic verification, WAFs can formally guarantee the absence of certain kinds of erroneous behaviour in web applications. We have done a prototype implementation of our approach building on an existing static verification tool for Java, and we have applied our approach to a medium-sized J2EE-based web application.



Published In

FMSE '06: Proceedings of the fourth ACM workshop on Formal methods in security
November 2006
84 pages
ISBN:1595935509
DOI:10.1145/1180337
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. run-time enforcement
  2. shared data repository
  3. static verification
  4. web application firewall

Conference

CCS06
Article Metrics

  • Downloads (last 12 months): 35
  • Downloads (last 6 weeks): 5
Reflects downloads up to 20 Nov 2024

Cited By

  • (2023) Leaving the Business Security Burden to LiSEA: A Low-Intervention Security Embedding Architecture for Business APIs. Applied Sciences 13(21), 11784. DOI: 10.3390/app132111784. Online publication date: 27-Oct-2023.
  • (2023) Artificial Intelligence Web Application Firewall for advanced detection of web injection attacks. Expert Systems. DOI: 10.1111/exsy.13505. Online publication date: 27-Nov-2023.
  • (2023) HALE-IoT: Hardening Legacy Internet of Things Devices by Retrofitting Defensive Firmware Modifications and Implants. IEEE Internet of Things Journal 10(10), 8371-8394. DOI: 10.1109/JIOT.2022.3224649. Online publication date: 15-May-2023.
  • (2023) An empirical assessment of ensemble methods and traditional machine learning techniques for web-based attack detection in industry 5.0. Journal of King Saud University - Computer and Information Sciences 35(3), 103-119. DOI: 10.1016/j.jksuci.2023.02.009. Online publication date: Mar-2023.
  • (2022) FileUploadChecker: Detecting and Sanitizing Malicious File Uploads in Web Applications at the Request Level. Proceedings of the 17th International Conference on Availability, Reliability and Security, 1-10. DOI: 10.1145/3538969.3538999. Online publication date: 23-Aug-2022.
  • (2021) Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems. ICT Systems Security and Privacy Protection, 332-347. DOI: 10.1007/978-3-030-78120-0_22. Online publication date: 2021.
  • (2021) Design Challenges and Assessment of Modern Web Applications Intrusion Detection and Prevention Systems (IDPS). Innovations in Smart Cities Applications Volume 4, 1087-1104. DOI: 10.1007/978-3-030-66840-2_83. Online publication date: 13-Feb-2021.
  • (2020) The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 1953-1970. DOI: 10.1145/3372297.3417869. Online publication date: 30-Oct-2020.
  • (2020) Data Leakage Prevention and Detection Techniques Using Internet Protocol Address. Intelligent Computing and Communication, 665-671. DOI: 10.1007/978-981-15-1084-7_64. Online publication date: 18-Feb-2020.
  • (2019) Detecting web attacks with end-to-end deep learning. Journal of Internet Services and Applications 10(1). DOI: 10.1186/s13174-019-0115-x. Online publication date: 27-Aug-2019.
