research-article

Defending Against Web Application Attacks: Approaches, Challenges and Implications

Authors:

Dimitris Mitropoulos,

Panos Louridas,

Michalis Polychronakis,

Angelos Dennis KeromytisAuthors Info & Claims

IEEE Transactions on Dependable and Secure Computing, Volume 16, Issue 2

Pages 188 - 203

https://doi.org/10.1109/TDSC.2017.2665620

Published: 01 March 2019 Publication History

Abstract

Some of the most dangerous web attacks, such as Cross-Site Scripting and sql injection, exploit vulnerabilities in web applications that may accept and process data of uncertain origin without proper validation or filtering, allowing the injection and execution of dynamic or domain-specific language code. These attacks have been constantly topping the lists of various security bulletin providers despite the numerous countermeasures that have been proposed over the past 15 years. In this paper, we provide an analysis on various defense mechanisms against web code injection attacks. We propose a model that highlights the key weaknesses enabling these attacks, and that provides a common perspective for studying the available defenses. We then categorize and analyze a set of 41 previously proposed defenses based on their accuracy, performance, deployment, security, and availability characteristics. Detection accuracy is of particular importance, as our findings show that many defense mechanisms have been tested in a poor manner. In addition, we observe that some mechanisms can be bypassed by attackers with knowledge of how the mechanisms work. Finally, we discuss the results of our analysis, with emphasis on factors that may hinder the widespread adoption of defenses in practice.

Cited By

View all

Aladi C(2024)Web Application Security: A Pragmatic ExposéDigital Threats: Research and Practice10.1145/36443945:2(1-9)Online publication date: 7-Feb-2024
https://dl.acm.org/doi/10.1145/3644394
Rus AEl-Hajj MSarmah D(2024)NAISSComputers and Security10.1016/j.cose.2024.103797140:COnline publication date: 1-May-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103797
Kumar ADutta SPranav P(2024)Analysis of SQL injection attacks in the cloud and in WEB applicationsSecurity and Privacy10.1002/spy2.3707:3Online publication date: 18-Apr-2024
Show More Cited By

Defending Against Web Application Attacks: Approaches, Challenges and Implications
1. Social and professional topics
  1. Computing / technology policy

Recommendations

Defending against flooding-based distributed denial-of-service attacks: a tutorial

Flooding-based distributed denial-of-service (DDoS) attack presents a very serious threat to the stability of the Internet. In a typical DDoS attack, a large number of compromised hosts are amassed to send useless packets to jam a victim, or its ...
Defending against Web Application Vulnerabilities

Although no single tool or technique can guard against the host of possible attacks, a defense-in-depth approach, with overlappingprotections, can help secure Web applications.
Seven Deadliest Web Application Attacks: Syngrass Seven Deadlest Attacks

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image IEEE Transactions on Dependable and Secure Computing

IEEE Transactions on Dependable and Secure Computing Volume 16, Issue 2

March 2019

185 pages

ISSN:1545-5971

Issue’s Table of Contents

Publisher

IEEE Computer Society Press

Washington, DC, United States

Publication History

Published: 01 March 2019

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 01 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Aladi C(2024)Web Application Security: A Pragmatic ExposéDigital Threats: Research and Practice10.1145/36443945:2(1-9)Online publication date: 7-Feb-2024
https://dl.acm.org/doi/10.1145/3644394
Rus AEl-Hajj MSarmah D(2024)NAISSComputers and Security10.1016/j.cose.2024.103797140:COnline publication date: 1-May-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103797
Kumar ADutta SPranav P(2024)Analysis of SQL injection attacks in the cloud and in WEB applicationsSecurity and Privacy10.1002/spy2.3707:3Online publication date: 18-Apr-2024
Chaliasos SMetaxopoulos GArgyros GMitropoulos D(2019)Mime Artist: Bypassing Whitelisting for the Web with JavaScript Mimicry AttacksComputer Security – ESORICS 201910.1007/978-3-030-29962-0_27(565-585)Online publication date: 23-Sep-2019
https://dl.acm.org/doi/10.1007/978-3-030-29962-0_27

View Options

View options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Recommendations

Defending against flooding-based distributed denial-of-service attacks: a tutorial

Defending against Web Application Vulnerabilities

Seven Deadliest Web Application Attacks: Syngrass Seven Deadlest Attacks

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations