Specifying and Enforcing Application-Level Web Security Policies
July/August 2003 (vol. 15 no. 4)
pp. 771-783

Abstract—Application-level Web security refers to vulnerabilities inherent in the code of a Web-application itself (irrespective of the technologies in which it is implemented or the security of the Web-server/back-end database on which it is built). In the last few months, application-level vulnerabilities have been exploited with serious consequences: Hackers have tricked e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested, and confidential information (such as addresses and credit-card numbers) has been leaked. In this paper, we investigate new tools and techniques which address the problem of application-level Web security. We 1) describe a scalable structuring mechanism facilitating the abstraction of security policies from large Web-applications developed in heterogeneous multiplatform environments; 2) present a set of tools which assist programmers in developing secure applications which are resilient to a wide range of common attacks; and 3) report results and experience arising from our implementation of these techniques.

Index Terms:
Application-level Web security, security policy description languages, component-based design.
Citation:
David Scott, Richard Sharp, "Specifying and Enforcing Application-Level Web Security Policies," IEEE Transactions on Knowledge and Data Engineering, vol. 15, no. 4, pp. 771-783, July-Aug. 2003, doi:10.1109/TKDE.2003.1208998