Defending Against Web Application Attacks: Approaches, Challenges and Implications

Mitropoulos Dimitris; Louridas Panos; Polychronakis Michalis; Keromytis Angelos Dennis

首页> 外文期刊>IEEE transactions on dependable and secure computing >Defending Against Web Application Attacks: Approaches, Challenges and Implications

【24h】

Defending Against Web Application Attacks: Approaches, Challenges and Implications

机译：防止Web应用程序攻击：方法，挑战和含义

获取原文

获取原文并翻译 | 示例

掌桥外文数据库（机构版） >>

开具论文收录证明 >>

文献代查 >>

页面导航

摘要
著录项
相似文献
相关主题

摘要

Some of the most dangerous web attacks, such as Cross-Site Scripting and SQL injection, exploit vulnerabilities in web applications that may accept and process data of uncertain origin without proper validation or filtering, allowing the injection and execution of dynamic or domain-specific language code. These attacks have been constantly topping the lists of various security bulletin providers despite the numerous countermeasures that have been proposed over the past 15 years. In this paper, we provide an analysis on various defense mechanisms against web code injection attacks. We propose a model that highlights the key weaknesses enabling these attacks, and that provides a common perspective for studying the available defenses. We then categorize and analyze a set of 41 previously proposed defenses based on their accuracy, performance, deployment, security, and availability characteristics. Detection accuracy is of particular importance, as our findings show that many defense mechanisms have been tested in a poor manner. In addition, we observe that some mechanisms can be bypassed by attackers with knowledge of how the mechanisms work. Finally, we discuss the results of our analysis, with emphasis on factors that may hinder the widespread adoption of defenses in practice.

机译：一些最危险的Web攻击，例如跨站点脚本和SQL注入，在Web应用程序中利用漏洞，可以接受和处理不确定原点的数据而无需正确验证或过滤，允许注入和执行动态或特定于域语言代码。尽管过去15年来提出了许多对策，但这些攻击一直在不断调整各种安全公告提供商的列表。在本文中，我们对Web代码注入攻击的各种防御机制提供了分析。我们提出了一种模型，突出了能够实现这些攻击的关键弱点，并为研究可用防御提供了共同的视角。然后，我们根据他们的准确性，性能，部署，安全性和可用性特征进行分析和分析一组41个先前提出的防御。检测准确性特别重要，因为我们的研究结果表明，许多防御机制已经以较差的方式进行了测试。此外，我们观察到，攻击者可以通过了解机制如何工作的攻击者来绕过一些机制。最后，我们讨论了我们分析的结果，重点是可能阻碍在实践中普遍采用防御的因素。

著录项

来源
《IEEE transactions on dependable and secure computing》 |2019年第2期|188-203|共16页
作者
Mitropoulos Dimitris; Louridas Panos; Polychronakis Michalis; Keromytis Angelos Dennis;
展开▼
作者单位

Columbia Univ Dept Comp Sci New York NY 10027 USA;

Athens Univ Econ & Business Dept Management Sci & Technol Athina 10434 Greece;

SUNY Stony Brook Comp Sci Dept Stony Brook NY 11794 USA;

Columbia Univ Dept Comp Sci New York NY 10027 USA;

展开▼
收录信息
原文格式 PDF
正文语种 eng
中图分类
关键词
Web application security; protection mechanisms; exploitation models; software testing; SQL injection; XSS;

机译：Web应用程序安全;保护机制;剥削模型;软件测试;SQL注射;XSS;

相似文献

外文文献
中文文献
专利

1. Defending Against Web Application Attacks: Approaches, Challenges and Implications [J] . Mitropoulos Dimitris, Louridas Panos, Polychronakis Michalis, IEEE transactions on dependable and secure computing . 2019,第2期

机译：防御Web应用程序攻击：方法，挑战和启示
2. DDoS Attacks at the Application Layer: Challenges and Research Perspectives for Safeguarding Web Applications [J] . Praseed Amit, Thilagam P. Santhi Communications Surveys & Tutorials, IEEE . 2019,第1期

机译：应用程序层的DDoS攻击：维护Web应用程序的挑战和研究前景
3. Securing web applications from injection and logic vulnerabilities: Approaches and challenges [J] . Deepa G., Thilagam P. Santhi Information and software technology . 2016,第juna期

机译：保护Web应用程序免受注入和逻辑漏洞的危害：方法和挑战
4. Application of a Defender-Attacker-Defender Model to the U.S. Air Transportation Network [C] . Karl H. Thompson, Huy T. Tran IEEE International Symposium on Technologies for Homeland Security . 2018

机译：Defender-Attacker-Defender模型在美国航空运输网络中的应用
5. A unified cyber-enhanced approach for detecting cross-site scripting attacks on Web applications [D] . Gurijala, Bhanukiran 2016

机译：一种用于检测Web应用程序上跨站点脚本攻击的统一的网络增强方法
6. A Smart Sensor for Defending against Clock Glitching Attacks on the I2C Protocol in Robotic Applications [O] . Raúl Jiménez-Naharro, Fernando Gómez-Bravo, Jonathan Medina-García, 2017

机译：用于防御机器人应用中I2C协议的时钟毛刺攻击的智能传感器
7. The optimal employment and defense of a deep seaweb acoustic network for submarine communications at speed and depth using a defender-attacker-defender model [O] . Hendricksen Andrew D. 2013

机译：使用防御者-攻击者-防御者模型以深度和速度进行海底通信的深海网声网的最佳使用和防御

Defending Against Web Application Attacks: Approaches, Challenges and Implications

摘要

著录项

相似文献

相关主题

期刊订阅