
Static Enforcement of Web Application Integrity Through Strong Typing

William K. Robertson, Giovanni Vigna
2009 USENIX Security Symposium  
In this work, we present a web application framework that leverages existing work on strong type systems to statically enforce a separation between the structure and content of both web documents and database  ...  and dynamic analyses of server-side web application code, and client-side security policy enforcement.  ...  We would also like to thank Adam Barth for providing feedback on an earlier version of this paper.  ... 
dblp:conf/uss/RobertsonV09 fatcat:plln545qcfcn5nrhovmrlgijqq

Secure Code Generation for Web Applications [chapter]

Martin Johns, Christian Beyerlein, Rosemaria Giesecke, Joachim Posegga
2010 Lecture Notes in Computer Science  
through static program analysis • [Volpano & Smith 96], formalizes Denning's approach through a type system • public is a subtype of secret • Biba model [Biba 77] • Dual model to Bell-LaPadula • Enforces  ...  EU 08 Detection of string-based code injection • Instruction set randomization for web applications Similarities within the bug pattern: • String-based foreign code assembly • [Unmediated interfaces to  ...  through static program analysis • [Volpano & Smith 96], formalizes Denning's approach through a type system • public is a subtype of secret • Compile time enforcement through type checking Formal  ... 
doi:10.1007/978-3-642-11747-3_8 fatcat:m6hc6ufwdfexxbbt4qni3jz6hi

Information Flow Control for Static Enforcement of User-Defined Privacy Policies

Soren Preibusch
2011 2011 IEEE International Symposium on Policies for Distributed Systems and Networks  
This paper reports on the first case-study of using IFC to enforce Web users' self-defined privacy constraints.  ...  Information flow control (IFC) is a technical approach to prevent the unintended leakage and manipulation of sensitive information, and could provide strong guarantees that deployed applications respect  ...  ACKNOWLEDGEMENT Alastair Beresford and Florian Kammüller have provided helpful comments on earlier versions of this work.  ... 
doi:10.1109/policy.2011.23 dblp:conf/policy/Preibusch11 fatcat:pis3n2lnv5eevo2gf7h6mr7o2m

Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

Mike Ter Louw, V.N. Venkatakrishnan
2009 2009 30th IEEE Symposium on Security and Privacy  
We implemented this approach in a tool called BLUEPRINT that was integrated with several popular web applications.  ...  In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest.  ...  Through extensive experimental analysis, we have learned that the return value of this script is a static property value type and thus is not useful as an XSS injection vector.  ... 
doi:10.1109/sp.2009.33 dblp:conf/sp/LouwV09 fatcat:rmng7p7i2bfolgsq3bd6iqlzkq

Survey on JavaScript security policies and their enforcement mechanisms in a web browser

Nataliia Bielova
2013 The Journal of Logic and Algebraic Programming  
The dynamism of web applications is provided by the use of web scripts, and in particular JavaScript, that accesses this information through a browser-provided set of APIs.  ...  We observe a rapid growth of web-based applications every day. These applications are executed in the web browser, where they interact with a variety of information belonging to the user.  ...  Originally web pages were simple HTML pages containing simple elements such as paragraphs, buttons, input boxes etc. With the evolution of the web, a new type of web application appeared: mashups.  ... 
doi:10.1016/j.jlap.2013.05.001 fatcat:5pntdqk5fnasnpmjvfgsgkk5za

A survey on server-side approaches to securing web applications

Xiaowei Li, Yuan Xue
2014 ACM Computing Surveys  
These phases are secure construction of new web applications, security analysis/testing of legacy web applications and runtime protection of legacy web applications.  ...  We first present the unique aspects of the web application development which cause inherent challenges in building secure web applications.  ...  DSI [Nadji et al. 2009] enforces the structure integrity of web documents through parser-level isolation of untrusted data in the browser based on a server-specified policy.  ... 
doi:10.1145/2541315 fatcat:bjbtc55l4rf2bhbwznyhbldbge

Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies

L. Desmet, P. Verbaeten, W. Joosen, F. Piessens
2008 IEEE Transactions on Software Engineering  
This paper shows how to guarantee the absence of runtime errors due to broken dependencies on session data in Web applications.  ...  Web applications are widely adopted and their correct functioning is mission critical for many businesses.  ...  Thus, WAFs are typically configured without a strong binding to the implementation of the Web application they protect and because of this, there is no strong guarantee that a configured WAF actually mitigates  ... 
doi:10.1109/tse.2007.70742 fatcat:dkw3scuvqjhajh3xvs7tj44uou

Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis

Theodoor Scholte, William Robertson, Davide Balzarotti, Engin Kirda
2012 2012 IEEE 36th Annual Computer Software and Applications Conference  
Web applications have become an integral part of the daily lives of millions of users.  ...  In this paper, we present IPAAS, a novel technique for preventing the exploitation of XSS and SQL injection vulnerabilities based on automated data type detection of input parameters.  ...  This work has also been supported by the French National Research Agency through the CESSA and VAMPIRE projects. We would also like to thank Secure Business Austria for their support.  ... 
doi:10.1109/compsac.2012.34 dblp:conf/compsac/ScholteRBK12 fatcat:uuno4er3b5bj3ioqn7zzgjk5um

Verified Enforcement of Security Policies for Cross-Domain Information Flows

Nikhil Swamy, Michael Hicks, Simon Tsang
2007 MILCOM 2007 - IEEE Military Communications Conference  
We discuss the design of our main case study: a web-based Collaborative Planning Application that will permit a collection of users, with varying security requirements and clearances, to access sensitive  ...  We are enhancing existing techniques from the field of Security-oriented Programming Languages to construct a new language for the construction of secure networked applications, SELINKS.  ...  The remainder of this paper is structured as follows. In Section 2 we describe the functionality and security goals of a web-based application that integrates with the network of Figure 1.  ... 
doi:10.1109/milcom.2007.4455189 fatcat:7kfgqxjdkrhvxl3xmgugldhk4i

Security models for web-based applications

James B. D. Joshi, Walid G. Aref, Arif Ghafoor, Eugene H. Spafford
2001 Communications of the ACM  
daunting challenge of ensuring the security and privacy of information in such Web-based applications [4].  ...  At the same time, there is a growing concern over the security of Web-based applications, which are rapidly being deployed over the Internet [4].  ...  For Web-based applications, multilevel classification of information may be an essential requirement that can be enforced by a service provider to distinguish among the users and the type of information  ... 
doi:10.1145/359205.359224 fatcat:vsa4ca3kabfvzeve6zp7kkg2ze

SafeWeb: A Middleware for Securing Ruby-Based Web Applications [chapter]

Petr Hosek, Matteo Migliavacca, Ioannis Papagiannis, David M. Eyers, David Evans, Brian Shand, Jean Bacon, Peter Pietzuch
2011 Lecture Notes in Computer Science  
Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications.  ...  We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).  ...  Acknowledgements This work was supported by grants EP/F042469 and EP/F044216 ("Smart-Flow: Extendable Event-Based Middleware") and grant EP/I501053 ("SafeWeb: Demonstrating End-to-End Security of NHS Patient  ... 
doi:10.1007/978-3-642-25821-3_25 fatcat:uow54ctyzbbvxmrvj2qhxrlbru

Cloud Platform Support for API Governance

Chandra Krintz, Hiranya Jayathilaka, Stratos Dimopoulos, Alexander Pucher, Rich Wolski, Tevfik Bultan
2014 2014 IEEE International Conference on Cloud Engineering  
"Service-izing" digital assets consists of encapsulating assets in software that exposes them to web and mobile applications via well-defined yet flexible, network accessible, application programming interfaces  ...  As scalable information technology evolves to a more cloud-like model, digital assets (code, data and software environments) increasingly require curation as web-accessible services.  ...  EAGER also extends PaaS with support for the specification and analysis of governance policies for APIs and their application to cloud-hosted web services statically, during deployment, and at runtime.  ... 
doi:10.1109/ic2e.2014.90 dblp:conf/ic2e/KrintzJDPWB14 fatcat:sp7zr654mfhjrkrm5l2pywyrie

Eliminating Trust From Application Programs By Way Of Software Architecture

Michael Franz
2008 Software Engineering  
Key to our approach is the use of a trusted multi-level security virtual machine, inside of which all secrets remain locked at all times.  ...  We present a software architecture in which applications can be completely untrusted, even when they manipulate secrets.  ...  Denning was also one of the first to point out that the information flow property should be enforced statically to contain label creep, and to avoid leaks through implicit flows.  ... 
dblp:conf/se/Franz08 fatcat:6vryj3bgizdghgk7cydnkhjv3y

Information Flow Control for Secure Cloud Computing

Jean Bacon, David Eyers, Thomas F. J.-M. Pasquier, Jatinder Singh, Ioannis Papagiannis, Peter Pietzuch
2014 IEEE Transactions on Network and Service Management  
particulars of the cloud software stack in order to effect enforcement.  ...  In this paper we describe the properties of cloud computing (Platform-as-a-Service clouds in particular) and review a range of IFC models and implementations to identify opportunities for using IFC within  ...  It uses IFC to track data flows through all tiers of the web application infrastructure, in order to ensure end-to-end data confidentiality and integrity.  ... 
doi:10.1109/tnsm.2013.122313.130423 fatcat:oczijxwkfvdtrgar6nvab4ypem

Aspectizing JavaScript security

Florent Marchand de Kerchove, Jacques Noyé, Mario Südholt
2013 Proceedings of the 3rd workshop on Modularity in systems software - MISS '13  
To this end, we review major categories of approaches to make client-side applications secure and discuss uses of aspects that exist for some of them.  ...  In this position paper we argue that aspects are well-suited to describe and implement a range of strategies to make secure JavaScript-based applications.  ...  Acknowledgments This work has been partially funded by the SecCloud project of the French "Laboratoire d'Excellence" CominLabs.  ... 
doi:10.1145/2451613.2451616 fatcat:7yrvqlusmjbcli5qjuffdngeqy