Team for Research in
Ubiquitous Secure Technology

A Survey on Server-side Approaches to Securing Web Applications
Xiaowei Li, Yuan Xue

Citation
Xiaowei Li, Yuan Xue. "A Survey on Server-side Approaches to Securing Web Applications". ACM Computing Surveys, 46(4), 2014.

Abstract
Web applications are one of the most prevalent platforms for information and service delivery over the Internet today. As they are increasingly used for critical services, web applications have become a popular and valuable target for security attacks. Although a large body of techniques has been developed to fortify web applications and mitigate attacks launched against web applications, there has been little effort devoted to drawing connections among these techniques and building the big picture of web application security research. This paper surveys the area of securing web applications from the server side, with the aim of systematizing the existing techniques into a big picture that promotes future research. We first present the unique aspects of the web application development which cause inherent challenges in building secure web applications. We then discuss three commonly seen security vulnerabilities within web applications: input validation vulnerabilities, session management vulnerabilities and application logic vulnerabilities, along with attacks that exploit these vulnerabilities. We organize the existing techniques along two dimensions: (1) the security vulnerabilities and attacks that they address; (2) the design objective and the phases of a web application during which they can be carried out. These phases are secure construction of new web applications, security analysis/testing of legacy web applications and runtime protection of legacy web applications. Finally, we summarize the lessons learnt and discuss future research opportunities in this area.
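The three vulnerability classes the abstract names (input validation, session management, application logic) are easiest to recognize side by side. The following is an added illustration written for this page; it is not code from the paper or from the TRUST site. Each class is shown as a minimal vulnerable server-side handler next to a hardened one, using only the Python standard library (sqlite3 in memory as the "database"); all table names, session ids, order states and sample rows are constructed for the example.

```python
"""Three server-side web vulnerability classes, each as a vulnerable
handler beside a hardened one. Added illustration; names, tables and
sample data are constructed for the example, not taken from the paper."""
import hmac
import secrets
import sqlite3


# ---- 1. Input validation: SQL injection -------------------------------
def make_db():
    """In-memory table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_vulnerable(db, name):
    # Untrusted input is spliced into the SQL text, so a value such as
    # ' OR '1'='1 changes the query's structure and returns every row.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def find_user_hardened(db, name):
    # Parameterized query: the driver passes `name` as data only.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# ---- 2. Session management: session fixation --------------------------
class SessionStore:
    """Maps session id -> authenticated user (None before login)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login_vulnerable(self, sid, user):
        # Keeps whatever id the client presented. An id an attacker
        # planted in the victim's browser becomes an authenticated session.
        self.sessions[sid] = user
        return sid

    def login_hardened(self, sid, user):
        # Discard the pre-authentication id and issue a fresh one, so an
        # attacker who knew the old id gains nothing from the login.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = user
        return new_sid

    def user_for(self, sid):
        # Compare ids in constant time so the lookup does not leak a
        # partial match through timing.
        for known, user in self.sessions.items():
            if hmac.compare_digest(known.encode(), sid.encode()):
                return user
        return None


# ---- 3. Application logic: skipping a workflow step -------------------
class OrderVulnerable:
    """Trusts a client-supplied 'paid' flag, so shipment can be
    requested for an order that was never paid for."""

    def __init__(self):
        self.shipped = False

    def handle(self, step, client_says_paid):
        if step == "ship" and client_says_paid:
            self.shipped = True
        return self.shipped


class OrderHardened:
    """Keeps workflow state on the server and only allows transitions
    the current state permits; 'ship' before 'pay' is rejected."""

    TRANSITIONS = {("new", "pay"): "paid", ("paid", "ship"): "shipped"}

    def __init__(self):
        self.state = "new"

    def handle(self, step):
        nxt = self.TRANSITIONS.get((self.state, step))
        if nxt is None:
            raise PermissionError(f"{step!r} not allowed from {self.state!r}")
        self.state = nxt
        return self.state


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "' OR '1'='1"))   # every user leaks
    print(find_user_hardened(db, "' OR '1'='1"))     # no match
```

The vulnerable and hardened variants differ by a single decision in each case: whether the query treats input as syntax or as data, whether the session id survives authentication, and whether the server or the client holds the workflow state. That is the pattern the survey's "secure construction" and "runtime protection" phases both target, from opposite ends of the application's life cycle.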

Citation formats  
  • HTML
    Xiaowei Li, Yuan Xue. <a
    href="http://www.truststc.org/pubs/910.html" >A
    Survey on Server-side Approaches to Securing Web
    Applications</a>, <i>ACM Computing
    Surveys</i>, 46(4), 2014.
  • Plain text
    Xiaowei Li, Yuan Xue. "A Survey on Server-side
    Approaches to Securing Web Applications". ACM
    Computing Surveys, 46(4), 2014.
  • BibTeX
    @article{LiXue14_SurveyOnServersideApproachesToSecuringWebApplications,
        author = {Xiaowei Li and Yuan Xue},
        title = {A Survey on Server-side Approaches to Securing Web
                  Applications},
        journal = {ACM Computing Surveys},
        volume = {46},
        number = {4},
        year = {2014},
        abstract = {Web applications are one of the most prevalent
                  platforms for information and service delivery
                  over the Internet today. As they are increasingly
                  used for critical services, web applications have
                  become a popular and valuable target for security
                  attacks. Although a large body of techniques has
                  been developed to fortify web applications and
                  mitigate attacks launched against web
                  applications, there has been little effort devoted
                  to drawing connections among these techniques and
                  building the big picture of web application
                  security research. This paper surveys the area of
                  securing web applications from the server side,
                  with the aim of systematizing the existing
                  techniques into a big picture that promotes future
                  research. We first present the unique aspects of
                  the web application development which cause
                  inherent challenges in building secure web
                  applications. We then discuss three commonly seen
                  security vulnerabilities within web applications:
                  input validation vulnerabilities, session
                  management vulnerabilities and application logic
                  vulnerabilities, along with attacks that exploit
                  these vulnerabilities. We organize the existing
                  techniques along two dimensions: (1) the security
                  vulnerabilities and attacks that they address; (2)
                  the design objective and the phases of a web
                  application during which they can be carried out.
                  These phases are secure construction of new web
                  applications, security analysis/testing of legacy
                  web applications and runtime protection of legacy
                  web applications. Finally, we summarize the
                  lessons learnt and discuss future research
                  opportunities in this area.},
        URL = {http://www.truststc.org/pubs/910.html}
    }
    

Posted by Yuan Xue on 9 Nov 2013.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.