A Survey on Server-side Approaches to Securing Web Applications

A Survey on Server-side Approaches to Securing Web Applications
Xiaowei Li, Yuan Xue

Citation
Xiaowei Li, Yuan Xue. "A Survey on Server-side Approaches to Securing Web Applications". ACM Computing Surveys, 46(4), 2014.

Abstract
Web applications are one of the most prevalent platforms for information and service delivery over the Internet today. As they are increasingly used for critical services, web applications have become a popular and valuable target for security attacks. Although a large body of techniques have been developed to fortify web applications and mitigate attacks launched against web applications, there has been little effort devoted to drawing connections among these techniques and building the big picture of web application security research. This paper surveys the area of securing web applications from the server side, with the aim of systematizing the existing techniques into a big picture that promotes future research. We first present the unique aspects of the web application development which cause inherent challenges in building secure web applications. We then discuss three commonly seen security vulnerabilities within web applications: input validation vulnerabilities, session management vulnerabilities and application logic vulnerabilities, along with attacks that exploit these vulnerabilities. We organize the existing techniques along two dimensions: (1) the security vulnerabilities and attacks that they address; (2) the design objective and the phases of a web application during which they can be carried out. These phases are secure construction of new web applications, security analysis/ testing of legacy web applications and runtime protection of legacy web applications. Finally, we summarize the lessons learnt and discuss future research opportunities in this area.

Electronic downloads

Survey-Final.pdf · application/pdf · 347 kbytes

Citation formats

HTML

Xiaowei Li, Yuan Xue. <a
href="http://www.truststc.org/pubs/910.html" >A
Survey on Server-side Approaches to Securing Web
Applications</a>, <i>ACM Computing
Surveys</i>, 46(4),  2014.

Plain text

Xiaowei Li, Yuan Xue. "A Survey on Server-side
Approaches to Securing Web Applications". <i>ACM
Computing Surveys</i>, 46(4),  2014.

BibTeX

@article{LiXue14_SurveyOnServersideApproachesToSecuringWebApplications,
    author = {Xiaowei Li and Yuan Xue},
    title = {A Survey on Server-side Approaches to Securing Web
              Applications},
    journal = {ACM Computing Surveys},
    volume = {46},
    number = {4},
    year = {2014},
    abstract = {Web applications are one of the most prevalent
              platforms for information and service delivery
              over the Internet today. As they are increasingly
              used for critical services, web applications have
              become a popular and valuable target for security
              attacks. Although a large body of techniques have
              been developed to fortify web applications and
              mitigate attacks launched against web
              applications, there has been little effort devoted
              to drawing connections among these techniques and
              building the big picture of web application
              security research. This paper surveys the area of
              securing web applications from the server side,
              with the aim of systematizing the existing
              techniques into a big picture that promotes future
              research. We first present the unique aspects of
              the web application development which cause
              inherent challenges in building secure web
              applications. We then discuss three commonly seen
              security vulnerabilities within web applications:
              input validation vulnerabilities, session
              management vulnerabilities and application logic
              vulnerabilities, along with attacks that exploit
              these vulnerabilities. We organize the existing
              techniques along two dimensions: (1) the security
              vulnerabilities and attacks that they address; (2)
              the design objective and the phases of a web
              application during which they can be carried out.
              These phases are secure construction of new web
              applications, security analysis/ testing of legacy
              web applications and runtime protection of legacy
              web applications. Finally, we summarize the
              lessons learnt and discuss future research
              opportunities in this area.},
    URL = {http://www.truststc.org/pubs/910.html}
}

Posted by Yuan Xue on 9 Nov 2013.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.