Bridging the gap between web application firewalls and web applications
Citations
Detecting web attacks with end-to-end deep learning
InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations.
A Machine-Learning-Driven Evolutionary Approach for Testing Web Application Firewalls
Adaptive Rule Loading and Session Control for Securing Web-Delivered Services
Web Application Firewall: Network Security Models and Configuration
References
The spec# programming system: an overview
An overview of JML tools and applications
Securing web application code by static analysis and runtime protection
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
SQLrand: Preventing SQL Injection Attacks
Frequently Asked Questions (13)
Q2. What have the authors contributed in "Bridging the gap between web application firewalls and web applications" ?
The main contribution of this paper is that it shows how, through a combination of static and dynamic verification, WAFs can formally guarantee the absence of certain kinds of erroneous behaviour in web applications. The authors have built a prototype implementation of their approach on top of an existing static verification tool for Java, and they have applied the approach to a medium-sized J2EE-based web application.
Q3. What is the language used to verify if a component adheres to its contract?
In order to use existing verifiers to check whether the implementation of a component adheres to its contract, the problem-specific contracts are translated into the Java Modeling Language (JML) [18], a popular formal contract specification language for components written in Java.
Q4. What is the main contribution of this paper?
The main contribution of this paper is that it shows how, through a combination of static and dynamic verification, WAFs can formally guarantee the absence of certain kinds of erroneous behaviour in web applications.
Q5. What is the definition of forceful browsing?
Forceful browsing is the act of directly accessing web pages (URLs) without consideration for their context within an application session.
Q6. What is the main function of a servlet?
A container casts incoming HTTP requests into an object-oriented form (i.e. an HttpServletRequest object) and checks whether there is a servlet registered for processing that request.
Q7. What is the main problem with WAFs?
One of the problems with using WAFs for strict request flow enforcement is that they tend to have a loose coupling between their configuration and the application implementation.
Q8. What is the purpose of this paper?
This paper has focussed on bridging the gap between WAFs that enforce strict request flow and some of the implementation-specific bugs that this kind of firewall tries to protect against.
Q9. What is the overhead of the ESC/Java2 test?
Instead of letting ESC/Java2 verify the modifies clauses, the authors use a component-specific specification of the session repository, in which the authors constrain the allowed write operations to the actual write interactions that the component claims to have in its modifies clauses.
Q10. What is the implementation of the enforcement engine?
At deployment time, their enforcement engine is loaded with an object-oriented instantiation of the labelled state transition system (figure 4).
Q11. What is the simplest way to verify a component’s state change?
In case the component's implementation triggers an unspecified state change in the shared data repository, the verification of the component with ESC/Java2 will detect this contract violation (even without checking the component's modifies clauses), since the state change will also violate the precondition of the component-specific setAttribute annotation of the shared repository.
Q12. What is the servlet for the Duke’s Bookstore?
The Duke's BookStore web application is an example Java Servlet application that is bundled with the J2EE 1.4 Tutorial [1].
Q13. What is the precondition for the setAttribute method?
Listing 7 is an example of such a component-specific annotation for use with the ShowCartServlet: the precondition of the setAttribute method states that write operations are allowed only for the cart and currency data items.