
Topic

File inclusion vulnerability

About: File inclusion vulnerability is a research topic. Over its lifetime, 104 publications have been published within this topic, receiving 1749 citations.
Papers

Patent
29 May 2001-
Abstract: Providing a user with assurance that a networked computer is secure, typically before completion of the log-in operation. This can be accomplished by extending the local log-in process to perform a host assessment of the workstation prior to requesting the user's credentials. If the assessment finds a vulnerability, the log-in process can inform the user that the machine is or may be compromised, or repair the vulnerability, prior to completion of the log-in operation. By performing vulnerability assessment at the level of the workstation, a network server is able to determine whether the workstation is a “trusted” platform from which to accept authentication requests. If the vulnerability assessment shows that the workstation is compromised, or if the possibility of remote compromise is high, the network server can elect to fail the authentication on the grounds that the workstation cannot be trusted. Optionally, a vulnerability assessment tool may be able to repair the vulnerability of the workstation, and then allow the authentication to proceed.

232 citations


Proceedings Article
08 Aug 2012-
TL;DR: It is shown that the state-aware black-box web vulnerability scanner is able to not only exercise more code of the web application, but also discover vulnerabilities that other vulnerability scanners miss.
Abstract: Black-box web vulnerability scanners are a popular choice for finding security vulnerabilities in web applications in an automated fashion. These tools operate in a point-and-shoot manner, testing any web application--regardless of the server-side language--for common security vulnerabilities. Unfortunately, black-box tools suffer from a number of limitations, particularly when interacting with complex applications that have multiple actions that can change the application's state. If a vulnerability analysis tool does not take into account changes in the web application's state, it might overlook vulnerabilities or completely miss entire portions of the web application. We propose a novel way of inferring the web application's internal state machine from the outside--that is, by navigating through the web application, observing differences in output, and incrementally producing a model representing the web application's state. We utilize the inferred state machine to drive a black-box web application vulnerability scanner. Our scanner traverses a web application's state machine to find and fuzz user-input vectors and discover security flaws. We implemented our technique in a prototype crawler and linked it to the fuzzing component from an open-source web vulnerability scanner. We show that our state-aware black-box web vulnerability scanner is able to not only exercise more code of the web application, but also discover vulnerabilities that other vulnerability scanners miss.

118 citations


Proceedings Article
Zhen Li, Deqing Zou, Shouhuai Xu, Hai Jin (+2 more)
05 Dec 2016-
TL;DR: Vulnerability Pecker is presented, a system for automatically detecting whether a piece of software source code contains a given vulnerability or not, and experiments show that VulPecker detects 40 vulnerabilities that are not published in the National Vulnerability Database (NVD).
Abstract: Software vulnerabilities are the fundamental cause of many attacks. Even with rapid vulnerability patching, the problem is more complicated than it looks. One reason is that instances of the same vulnerability may exist in multiple software copies that are difficult to track in real life (e.g., different versions of libraries and applications). This calls for tools that can automatically search for vulnerable software with respect to a given vulnerability. In this paper, we move a step forward in this direction by presenting Vulnerability Pecker (VulPecker), a system for automatically detecting whether a piece of software source code contains a given vulnerability or not. The key insight underlying VulPecker is to leverage (i) a set of features that we define to characterize patches, and (ii) code-similarity algorithms that have been proposed for various purposes, while noting that no single code-similarity algorithm is effective for all kinds of vulnerabilities. Experiments show that VulPecker detects 40 vulnerabilities that are not published in the National Vulnerability Database (NVD). Among these vulnerabilities, 18 are not known for their existence and have yet to be confirmed by vendors at the time of writing (these vulnerabilities are "anonymized" in the present paper for ethical reasons), and the other 22 vulnerabilities have been "silently" patched by the vendors in the later releases of the vulnerable products.

97 citations


Patent
07 Mar 2002-
Abstract: A system to monitor the vulnerability of a computer system is provided. The system comprises a configuration information storing unit to store the configuration information on the computer system to be monitored, a manager information storing unit to register the information on the system manager who does the vulnerability management work for the computer system to be monitored, a vulnerability information storing unit to store various types of vulnerability information, a vulnerability information offering unit to retrieve from the aforementioned vulnerability information storing unit the vulnerability information to be applied to the computer system to be monitored based on the aforementioned configuration information and to offer it to the aforementioned system manager, and a vulnerability measure information submission unit to generate vulnerability measure information based on the work log of the vulnerability modification measures that the system manager has taken and to submit this to the supervisor of the system manager who has done the aforementioned vulnerability modification work.

77 citations


Patent
02 Mar 2006-
Abstract: Security vulnerability information aggregation techniques are disclosed. Vulnerability information associated with one or more security vulnerabilities is obtained from multiple sources and aggregated into respective unified vulnerability definitions for the one or more security vulnerabilities. Aggregation may involve format conversion, content aggregation, or both in some embodiments. Unified vulnerability definitions may be distributed to vulnerability information consumers in accordance with consumer-specific policies. Storage of vulnerability information received from the sources may allow the aggregation process to be performed on existing vulnerability information "retro-actively". Related data structures and Graphical User Interfaces (GUIs) are also disclosed.

72 citations


Network Information
Related Topics (5)
Intrusion detection system

28.4K papers, 509.5K citations

78% related
Cloud computing security

27.1K papers, 511.8K citations

78% related
Computer security model

18.1K papers, 352.9K citations

77% related
Password

35K papers, 389.6K citations

76% related
Access control

32.6K papers, 475K citations

76% related
Performance Metrics
No. of papers in the topic in previous years

Year    Papers
2021    1
2020    1
2019    1
2018    4
2017    3
2016    9

Top Attributes

Topic's top 5 most impactful authors

Hiroto Kawashiro

3 papers, 4 citations

Masahiro Asano

3 papers, 4 citations

Aleksandra Mileva

2 papers, 7 citations

Dave Aitel

2 papers, 2 citations

Hossain Shahriar

2 papers, 13 citations