• Documents
  • Authors
  • Tables
  • Log in
  • Sign up
  • MetaCart
  • DMCA
  • Donate

CiteSeerX logo

Advanced Search Include Citations
Advanced Search Include Citations

DMCA

Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper) (2006)

Cached

  • Download as a PDF

Download Links

  • [www.auto.tuwien.ac.at]
  • [www.cs.ucsb.edu]
  • [www.cs.ucsb.edu]
  • [www.cs.ucsb.edu]
  • [cs.ucsb.edu]
  • [www.cs.ucsb.edu]
  • [auto.tuwien.ac.at]
  • [www.seclab.tuwien.ac.at]
  • [www.iseclab.org]
  • [iseclab.org]
  • [www.iseclab.net]
  • [seclab.ccs.neu.edu]
  • [iseclab.org]
  • [www.seclab.tuwien.ac.at]
  • [www.iseclab.org]
  • [iseclab.org]

    • Other Repositories/Bibliography

  • DBLP
  • Save to List
  • Add to Collection
  • Correct Errors
  • Monitor Changes
by Nenad Jovanovic , Christopher Kruegel , Engin Kirda
Venue:IN 2006 IEEE SYMPOSIUM ON SECURITY AND PRIVACY
Citations:212 - 23 self
  • Summary
  • Citations
  • Active Bibliography
  • Co-citation
  • Clustered Documents
  • Version History

BibTeX

@INPROCEEDINGS{Jovanovic06pixy:a,
    author = {Nenad Jovanovic and Christopher Kruegel and Engin Kirda},
    title = {Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)},
    booktitle = {IN 2006 IEEE SYMPOSIUM ON SECURITY AND PRIVACY},
    year = {2006},
    pages = {258--263},
    publisher = {}
}

Share

Facebook Twitter Reddit Bibsonomy

OpenURL

 

Abstract

The number and the importance of Web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable Web applications by means of static source code analysis. More precisely, we use flow-sensitive, interprocedural and context-sensitive data flow analysis to discover vulnerable points in a program. In addition, alias and literal analysis are employed to improve the correctness and precision of the results. The presented concepts are targeted at the general class of taint-style vulnerabilities and can be applied to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection. Pixy, the open source prototype implementation of our concepts, is targeted at detecting cross-site scripting vulnerabilities in PHP scripts. Using our tool, we discovered and reported 15 previously unknown vulnerabilities in three web applications, and reconstructed 36 known vulnerabilities in three other web applications. The observed false positive rate is at around 50 % (i.e., one false positive for each vulnerability) and therefore, low enough to permit effective security audits.

Keyphrases

web application    detecting web application vulnerability    static analysis tool    short paper    open source prototype implementation    security vulnerability    manual code review    vulnerability type    command injection    presented concept    last year    taint-style vulnerability    automated solution    effective security audit    unknown vulnerability    php script    vulnerable web application    static source code analysis    observed false positive rate    vulnerable point    context-sensitive data flow analysis    sql injection    literal analysis    general class    cross-site scripting    known vulnerability   

Powered by: Apache Solr
  • About CiteSeerX
  • Submit and Index Documents
  • Privacy Policy
  • Help
  • Data
  • Source
  • Contact Us

Developed at and hosted by The College of Information Sciences and Technology

© 2007-2019 The Pennsylvania State University