ABSTRACT
Attackers are increasingly targeting web applications. Buffer overflows had been the most common vulnerability type since CERT began collecting statistics, but web application vulnerabilities like cross-site scripting have dominated vulnerability reports since 2005. Despite billions of dollars spent on network security, the amount lost to computer crime, much of it the result of the insecurity of web applications, grows every year. In part, this problem results from the fact that perimeter security techniques like firewalls do little to protect web applications.
In order for students to be prepared for the current threat environment, we need to integrate web application security into the IT curriculum. Both information security and web programming classes need to cover this topic. This paper describes techniques, tools, and labs for integrating web application security into both types of classes. Some techniques, such as penetration testing using web proxies, are applicable to both types of classes. Other techniques, such as secure programming guidelines, are primarily useful in web programming classes, while some tools, like web application firewalls, are more important in information security classes.
We use the open source web application security teaching tool WebGoat for introductory labs that teach the students about the nature of specific vulnerabilities like SQL injection. These labs also introduce students to open source web testing proxies, such as Burp Suite, which they use more deeply in later labs that focus on penetration testing of a complete web application. Students in security classes also learn how to use web vulnerability scanners and web application firewalls, while web programming classes focus on learning how to write code without common vulnerabilities.
Integrating web application security into the IT curriculum