An Early Testing and Defense Web Application Framework for Malicious Input Attacks
Michael Gegick and Laurie Williams
The 17th IEEE International Symposium on Software Reliability Engineering: Fast Abstracts (ISSRE 2006)
Raleigh, North Carolina, USA, November 6-10 2006
Abstract
We introduce a Java Web Application Reliability and Defense (WARD) framework, a two-part security solution composed of a vulnerability detection component, SecureUnit, and a vulnerability protection component, SecureFilter. SecureUnit enables developers to write automated, reusable, and customizable JUnit penetration tests that launch attacks on their systems to reveal security vulnerabilities. SecureFilter is a customizable server-side choke point containing a regular expression-based filter to match legal input according to system requirements. We integrated WARD v1.0 with WebGoat, an open-source web application security test bed, and successfully “warded off” 38 of 43 (88%) injected cross-site scripting exploits. WARD v2.0 will address the encoded exploits (e.g., those using HTML entities or hex characters) that WARD v1.0 did not stop from entering WebGoat.
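The two points the abstract makes about SecureFilter, that legal input is defined by a requirements-driven regular expression and that encoded input slipped past the v1.0 filter, can be shown in a few dozen lines. The following Java class is an added illustration and is not WARD's own code; the "comment" field rule, the small entity table, the single-byte percent decoding and the sample inputs are all hypothetical constructions for this example. It matches the same allowlist twice: once against the raw input (the v1.0 behaviour the abstract reports) and once against a canonicalized form in which HTML character references and percent-escapes have been decoded until the string stops changing, which is the kind of check the abstract says v2.0 will add.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration (not from the WARD paper) of an allowlist input filter in the
 * spirit of SecureFilter. It shows why matching the raw request parameter is not
 * enough and how decoding before matching closes the gap. Requires Java 9 or later.
 */
public class AllowlistFilterDemo {

    // Hypothetical requirement for a free-text "comment" field: letters, digits, spaces
    // and a little punctuation. '&', '#', ';' and '%' are permitted because legitimate
    // comments contain things like "AT&T", "#1" or "50% off".
    static final Pattern COMMENT = Pattern.compile("^[A-Za-z0-9 .,!?'&#;%-]{1,200}$");

    // Decimal (&#60;) and hex (&#x3C;) character references.
    private static final Pattern NUMERIC_ENTITY =
            Pattern.compile("&#(?:x([0-9A-Fa-f]{1,6})|([0-9]{1,7}));", Pattern.CASE_INSENSITIVE);
    // A few named references; a production canonicalizer covers the full HTML table.
    private static final Map<String, String> NAMED_ENTITY = Map.of(
            "&lt;", "<", "&gt;", ">", "&amp;", "&", "&quot;", "\"", "&apos;", "'");
    // Well-formed percent-escapes such as %3C; a bare '%' (as in "50% off") is left alone.
    private static final Pattern PERCENT_ESCAPE = Pattern.compile("%([0-9A-Fa-f]{2})");

    /** v1.0-style check: the raw input is matched directly against the allowlist. */
    static boolean acceptsRaw(String input) {
        return COMMENT.matcher(input).matches();
    }

    /** v2.0-style check: decode first, then match the canonical form against the allowlist. */
    static boolean acceptsCanonical(String input) {
        try {
            return COMMENT.matcher(canonicalize(input)).matches();
        } catch (IllegalArgumentException e) {
            // Unrepresentable code point or similar: undecodable input is treated as illegal.
            return false;
        }
    }

    /** Decode repeatedly until the string stops changing, so double encoding is unwrapped too. */
    static String canonicalize(String input) {
        String prev;
        String cur = input;
        int rounds = 0;
        do {
            prev = cur;
            cur = decodePercent(decodeEntities(cur));
        } while (!cur.equals(prev) && ++rounds < 8);
        return cur;
    }

    /** Replace numeric and a few named HTML character references with the characters they denote. */
    static String decodeEntities(String s) {
        Matcher m = NUMERIC_ENTITY.matcher(s);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            int cp = m.group(1) != null
                    ? Integer.parseInt(m.group(1), 16)
                    : Integer.parseInt(m.group(2));
            // Character.toChars throws IllegalArgumentException for code points above 0x10FFFF.
            m.appendReplacement(out, Matcher.quoteReplacement(new String(Character.toChars(cp))));
        }
        m.appendTail(out);
        String result = out.toString();
        for (Map.Entry<String, String> e : NAMED_ENTITY.entrySet()) {
            result = result.replace(e.getKey(), e.getValue());
        }
        return result;
    }

    /** Replace %XX escapes with the corresponding character (single-byte simplification for the demo). */
    static String decodePercent(String s) {
        Matcher m = PERCENT_ESCAPE.matcher(s);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(c)));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate comment, then the same tag injected
        // with decimal entities, with percent-escapes, and double-encoded.
        String[] samples = {
            "Great service from AT&T, #1 in my book, 50% off!",
            "&#60;b&#62;bold",
            "%3Cb%3Ebold",
            "&amp;#60;b&amp;#62;bold"
        };
        for (String s : samples) {
            System.out.printf("%-48s raw=%-5b canonical=%-5b (decodes to: %s)%n",
                    s, acceptsRaw(s), acceptsCanonical(s), canonicalize(s));
        }
    }
}
```

Running `main` shows the legitimate comment accepted by both checks, while each of the three encoded inputs is accepted by `acceptsRaw` (every character it contains is on the allowlist) and rejected by `acceptsCanonical` (it decodes to `<b>bold`, and `<` is not). The design point is that the allowlist itself was adequate; what let the encoded cases through was matching before decoding. The decoder here is deliberately minimal; a deployed filter should use a maintained canonicalization routine rather than a hand-written entity table.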