@inproceedings{01bc6924ab7a4aea934872847cb2b62f,
title = "Web application security assessment by fault injection and behavior monitoring",
abstract = "As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.",
keywords = "black-box testing, complete crawling, fault injection, security assessment, web application testing",
author = "Huang, {Yao Wen} and Shih-Kun Huang and Lin, {Tsung Po} and Tsai, {Chung Hung}",
year = "2003",
doi = "10.1145/775152.775174",
language = "English",
isbn = "1581136803",
series = "Proceedings of the 12th International Conference on World Wide Web, WWW 2003",
pages = "148--159",
booktitle = "Proceedings of the 12th International Conference on World Wide Web, WWW 2003",
note = "12th International Conference on World Wide Web, WWW 2003 ; Conference date: 20-05-2003 Through 24-05-2003",
}