Academic Papers in Web Application Security
This list represents an attempt to collect academic papers on the subject of Web application security sorted by the year of publication. Please let me know if something is missing from the list.
| Paper | Author(s) | Conference |
|---|---|---|
| Static analysis | ||
| An Analysis Framework for Security in Web Applications | Gary Wassermann and Zhendong Su | SAVCBS '04 |
| JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications | Carl Gould, Zhendong Su, and Premkumar Devanbu | ICSE '04 |
| Static Checking of Dynamically Generated Queries in Database Applications | Carl Gould, Zhendong Su, and Premkumar Devanbu | ICSE '04 |
| Securing Web Application Code by Static Analysis and Runtime Protection | Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo | WWW '04 |
| Finding Security Vulnerabilities in Java Applications with Static Analysis | Benjamin Livshits and Monica S. Lam | Usenix '05 |
| Precise Alias Analysis for Syntactic Detection of Web Application Vulnerabilities | Nenad Jovanovic, Christopher Kruegel, and Engin Kirda | PLAS '06 |
| Static Detection of Security Vulnerabilities in Scripting Languages | Yichen Xie and Alex Aiken | Usenix '06 |
| Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities | Nenad Jovanovic, Christopher Kruegel and Engin Kirda | Oakland '06 |
| Bridging the gap between Web application firewalls and Web applications | Lieven Desmet, Frank Piessens, Wouter Joosen, Pierre Verbaeten | FMSE '06 |
| Runtime (dynamic) analysis | ||
| Finding Application Errors and Security Flaws Using PQL: a Program Query Language | Michael Martin, Benjamin Livshits, and Monica S. Lam | OOPSLA '05 |
| AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks | W. Halfond and A. Orso | ASE '05 |
| Automatically Hardening Web Applications using Precise Tainting | Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Green, Jeffrey Shirley, David Evans | SEC '05 |
| A Learning-Based Approach to the Detection of SQL Attacks | F. Valeur, D. Mutz, and G. Vigna | DIMVA '05 |
| Defending against Injection Attacks through Context-Sensitive String Evaluation | Tadeusz Pietraszek, Chris Vanden Berghe | RAID '05 |
| Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software | James Newsome and Dawn Song | NDSS '05 |
| Taint Propagation for Java | Vivek Haldar, Deepak Chandra and Michael Franz | ACSAC '05 |
| Enforcing Privacy in Web Applications | Ariel Futoransky and Ariel Waissbein | PST '05 |
| A Practical Approach for Defeating a Wide Range of Attacks | Wei Xu, Sandeep Bhatkar, R. Sekar | Usenix '06 |
| The Essence of Command Injection Attacks in Web Applications | Zhendong Su and Gary Wassermann | POPL '06 |
| Client-side Solutions | ||
| Noxes: A Client-Side Solution for Mitigating Cross Site Scripting Attacks | Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic | SAC '06 |
| RequestRodeo: Client Side Protection against Session Riding | Martin Johns and Justus Winter | OWASP '06 |
| Testing | ||
| Using a SQL Coverage Measurement for Testing Database Applications | María José Suárez-Cabal and Javier Tuya | FSE '04 |
| Bypass Testing of Web Applications | Jeff Offutt, Ye Wu, Xiaochen Du and Hong Huang | ISSRE '04 |
| IDS | ||
| Anomaly detection of Web-based attacks | Christopher Kruegel and Giovanni Vigna | CCS '03 |
| Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks | W. Robertson, G. Vigna, C. Kruegel, R. Kemmerer | NDSS '06 |
| Detection of Web-Based Attacks through Markovian Protocol Parsing | Juan M. Estevez-Tapiador, Pedro Garcia-Teodoro, and Jesus E. Diaz-Verdejo | ISCC '06 |
| The Rest | ||
| SQLrand: Preventing SQL Injection Attacks | Stephen W. Boyd and Angelos D. Keromytis | ACNS '04 |
| Defining a Set of Common Benchmarks for Web Application Security | Benjamin Livshits | SoftSecTools '05 |
| A Safety-Oriented Platform for Web Applications | Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, and Henry M. Levy | Oakland '06 |
| Using parse tree validation to prevent SQL injection attacks | Gregory T. Buehrer, Bruce W. Weide, and Paolo A. G. Sivilotti | SEM '05 |