Improving security through the design of web software (Amélioration de la sécurité par la conception des logiciels web)

Abstract: The web has become a backbone of our industry and daily life. The growing popularity of web applications and services and the increasing number of critical transactions being performed have raised security concerns. For this reason, much effort has been spent over the past decade to make web applications more secure. Despite these efforts, recent data from the SANS Institute estimates that up to 60% of Internet attacks target web applications, and critical vulnerabilities such as cross-site scripting and SQL injection are still very common. In this thesis, we conduct two empirical studies on a large number of web application vulnerabilities with the aim of gaining deeper insights into how input validation flaws have evolved in the past decade and how these common vulnerabilities can be prevented. Our results suggest that the complexity of the attacks has not changed significantly and that many web problems are still simple in nature. Our studies also show that most SQL injection and a significant number of cross-site scripting vulnerabilities can be prevented using straightforward validation mechanisms based on common data types. With these empirical results as a foundation, we present IPAAS, which helps developers who are unaware of security issues to write more secure web applications than they otherwise would. It includes a novel technique for preventing the exploitation of cross-site scripting and SQL injection vulnerabilities based on automated data type detection of input parameters. We show that this technique results in significant and tangible security improvements for real web applications.
Cited literature: 100 references

https://pastel.archives-ouvertes.fr/tel-01225776
Contributor: Abes Star
Submitted on: Friday, November 6, 2015 - 4:54:05 PM
Last modification on: Friday, May 17, 2019 - 12:29:47 PM
Long-term archiving on: Friday, April 28, 2017 - 5:50:44 AM

File

TheseScholte.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id: tel-01225776, version 1

Citation

Theodoor Scholte. Amélioration de la sécurité par la conception des logiciels web. Web. Télécom ParisTech, 2012. French. ⟨NNT: 2012ENST0024⟩. ⟨tel-01225776⟩

Metrics

  • Record views: 947
  • File downloads: 870