Investigating attack-aware web applications

Student thesis: Doctoral Thesis

Abstract

The Web has gone through a transformation of being a hyperlinked network of static content towards a platform for dynamic applications. This transformation, however, took place on top of the Web’s original design rather than being initiated by a complete makeover – a move which has consequences on the security of the Web and its applications. One of them is the lack of a mechanism or system that detects unintended application interactions since the original Web was never designed for interactivity in the first place. In client-server applications such as web applications, attackers can interact with the application in any way they want. Stopping attackers from doing what they want is not possible in this design, however, web applications are also not designed to be interacted with in any way either. Web applications and their developers can take advantage of this to detect malicious interactions and make their web applications attack-aware.

The aim of this thesis was to improve the integration of attack-awareness into web applications by investigating pragmatic and usable integration methods that leverage common web application development practices and frameworks.

The methodology comprises of three research investigations in which the practice of input validation, development with web application frameworks and exception handling has been investigated. A questionnaire-based survey was conducted to understand whether developers can detect attack attempts from input validation failures. Furthermore, a review-based survey of web application frameworks was conducted to evaluate how frameworks could improve the integration of attack-awareness. In the last investigation, attacker-induced exceptions were studied to analyse if they could be used for intrusion detection.

The results of the investigations show that the ability of a client to submit arbitrary input may not be entirely understood - benign looking but attacker-induced input validation failures need to be made more salient to developers. This would improve the integration of attack-awareness based on input validation controls, web application frameworks can provide further improvement with built-in components that readily emit security event artefacts. Lastly, the analysis of attacker-induced application exceptions provides another improvement and a promising detection approach based on the frequency pattern of exceptions that are caused by the trial-and-error stages of injection attacks.

The thesis has made a novel contribution to the research field of application intrusion detection and web application security. The investigation has explored the integration of attack-awareness and how common developer tools and practices can be best leveraged to make the integration pragmatic and usable. Future work seeks to further elaborate on the contributions made to the field of application intrusion detection through exploring the automation potential with autonomic programming techniques and by observing the development and maintenance of attack-aware web applications in real environments.
Date of Award1 Mar 2024
Original languageEnglish
Awarding Institution
  • Abertay University
SupervisorLynsay Shepherd (Supervisor), Natalie Coull (Supervisor) & Colin McLean (Supervisor)

Keywords

  • Application intrusion detection
  • Web application security
  • Software security
  • Web application development
  • Software development
  • Security logging

Cite this

'