Context-oriented web application protection model

摘要

Due to growing user demand, web application development is becoming increasingly complicated. Multiple programming languages along with the complex multi-tier architecture commonly involved in web application development contribute to the probability of programming mistakes. Such mistakes may cause serious security vulnerabilities, which can then be exploited by malicious users. Current classifications include a wide variety of web application vulnerabilities, such as SQL injections, Cross-Site Scripting and File Inclusion. Various different protections exist against attacks associated with these vulnerabilities making it difficult to apply a single universal solution. This paper takes an alternative view of the core root of the vulnerabilities. Based on the discovered common traits, a unified extensible context-based model of web applications is proposed. A concept of context is introduced and different attacks are reformulated in terms of context boundary violation. The proposed model can be used to implement a more universal web application protection suitable against different types of attacks.