An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages

  • Theodoor Scholte, William Robertson, Davide Balzarotti, Engin Kirda
  • Proceedings of the ACM Symposium on Applied Computing (SAC)
Abstract.

Web applications have become an integral part of the daily lives of millions of users. Unfortunately, web applications are also frequently targeted by attackers, and attacks such as XSS and SQL injection are still common.

In this paper, we present an empirical study of more than 7,000 input validation vulnerabilities with the aim of gaining deeper insights into how these common web vulnerabilities can be prevented. In particular, we focus on the relationship between the programming language used to develop a web application and the vulnerabilities that are commonly reported against it. Our findings suggest that most SQL injection and a significant number of XSS vulnerabilities can be prevented using straightforward validation mechanisms based on common data types. We elaborate on these common data types and discuss how support for them could be provided in web application frameworks.
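The following is an added illustration of the abstract's claim and is not code from the paper or its authors: a request parameter is converted to a declared data type before it reaches a SQL query or an HTML response, so a numeric id or an enumerated value cannot carry SQL or script syntax. The concrete set of types (int, bool, enum, email), the SQLite schema, the parameter names and the sample rows are assumptions made for this example.

```python
import re
import sqlite3
from typing import Any, Callable, Dict, Iterable


class ValidationError(ValueError):
    """Raised when a request parameter does not match its declared data type."""


# Validators for a few common data types. The set (int, bool, enum, email)
# is an assumption for illustration; the paper's own taxonomy may differ.
def as_int(raw: str) -> int:
    # Reject anything that is not a plain decimal integer before calling int().
    if not re.fullmatch(r"-?\d{1,18}", raw):
        raise ValidationError(f"not an integer: {raw!r}")
    return int(raw)


def as_bool(raw: str) -> bool:
    if raw in ("1", "true"):
        return True
    if raw in ("0", "false"):
        return False
    raise ValidationError(f"not a boolean: {raw!r}")


def as_enum(allowed: Iterable[str]) -> Callable[[str], str]:
    allowed_set = frozenset(allowed)

    def check(raw: str) -> str:
        if raw not in allowed_set:
            raise ValidationError(f"not one of {sorted(allowed_set)}: {raw!r}")
        return raw

    return check


def as_email(raw: str) -> str:
    # Deliberately strict: one local part, one domain, no whitespace or angle brackets.
    if not re.fullmatch(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}", raw):
        raise ValidationError(f"not an email address: {raw!r}")
    return raw


def validate(params: Dict[str, str], schema: Dict[str, Callable[[str], Any]]) -> Dict[str, Any]:
    """Convert raw string parameters to typed values; reject the request on any mismatch."""
    clean: Dict[str, Any] = {}
    for name, convert in schema.items():
        if name not in params:
            raise ValidationError(f"missing parameter: {name}")
        clean[name] = convert(params[name])
    return clean


def rejects(convert: Callable[[str], Any], raw: str) -> bool:
    """True if the validator (or a handler built on it) refuses the input."""
    try:
        convert(raw)
    except ValidationError:
        return True
    return False


# --- SQL injection: a numeric id spliced into a query ---------------------
def setup_db() -> sqlite3.Connection:
    # Constructed sample data; the schema is an assumption for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_unvalidated(conn: sqlite3.Connection, raw_id: str) -> list:
    # Vulnerable: the raw parameter becomes part of the SQL text.
    return conn.execute("SELECT name FROM users WHERE id = " + raw_id).fetchall()


def lookup_validated(conn: sqlite3.Connection, raw_id: str) -> list:
    # Same splice, but only after the parameter has been typed as an integer,
    # so the value can no longer carry SQL syntax.
    clean = validate({"id": raw_id}, {"id": as_int})
    return conn.execute("SELECT name FROM users WHERE id = " + str(clean["id"])).fetchall()


# --- XSS: a parameter reflected into HTML ----------------------------------
def sort_link(raw_order: str) -> str:
    # An enum-typed parameter cannot smuggle markup into the response.
    clean = validate({"sort": raw_order}, {"sort": as_enum({"asc", "desc"})})
    return f'<a href="?sort={clean["sort"]}">sort</a>'


if __name__ == "__main__":
    db = setup_db()
    print(lookup_unvalidated(db, "1 OR 1=1"))  # [('alice',), ('bob',), ('carol',)]
    print(rejects(lambda r: lookup_validated(db, r), "1 OR 1=1"))  # True
    print(rejects(sort_link, '"><script>alert(1)</script>'))  # True
```

The point this makes is the abstract's: for parameters whose legitimate values are integers, booleans or members of a fixed set, checking the type is enough to stop the injection, regardless of how the value is later embedded. It says nothing about free-text fields, where type validation cannot help and parameterised queries plus contextual output encoding remain necessary; in practice the typed check is defence in depth on top of those, not a replacement for them.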