On the Automated Creation of Understandable Positive Security Models for Web Applications

2008 
Web applications pose new security-related challenges since attacks on web applications strongly differ from those on client-server applications. Traditional network-based firewall systems offer no protection against attacks of this kind since they occur at the application level. The current solution is the manual definition of large sets of filtering rules intended to prevent malicious attempts from being successful. We propose a new framework that avoids this tedious work. The basic idea is the definition of a description language for positive security models that takes the particularities of web applications into account. We then present adaptive techniques which employ this description language to describe the valid communication to a given web application. The simplicity of the description language allows the easy identification of unintentionally incorporated vulnerabilities. Experiments on several real-world web applications demonstrate the usefulness of the proposed approach.
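To make the idea of an adaptively derived positive security model concrete, here is an added example (not the paper's own description language or code): a hypothetical, deliberately small model that records, per request path and parameter, the value classes and maximum length seen in benign traffic, and then lists every deviation of a new request from that allowlist. The value classes, the traffic sample and the model format are all constructed for illustration.

```python
import re

# Constructed benign learning-phase traffic (path, params); not the paper's data.
TRAINING = [
    ("/shop/item", {"id": "42", "lang": "en"}),
    ("/shop/item", {"id": "1337", "lang": "de"}),
    ("/shop/search", {"q": "red shoes", "page": "2"}),
    ("/shop/search", {"q": "hat", "page": "10"}),
]

# Hypothetical value classes of the description language, most specific first.
CLASSES = [
    ("int", re.compile(r"^\d+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("text", re.compile(r"^[\w ]+$")),
]

def classify(value):
    """Map a parameter value to the most specific class it matches."""
    for name, pattern in CLASSES:
        if pattern.match(value):
            return name
    return "any"

def learn(requests):
    """Derive the positive model: per path, per parameter, allowed classes and max length."""
    model = {}
    for path, params in requests:
        specs = model.setdefault(path, {})
        for name, value in params.items():
            spec = specs.setdefault(name, {"classes": set(), "max_len": 0})
            spec["classes"].add(classify(value))
            spec["max_len"] = max(spec["max_len"], len(value))
    return model

def check(model, path, params):
    """List deviations from the model (empty means allowed); absent parameters count as optional."""
    if path not in model:
        return [f"unknown path {path}"]
    problems = []
    for name, value in params.items():
        spec = model[path].get(name)
        if spec is None:
            problems.append(f"unexpected parameter {name}")
            continue
        if classify(value) not in spec["classes"]:
            problems.append(f"{name}: value class {classify(value)} not permitted")
        if len(value) > spec["max_len"]:
            problems.append(f"{name}: length {len(value)} exceeds {spec['max_len']}")
    return problems
```

Because the learned model is a plain dictionary of paths, parameter names, classes and length bounds, a reviewer can read it directly and spot an unintended permission (for example a parameter learned with the catch-all class "any") before the model is enforced.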