Roberts-Morpeth, P.; Ellman, Jeremy (2010)
Publisher: IEEE Xplore
Languages: English
Types: Unknown
Subjects: G400
This report investigates whether a vulnerability found in one web framework may be used to find a vulnerability in a different web framework. To test this hypothesis, several open source applications were installed in a secure test environment together with security analysis tools. Each of the applications was developed using a different software framework. The results show that a vulnerability identified in one framework can often be used to find similar vulnerabilities in other frameworks. Cross-site scripting issues are the most likely to carry over successfully when applied to more than one framework.