{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:33:39Z","timestamp":1759091619053},"publisher-location":"Berlin, Heidelberg","reference-count":43,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783642341625"},{"type":"electronic","value":"9783642341632"}],"license":[{"start":{"date-parts":[[2012,1,1]],"date-time":"2012-01-01T00:00:00Z","timestamp":1325376000000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012]]},"DOI":"10.1007\/978-3-642-34163-2_12","type":"book-chapter","created":{"date-parts":[[2012,10,6]],"date-time":"2012-10-06T06:45:04Z","timestamp":1349505904000},"page":"198-217","source":"Crossref","is-referenced-by-count":5,"title":["A Metamodel for Web Application Injection Attacks and Countermeasures"],"prefix":"10.1007","author":[{"given":"Hannes","family":"Holm","sequence":"first","affiliation":[]},{"given":"Mathias","family":"Ekstedt","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"12_CR1","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1109\/MSP.2005.159","volume":"3","author":"K. Tsipenyuk","year":"2005","unstructured":"Tsipenyuk, K., Chess, B., McGraw, G.: Seven pernicious kingdoms: A taxonomy of software security errors. IEEE Security & Privacy\u00a03, 81\u201384 (2005)","journal-title":"IEEE Security & Privacy"},{"key":"12_CR2","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1108\/09685221111153555","volume":"19","author":"M.D. Mitropoulos","year":"2011","unstructured":"Mitropoulos, M.D., Karakoidas, V., Louridas, P., Spinellis, D.: Countering Code Injection Attacks: A Unified Approach. 
Information Management & Computer Security\u00a019, 3 (2011)","journal-title":"Information Management & Computer Security"},{"key":"12_CR3","unstructured":"One, A.: Smashing the stack for fun and profit (1996), http:\/\/ezano-secu.fr\/securite\/Applicatif\/Smashing_the_stack_for_fun_and_profit.pdf"},{"key":"12_CR4","unstructured":"OWASP: 2010 OWASP Top 10 (2010)"},{"key":"12_CR5","unstructured":"Martin, B., Brown, M., Paller, A., Kirby, D., Christey, S.: 2011 CWE\/SANS Top 25 Most Dangerous Software Errors (2011)"},{"key":"12_CR6","doi-asserted-by":"crossref","unstructured":"Scholte, T., Balzarotti, D., Kirda, E.: Have things changed now? An empirical study on input validation vulnerabilities in web applications. Computers and Security (2012)","DOI":"10.1016\/j.cose.2011.12.013"},{"key":"12_CR7","unstructured":"Suto, L.: Analyzing the Effectiveness of Web Application Firewalls (2011)"},{"key":"12_CR8","doi-asserted-by":"publisher","first-page":"31","DOI":"10.1016\/j.cose.2004.06.011","volume":"24","author":"S. Hansman","year":"2005","unstructured":"Hansman, S., Hunt, R.: A taxonomy of network and computer attacks. Computers & Security\u00a024, 31\u201343 (2005)","journal-title":"Computers & Security"},{"key":"12_CR9","unstructured":"Howard, J.D.: An analysis of security incidents on the Internet 1989-1995 (1997)"},{"key":"12_CR10","unstructured":"NVD: National Vulnerability Database, http:\/\/nvd.nist.gov\/"},{"key":"12_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"124","DOI":"10.1007\/11663812_7","volume-title":"Recent Advances in Intrusion Detection","author":"T. Pietraszek","year":"2006","unstructured":"Pietraszek, T., Berghe, C.: Defending Against Injection Attacks Through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 124\u2013145. 
Springer, Heidelberg (2006)"},{"key":"12_CR12","doi-asserted-by":"crossref","unstructured":"Sidharth, N., Liu, J.: IAPF: A Framework for Enhancing Web Services Security. The Computer Society (2007)","DOI":"10.1109\/COMPSAC.2007.22"},{"key":"12_CR13","doi-asserted-by":"crossref","unstructured":"Vorobiev, A., Han, J.: Security attack ontology for web services. In: Second International Conference on Semantics, Knowledge and Grid, SKG 2006, p. 42. IEEE (2006)","DOI":"10.1109\/SKG.2006.85"},{"key":"12_CR14","unstructured":"Halfond, W., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: Int\u2019l Symp. on Secure Software Engineering, Citeseer (2006)"},{"key":"12_CR15","unstructured":"Zuchlinski, G.: The Anatomy of Cross Site Scripting (November 2003)"},{"key":"12_CR16","doi-asserted-by":"publisher","first-page":"435","DOI":"10.1016\/S0167-4048(03)00512-1","volume":"22","author":"G. \u00c1lvarez","year":"2003","unstructured":"\u00c1lvarez, G., Petrovi\u0107, S.: A new taxonomy of web attacks suitable for efficient encoding. Computers & Security\u00a022, 435\u2013449 (2003)","journal-title":"Computers & Security"},{"key":"12_CR17","unstructured":"Stamos, A., Stender, S.: Attacking Web Services: The Next Generation of Vulnerable Enterprise Apps. In: BlackHat 2005 (2005)"},{"key":"12_CR18","unstructured":"Klein, A.: Blind XPath Injection. Whitepaper from Watchfire (2005)"},{"key":"12_CR19","doi-asserted-by":"crossref","unstructured":"Ghourabi, A., Abbes, T., Bouhoula, A.: Experimental analysis of attacks against web services and countermeasures. In: Proceedings of the 12th International Conference on Information Integration and Web-based Applications & Services, pp. 195\u2013201. ACM (2010)","DOI":"10.1145\/1967486.1967519"},{"key":"12_CR20","unstructured":"Nystrom, M.: Sql injection defenses. O\u2019Reilly Media, Inc. 
(2007)"},{"key":"12_CR21","unstructured":"Shin, Y., Williams, L.: Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities (2008)"},{"key":"12_CR22","doi-asserted-by":"crossref","unstructured":"Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In: Proceedings of the 20th IEEE\/ACM International Conference on Automated Software Engineering, pp. 174\u2013183. ACM (2005)","DOI":"10.1145\/1101908.1101935"},{"key":"12_CR23","doi-asserted-by":"crossref","unstructured":"Huang, Y., Huang, S.: Web application security assessment by fault injection and behavior monitoring. In: Proceedings of the 12th International Conference on World Wide Web, pp. 148\u2013159. ACM (2003)","DOI":"10.1145\/775173.775174"},{"key":"12_CR24","unstructured":"Shavlik: Shavlik Technologies, http:\/\/www.shavlik.com\/"},{"key":"12_CR25","doi-asserted-by":"crossref","unstructured":"McClure, R.A., Kr\u00fcger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: Proceedings of the 27th International Conference on Software Engineering, pp. 88\u201396 (2005)","DOI":"10.1145\/1062455.1062487"},{"key":"12_CR26","doi-asserted-by":"crossref","unstructured":"Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 258\u2013263. IEEE Computer Society (2006)","DOI":"10.1109\/SP.2006.29"},{"key":"12_CR27","doi-asserted-by":"crossref","unstructured":"Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent SQL injection attacks. In: Proceedings of the 5th International Workshop on Software Engineering and Middleware, pp. 106\u2013113. 
ACM (2005)","DOI":"10.1145\/1108473.1108496"},{"key":"12_CR28","unstructured":"Cisco: Cisco Application Velocity System, http:\/\/www.cisco.com\/en\/US\/products\/ps6499\/index.html"},{"key":"12_CR29","unstructured":"Livshits, B., Martin, M., Lam, M.S.: Securifly: Runtime protection and recovery from web application vulnerabilities (2006)"},{"key":"12_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"292","DOI":"10.1007\/978-3-540-24852-1_21","volume-title":"Applied Cryptography and Network Security","author":"S.W. Boyd","year":"2004","unstructured":"Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL Injection Attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol.\u00a03089, pp. 292\u2013302. Springer, Heidelberg (2004)"},{"key":"12_CR31","doi-asserted-by":"crossref","unstructured":"Denning, D.E.: An intrusion-detection model. IEEE Transactions on Software Engineering, 222\u2013232 (1987)","DOI":"10.1109\/TSE.1987.232894"},{"key":"12_CR32","unstructured":"apache-scalp: Apache log analyzer for security, http:\/\/code.google.com\/p\/apache-scalp\/"},{"key":"12_CR33","doi-asserted-by":"crossref","unstructured":"Lankhorst, M.: Enterprise architecture at work: Modelling, communication and analysis. Springer-Verlag New York Inc. (2009)","DOI":"10.1007\/978-3-642-01310-2_12"},{"key":"12_CR34","first-page":"33","volume":"3","author":"R. Lagerstr\u00f6m","year":"2007","unstructured":"Lagerstr\u00f6m, R.: Analyzing system maintainability using enterprise architecture models. Journal of Enterprise Architecture\u00a03, 33\u201342 (2007)","journal-title":"Journal of Enterprise Architecture"},{"key":"12_CR35","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1080\/17517575.2010.507878","volume":"5","author":"P. N\u00e4rman","year":"2011","unstructured":"N\u00e4rman, P., Holm, H., Johnson, P., K\u00f6nig, J., Chenine, M., Ekstedt, M.: Data accuracy assessment using enterprise architecture. 
Enterprise Information Systems\u00a05, 37\u201358 (2011)","journal-title":"Enterprise Information Systems"},{"key":"12_CR36","unstructured":"Sommestad, T., Ekstedt, M., Holm, H.: The Cyber Security Modeling Language: A Tool for Assessing the Vulnerability of Enterprise System Architectures. IEEE Systems Journal (to be available)"},{"key":"12_CR37","doi-asserted-by":"publisher","first-page":"655","DOI":"10.1016\/j.ress.2007.03.001","volume":"93","author":"R. Cooke","year":"2008","unstructured":"Cooke, R.: Special issue on expert judgment. Reliability Engineering & System Safety\u00a093, 655\u2013656 (2008)","journal-title":"Reliability Engineering & System Safety"},{"key":"12_CR38","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1518\/hfes.45.1.104.27233","volume":"45","author":"D.J. Weiss","year":"2003","unstructured":"Weiss, D.J., Shanteau, J.: Empirical Assessment of Expertise. Human Factors: The Journal of the Human Factors and Ergonomics Society\u00a045, 104\u2013116 (2003)","journal-title":"Human Factors: The Journal of the Human Factors and Ergonomics Society"},{"key":"12_CR39","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/0167-9236(94)90061-2","volume":"11","author":"F. Bolger","year":"1994","unstructured":"Bolger, F., Wright, G.: Assessing the quality of expert judgment: Issues and analysis. Decision Support Systems\u00a011, 1\u201324 (1994)","journal-title":"Decision Support Systems"},{"key":"12_CR40","unstructured":"Holm, H., Sommestad, T., Ekstedt, M., Honeth, N.: Indicators of expert judgment and their value: an empirical investigation in the area of cyber security. Expert Systems: The Journal of Knowledge Engineering (to be available)"},{"key":"12_CR41","doi-asserted-by":"crossref","unstructured":"Bodeau, D.J., Graubart, R., Fabius-Greene, J.: Improving Cyber Security and Mission Assurance Via Cyber Preparedness (Cyber Prep) Levels. In: 2010 IEEE Second International Conference on Social Computing, pp. 1147\u20131152. 
IEEE (2010)","DOI":"10.1109\/SocialCom.2010.170"},{"key":"12_CR42","doi-asserted-by":"crossref","unstructured":"Moser, C.: Interview bias. Review of the International Statistical Institute, 28\u201340 (1951)","DOI":"10.2307\/1401500"},{"key":"12_CR43","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1086\/265924","volume":"12","author":"L. Crespi","year":"1948","unstructured":"Crespi, L.: The interview effect in polling. Public Opinion Quarterly\u00a012, 99\u2013111 (1948)","journal-title":"Public Opinion Quarterly"}],"container-title":["Lecture Notes in Business Information Processing","Trends in Enterprise Architecture Research and Practice-Driven Research on Enterprise Transformation"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-34163-2_12","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,1,30]],"date-time":"2022-01-30T01:35:17Z","timestamp":1643506517000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-34163-2_12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012]]},"ISBN":["9783642341625","9783642341632"],"references-count":43,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-34163-2_12","relation":{},"ISSN":["1865-1348","1865-1356"],"issn-type":[{"type":"print","value":"1865-1348"},{"type":"electronic","value":"1865-1356"}],"subject":[],"published":{"date-parts":[[2012]]}}}