Published in: International Journal of Information Security 1/2018

11.01.2017 | Regular Contribution

Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications

Authors: G. Deepa, P. Santhi Thilagam, Furqan Ahmed Khan, Amit Praseed, Alwyn R. Pais, Nushafreen Palsetia


Abstract

As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. Attackers craft injection attacks against database-driven applications through the user-input fields intended for interacting with the application. Even though precautionary measures such as user-input sanitization are employed on the client side of the application, attackers can disable JavaScript on the client and still inject attacks through HTTP parameters. The injected parameters result in attacks because of improper server-side validation of user input. The injected parameters may either contain malicious SQL/XML commands, leading to SQL/XPath/XQuery injection, or be invalid input intended to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far on identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance because it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype, XiParam, is developed and tested on vulnerable applications built on a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective at detecting both XQuery injection and parameter tampering vulnerabilities.
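The abstract distinguishes the two failure modes on the server side: an HTTP parameter that changes the structure of the XQuery (injection) and a parameter that is syntactically harmless but violates the constraints the client-side form was supposed to enforce (tampering). The following is an added example, not code from the paper or from the XiParam prototype, showing what a server-side handler against an XML backend looks like in both the vulnerable and the hardened form. The document name `users.xml`, the element names, the form constraints and the sample requests are constructed for this example; the external-variable binding mirrors the `declare variable ... external` mechanism that native XML databases such as BaseX expose through their client APIs, but the exact binding call is assumed and depends on the driver.

```python
"""Added example (not from the paper or XiParam): server-side handling of two
HTTP parameters against an XML-backed application. Contrasts an XQuery built
by string concatenation with one that binds the user value as an external
variable, and re-validates parameters on the server against the constraints
the client-side form would normally enforce. All names and data are constructed."""

import re
from typing import Dict, List, Tuple

# Constructed form contract: the checks the client-side JavaScript performs.
# The server must repeat them, because a client can disable the script and
# send arbitrary values for any parameter.
FORM_CONSTRAINTS = {
    "username": {"pattern": re.compile(r"^[A-Za-z0-9_]{3,32}$")},
    "quantity": {"min": 1, "max": 10},
}


def build_query_concat(username: str) -> str:
    """Vulnerable construction: the raw parameter is spliced into the query
    text, so the input can decide which characters are data and which are
    XQuery syntax."""
    return f"doc('users.xml')//user[name = '{username}']/email/text()"


def build_query_bound(username: str) -> Tuple[str, Dict[str, str]]:
    """Hardened construction: the query text is constant and the value is
    handed to the engine separately as an external variable (assumed binding
    mechanism; the driver call that supplies the value is not shown)."""
    query = (
        "declare variable $username external;\n"
        "doc('users.xml')//user[name = $username]/email/text()"
    )
    return query, {"username": username}


def scan_string_literals(query: str) -> Tuple[int, bool]:
    """Minimal tokenizer for single-quoted XQuery string literals. Returns
    (number of complete literals, whether the text ends inside an unterminated
    literal). Inside a literal, '' is an escaped quote, not a terminator."""
    count, inside, i = 0, False, 0
    while i < len(query):
        if query[i] == "'":
            if not inside:
                inside = True
            elif i + 1 < len(query) and query[i + 1] == "'":
                i += 1  # escaped quote: stay inside the literal
            else:
                inside = False
                count += 1
        i += 1
    return count, inside


def parameter_altered_structure(username: str) -> bool:
    """True when splicing `username` into the concatenated query changes the
    number of string literals (the template has exactly two) or leaves one
    unterminated, i.e. the input escaped its intended role as data."""
    count, unterminated = scan_string_literals(build_query_concat(username))
    return unterminated or count != 2


def validate_params(params: Dict[str, str]) -> List[str]:
    """Server-side re-validation of the form contract. Returns the list of
    violations; an empty list means the request is acceptable."""
    violations: List[str] = []
    for name, rule in FORM_CONSTRAINTS.items():
        if name not in params:
            violations.append(f"{name}: missing")
            continue
        value = params[name]
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            violations.append(f"{name}: does not match expected format")
        if "min" in rule:
            try:
                number = int(value)
            except ValueError:
                violations.append(f"{name}: not an integer")
                continue
            if not rule["min"] <= number <= rule["max"]:
                violations.append(
                    f"{name}: {number} outside [{rule['min']}, {rule['max']}]")
    for name in params:
        if name not in FORM_CONSTRAINTS:
            violations.append(f"{name}: unexpected parameter")
    return violations


def handle_request(params: Dict[str, str]) -> Dict[str, object]:
    """Reject any request that violates the contract (parameter tampering);
    otherwise return the constant query plus its bindings for execution."""
    violations = validate_params(params)
    if violations:
        return {"status": 400, "violations": violations}
    query, bindings = build_query_bound(params["username"])
    return {"status": 200, "query": query, "bindings": bindings}


if __name__ == "__main__":
    # Constructed requests: well-formed, range check bypassed, and a value
    # that would change the query structure under concatenation.
    for req in ({"username": "alice", "quantity": "2"},
                {"username": "alice", "quantity": "-5"},
                {"username": "o'reilly", "quantity": "2"}):
        print(req, "->", handle_request(req),
              "| concat alters structure:",
              parameter_altered_structure(req["username"]))
```

`parameter_altered_structure` is the kind of structural check a detector can apply offline: it compares the literal structure of the query the server would have built with the structure of the template, so a value containing a quote is flagged even when the resulting text is still syntactically valid XQuery. The hardened path never needs that check, because the value is never part of the query text.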


Metadata
Title
Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications
Authors
G. Deepa
P. Santhi Thilagam
Furqan Ahmed Khan
Amit Praseed
Alwyn R. Pais
Nushafreen Palsetia
Publication date
11.01.2017
Publisher
Springer Berlin Heidelberg
Published in
International Journal of Information Security / Issue 1/2018
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI
https://doi.org/10.1007/s10207-016-0359-4
