
Enforcing Input Validation through Aspect Oriented Programming

Conference paper, in: Data Privacy Management and Autonomous Spontaneous Security (DPM 2013, SETOP 2013)

Abstract

Injection vulnerabilities are still prevalent today, ranking first on the OWASP Top Ten threats to software security. Developers often have trouble adopting secure coding practices during the software development life cycle and so fail to prevent these vulnerabilities. This paper addresses the problem of modular input validation for web applications as a countermeasure to several kinds of code injection attacks. The solution relies on annotations that enrich the metadata describing the application’s input parameters. This information is then used to automatically insert validation code into the target application using aspect-oriented programming. Our approach mitigates risks while keeping security functionality separate from the application logic.
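The following is an added illustration of the mechanism the abstract describes; it is not code from the paper, whose approach uses annotations on a web application's input parameters and aspect-oriented weaving of the validation code. In this Python analogue, `typing.Annotated` carries the validation metadata on each parameter, and the `validated` decorator plays the aspect: it reads that metadata once and weaves a before-advice that checks every annotated argument before the handler body runs, so the handler itself contains only application logic. All names (`Pattern`, `MaxLength`, `validated`, `post_comment`, `try_post`) and the sample inputs are constructed for this example.

```python
import inspect
import re
from functools import wraps
from typing import Annotated, Any, Callable, get_type_hints


class ValidationError(ValueError):
    """Raised when an input parameter fails its declared constraint."""


class Pattern:
    """Constraint metadata: the string must fully match the regular expression."""

    def __init__(self, regex: str) -> None:
        self.regex = re.compile(regex)

    def check(self, name: str, value: Any) -> None:
        if not isinstance(value, str) or self.regex.fullmatch(value) is None:
            raise ValidationError(f"{name}: value does not match {self.regex.pattern!r}")


class MaxLength:
    """Constraint metadata: the string may not exceed a fixed length."""

    def __init__(self, limit: int) -> None:
        self.limit = limit

    def check(self, name: str, value: Any) -> None:
        if not isinstance(value, str) or len(value) > self.limit:
            raise ValidationError(f"{name}: longer than {self.limit} characters")


def validated(func: Callable) -> Callable:
    """The 'aspect': collects constraints from the parameter metadata at decoration
    time and weaves a before-advice that enforces them on every call."""
    hints = get_type_hints(func, include_extras=True)
    sig = inspect.signature(func)
    constraints = {}
    for name, hint in hints.items():
        if name == "return":
            continue
        # Annotated[T, m1, m2, ...] exposes its metadata objects here
        metadata = getattr(hint, "__metadata__", ())
        checks = [m for m in metadata if hasattr(m, "check")]
        if checks:
            constraints[name] = checks

    @wraps(func)
    def advice(*args, **kwargs):
        bound = sig.bind(*args, **kwargs)
        bound.apply_defaults()
        for name, checks in constraints.items():
            for check in checks:
                check.check(name, bound.arguments[name])
        return func(*args, **kwargs)

    return advice


# Reusable parameter types: the validation rule lives in the metadata,
# not in the handler (constructed constraints for this example).
Username = Annotated[str, Pattern(r"[A-Za-z0-9_]{1,32}")]
Comment = Annotated[str, MaxLength(200)]


@validated
def post_comment(user: Username, text: Comment) -> str:
    # Application logic only: no validation code is written here.
    return f"{user}: {text}"


def try_post(user: str, text: str) -> str:
    """Calls the woven handler and reports whether the advice rejected the input."""
    try:
        return post_comment(user, text)
    except ValidationError as err:
        return f"rejected ({err})"


if __name__ == "__main__":
    print(try_post("alice", "hello"))
    print(try_post("not a valid user", "hello"))
    print(try_post("alice", "x" * 201))
```

Because the constraints are attached to the parameter declarations and enforced by the decorator, changing a validation rule means editing the `Annotated` alias, not every handler that uses it, which is the separation of concerns the abstract argues for.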


Notes

  1. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


Author information

Corresponding author: Anderson Santana de Oliveira

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Serme, G., Scholte, T., de Oliveira, A.S. (2014). Enforcing Input Validation through Aspect Oriented Programming. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM/SETOP 2013. Lecture Notes in Computer Science, vol 8247. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54568-9_20

  • DOI: https://doi.org/10.1007/978-3-642-54568-9_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-54567-2

  • Online ISBN: 978-3-642-54568-9

  • eBook Packages: Computer Science (R0)
