Securing native XML database-driven web applications from XQuery injection vulnerabilities

Highlights

• Detects XQuery injection vulnerabilities in web applications using native XML DBs.

• Implements a prototype system “XQueryFuzzer” based on the proposed approach.

• Demonstrates the effectiveness of the prototype on benchmark web applications.

• Three types of XQuery injection attacks unlisted in OWASP are identified.

Abstract

Database-driven web applications today are XML-based as they handle highly diverse information and favor integration of data with other applications. Web applications have become the most popular way to deliver essential services to customers, and the increasing dependency of individuals on web applications makes them an attractive target for adversaries. The adversaries exploit vulnerabilities in the database-driven applications to craft injection attacks which include SQL, XQuery and XPath injections. A large amount of work has been done on identification of SQL injection vulnerabilities resulting in several tools available for the purpose. However, a limited work has been done so far for the identification of XML injection vulnerabilities and the existing tools only identify XML injection vulnerabilities which could lead to a specific type of attack. Hence, this work proposes a black-box fuzzing approach to detect different types of XQuery injection vulnerabilities in web applications driven by native XML databases. A prototype XQueryFuzzer is developed and tested on various vulnerable applications developed with BaseX as the native XML database. An experimental evaluation demonstrates that the prototype is effective against detection of XQuery injection vulnerabilities. Three new categories of attacks specific to XQuery, but not listed in OWASP are identified during testing.

Introduction

Extensible Markup Language (XML) is a data representation that favors integration and interoperability between heterogeneous web applications. The information exchanged between the applications in the form of XML documents can be processed efficiently when they are stored appropriately. These documents are stored in either an extended relational DBMS or a native XML database system (Chaudhri, Zicari, Rashid, 2003, Liu, Murthy, 2009). XQuery / XPath can be used as a query language for retrieving the data from XML documents.

A Native XML database (NXD) has XML document as its fundamental unit of storage, and defines a logical model based on the content in the XML document (Pavlovic-Lazetic, 2007). NXDs are employed in cases where the data involved do not fit the relational data model, but fit the XML data model. NXDs are generally preferred for applications that hold highly diverse information, involve integration of information from different set of applications, and handle rapidly evolving schemas. NXDs are also preferred for applications that work with a huge set of documents or large-sized documents (e.g., books, web pages, marketing brochures), and involve management of long-running transactions like finance, pharmaceuticals, etc. (Bourret, 2009). Use of relational databases and flat file systems for building such applications results in issues such as scalability and lack of structured queries. These issues can be overcome by using NXDs with XQuery/XPath as the query language for processing. Some of the popular NXDs are BaseX, eXistDB, and MarkLogic.

NXDs find applications in a wide variety of domains such as document management systems, healthcare systems, financial applications, business-to-business transaction records, catalog data, and corporate information portals (Staken, 2001). Real-world business applications that employ NXDs to manage their content are Elsevier Science publishers, Las Vegas Sun publishers (Bourret, 2009), the Tibetan Buddhist Resource Center (TBRC) (Siegel and Retter, 2014), etc. The Tasmanian government websites use NXD for helping users to track legislation. NXDs are used to store various other types of documents such as drug information sheets, contracts, case law, and insurance claims. Commerzbank and Hewlett Packard use NXD for integration of information from a variety of sources to handle financial and business transaction data (Bourret, 2009). Healthcare applications prefer to store electronic health records (EHR) in NXDs for efficient storage and retrieval of information from the available medical records (i.e., scan reports, prescriptions, etc.) (de la Torre, Díaz, Antón, Díez, Sainz, López, Hornero, López, 2011, Lee, Tang, Choi, 2013, Al-Hamdani, 2010).

The existing literature reveals that there is a growing demand towards usage of NXDs in web applications. Even though various XML security standards W3C, Hirsch such as XML Encryption, XML Digital Signature, and XML access-control markup language are defined for preserving confidentiality, integrity and access-control mechanisms of XML documents, when NXDs are used at the backend, any vulnerability in the source code of the application may allow an adversary to perform unwanted actions resulting in extraction/modification of information from/in the documents. As the content of highly sensitive applications like finance, healthcare, etc. are driven by NXDs, security of NXDs is vitally important to ensure the integrity, privacy and confidentiality (Baviskar and Thilagam, 2011), and to make sure that information is used appropriately (Huang, 2003).

According to the Internet Security Threat Report by Symantec Corporation (Symantec, 2014), one in eight web applications has critical unpatched vulnerabilities. A vulnerability is a coding flaw in the application and new types of attacks emerge from time to time to exploit these vulnerabilities. The security consortiums, OWASP (Top10, 2013), SANS (2011), and WASC (Gordeychik, 2010) list injection vulnerabilities as the most prevalent flaw in web applications. Injection vulnerabilities allow an attacker to compromise the security of the application, and permit them to steal confidential information or inject malicious data into the application. Injection attacks such as SQL injection and XML injection exploit the vulnerabilities for extraction/insertion of data from/into the database of the application. These attacks attempt to modify the query submitted to the database by providing malicious input to the web application server. If the web application submits SQL queries to a relational database, then the attack is referred to as an SQL injection attack. If the web application submits XQuery to an XML database, it is referred to as an XQuery injection attack. XQuery contains a superset of an XPath expression syntax. XQuery 1.0 includes XPath 2.0 as a sublanguage. According to the Payment Card Industry Data Security Standard (PCI DSS) and Common Vulnerability Scoring System (CVSS), XQuery and XPath injections are high risk threats, and hence detection of the vulnerabilities that could lead to these injection attacks is of critical importance (Gordeychik, 2010).

Even though a large body of literature exists for preventing SQL injection (Huang, Yu, Hang, Tsai, Lee, Kuo, 2004, Huang, Tsai, Lin, Huang, Lee, Kuo, 2005, Halfond, Orso, 2005, Buehrer, Weide, Sivilotti, 2005, Xie, Aiken, 2006, Su, Wassermann, 2006, Kosuga, Kernel, Hanaoka, Hishiyama, Takahama, 2007, Thomas, Williams, 2007, Wassermann, Su, 2007, Liu, Yuan, Wijesekera, Stavrou, 2009, Bisht, Madhusudan, Venkatakrishnan, 2010, Scholte, Robertson, Balzarotti, Kirda, 2012, Lee, Jeong, Yeo, Moon, 2012, Jang, Choi, 2014), only a limited number of articles exist for identifying XML injection vulnerabilities in web applications (Huang, Antunes, Laranjeiro, Vieira, Madeira, 2009, Antunes, Vieira, 2011, Asmawi, Affendey, Udzir, Mahmod, 2012). The existing works on SQL injection focus on detection/prevention of known patterns of SQL injection attacks. The proposed solutions for detecting SQL injection have their own pros and cons, and they are described as follows. Secure programming imparts overhead on developers for implementing the security guidelines during development (Bravenboer, Dolstra, Visser, 2007, XPath-Injection, Truelove, Svoboda). Signature-based approach does not prevent zero-day attacks, and suffers from false negatives when attack query matches the structure of a legitimate query (Huang, Mitropoulos, Karakoidas, Louridas, Spinellis, 2011, Antunes, Vieira, 2011). The knowledge-based approach requires new training whenever modifications are made to the source code of the application (Huang, Tsai, Lin, Huang, Lee, Kuo, 2005, Mitropoulos, Karakoidas, Spinellis, 2009, Rosa, Santin, Malucelli, 2013). The accuracy of machine learning approach is dependent on appropriate selection of the training set (Scholte, Robertson, Balzarotti, Kirda, 2012, Valeur, Mutz, Vigna, 2005, Menahem, Schclar, Rokach, Elovici, 2012, Chan, Lee, Heng, 2013). Existing approaches for addressing XML injection concentrate on detection/prevention of vulnerabilities/attacks in web services only, and cover a certain types of XML injection attacks only. Therefore, there is a demand for a system that is capable of detecting different kinds of XQuery injection vulnerabilities in native XML database-driven applications. Hence, this paper focuses on development of a prototype for the detection of XQuery injection vulnerabilities in web applications.

Taking into account the limitations of existing approaches, a prototype is developed following a query model-based approach for identifying XQuery injection vulnerabilities. The existing query model-based approaches employ static analysis for preventing SQL injection attacks and involve code instrumentation for identifying and preventing the attacks, whereas the proposed approach is a fully-automated black-box fuzzer which does not require access to the source code of the application and concentrates on identifying XQuery injection vulnerabilities. To the best of our knowledge, this is the first work that focuses on identifying XQuery injection vulnerabilities in web applications driven by native XML databases. The prototype detects different types of XQuery injection vulnerabilities as specified in OWASP (2014) guidelines. While the existing approaches detect different kinds of SQL injection attacks that are predefined, we have identified three new categories of attack vectors which are not listed in OWASP.

The major contributions of this work are as follows:

• We propose an automated black-box approach for identifying XQuery injection vulnerabilities in native XML database-driven web applications.

• We implement a prototype system called XQueryFuzzer based on the proposed approach.

• We propose an attack grammar to generate different types of XQuery attack strings for identifying vulnerabilities existing in the application and prove the consistency and completeness of the grammar.

• We identify three new categories of attacks namely, alternate encoding, evaluation function and XQuery comment injection attack that are specific to XQuery, but not listed in OWASP.¹

• We evaluate the effectiveness of the proposed approach using web applications that are customized to use native XML database for storing data.

The remainder of this paper is organized as follows. Section 2 provides a background on XQuery injection vulnerabilities. Section 3 presents the related work. The proposed approach and implementation details are described in Section 4. Section 5 discusses the new category of attacks identified with examples. Section 6 provides information on the experimental setup and discusses the results. The paper is concluded in the last section.