ABSTRACT
Although there is a large body of research on the detection and prevention of memory corruption attacks such as buffer overflows, integer overflows, and format string attacks, the web application security problem has received comparatively little attention from the research community. The majority of web application security problems originate from the fact that web applications fail to perform sanity checks on inputs from the network that are eventually used as operands of security-sensitive operations. A promising approach to this problem is therefore to apply proper checks to the tainted portions of the operands used in security-sensitive operations, where a byte is tainted if it is data- or control-dependent on some network packet(s). This paper presents the design, implementation and evaluation of a dynamic checking compiler called WASC, which automatically adds checks to web applications used in three-tier Internet services to protect them from the two most common types of web application attack: SQL injection and script injection. In addition to including a taint analysis infrastructure for multi-process and multi-language applications, WASC uses SQL and HTML parsers to defeat evasion techniques that exploit interpretation differences between attack detection engines and target applications. Experiments with a fully operational WASC prototype show that it stops all of the SQL/script injection attacks that we tested. Moreover, the end-to-end latency penalty associated with the checks inserted by WASC is less than 30% for the test web applications used in our performance study.
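The abstract's core idea, a per-byte taint bit on operands plus a parser-based check at the security-sensitive operation, can be illustrated on the SQL side with a small self-contained model. The following Python is an added example written for this page, not WASC's implementation: the taint representation, the toy SQL tokenizer and the acceptance rule (tainted bytes may only form the contents of a string literal or a numeric literal, never a delimiter, keyword, operator or comment) are all constructed here, and the sample queries and inputs are made up for the demonstration.

```python
"""Taint-tracked SQL operand check, in the spirit of WASC's parser-based approach.

Each byte of a query carries a taint bit; bytes derived from network input are
tainted.  Before the query is handed to the database, a small SQL tokenizer
(constructed for this example; not WASC's parser) locates every token, and the
check rejects the query if any tainted byte forms anything other than the
*contents* of a string literal or a numeric literal.  Tainted bytes that close a
quoted string, start a comment, or spell a keyword or operator change the
query's structure and are therefore rejected.
"""
import re

# A taint-tracked string is a list of (char, tainted) pairs, so taint survives
# concatenation and per-character transformations such as escaping.
def tainted(s):
    """Mark s as network-derived: every byte tainted."""
    return [(c, True) for c in s]

def trusted(s):
    """Mark s as a program constant: no byte tainted."""
    return [(c, False) for c in s]

def escape_quotes(tstr):
    """Application-side escaping (doubling single quotes).  Taint propagates to
    both copies because each is data-dependent on the input byte."""
    out = []
    for c, t in tstr:
        out.extend([(c, t), (c, t)] if c == "'" else [(c, t)])
    return out

TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op><=|>=|<>|!=|\|\||[(),;=<>*+\-/.])
""", re.VERBOSE | re.DOTALL)

def tokenize(text):
    """Yield (kind, start, end) for each token.  Bytes the grammar does not
    cover (for example an unterminated quote) are emitted as 'other' so the
    check still sees them."""
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            yield "other", pos, pos + 1
            pos += 1
            continue
        yield m.lastgroup, m.start(), m.end()
        pos = m.end()

def check_query(query):
    """Return (ok, reason); ok is False when tainted bytes alter query structure."""
    text = "".join(c for c, _ in query)
    taint = [t for _, t in query]
    for kind, start, end in tokenize(text):
        span = taint[start:end]
        if kind in ("ws", "number"):
            continue                     # a tainted numeric literal is harmless
        if kind == "string":
            # Delimiters must come from the program; the contents may be tainted.
            if span[0] or span[-1]:
                return False, f"tainted quote delimits string literal at {start}"
            continue
        if any(span):
            return False, f"tainted bytes in {kind} token {text[start:end]!r} at {start}"
    return True, "ok"

# Two constructed application queries; the request values are the taint source.
def lookup_by_name(name_from_request, escape=True):
    value = tainted(name_from_request)
    if escape:
        value = escape_quotes(value)
    return trusted("SELECT * FROM users WHERE name = '") + value + trusted("'")

def lookup_by_id(id_from_request):
    return trusted("SELECT * FROM users WHERE id = ") + tainted(id_from_request)

if __name__ == "__main__":
    cases = [
        lookup_by_name("alice"),
        lookup_by_name("O'Brien"),                            # escaped: one literal
        lookup_by_name("' OR '1'='1", escape=False),          # tainted byte closes the literal
        lookup_by_name("x'/**/OR/**/'1'='1", escape=False),   # comment-based evasion
        lookup_by_id("42"),
        lookup_by_id("42 OR 1=1"),                            # tainted keyword
    ]
    for q in cases:
        ok, why = check_query(q)
        print("ALLOW" if ok else "BLOCK", "".join(c for c, _ in q), "--", why)
```

Because the decision is made on the tokenized query rather than on the raw input, the check does not depend on recognising attack strings: the comment-based variant is rejected for the same reason as the plain one (a tainted byte terminates the string literal), and correctly escaped input passes because its taint stays inside one literal. A real implementation would use the database's own grammar for the tokenizer, which is the point of the abstract's remark about interpretation differences.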
Dynamic multi-process information flow tracking for web application security