DOI: 10.1145/2133601.2133605
Research article

SENTINEL: securing database from logic flaws in web applications

Published: 07 February 2012

Abstract

Logic flaws within web applications allow attackers to disclose or tamper with sensitive information stored in back-end databases, since the web application usually acts as the single trusted user that interacts with the database. In this paper, we model the web application as an extended finite state machine and present a black-box approach for deriving the application specification and detecting malicious SQL queries that violate the specification. Several challenges arise, such as how to extract persistent state information in the database and how to infer data constraints. We systematically extract a set of invariants from observed SQL queries and responses, as well as session variables, and use them as the application specification. Any suspicious SQL query that violates the corresponding invariants is identified as a potential attack. We implement a prototype detection system, SENTINEL (SEcuriNg daTabase from logIc flaws iN wEb appLication), and evaluate it using a set of real-world web applications. The experimental results demonstrate the effectiveness of our approach and show that our implementation incurs acceptable performance overhead.
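As an added illustration of the invariant-based detection the abstract describes (example code written for this page, not the SENTINEL prototype), the following learns from a constructed trace that the constant in a query's WHERE clause must always equal the session's user id, then flags a query that breaks that relation. The table `invoices`, the session variable `uid` and the trace itself are constructed assumptions.

```python
import re

# Constructed training trace of (session variables, SQL query) pairs, as would
# be observed while a legitimate user drives the application (assumed data).
TRAINING = [
    ({"uid": 7, "role": "user"}, "SELECT * FROM invoices WHERE owner_id = 7"),
    ({"uid": 12, "role": "user"}, "SELECT * FROM invoices WHERE owner_id = 12"),
    ({"uid": 3, "role": "user"}, "SELECT * FROM invoices WHERE owner_id = 3"),
]

# Literal constants in a query: single-quoted strings or bare integers.
CONST_RE = re.compile(r"'[^']*'|\b\d+\b")


def signature(sql):
    """SQL signature: the query with every literal constant replaced by '?'."""
    return CONST_RE.sub("?", sql)


def constants(sql):
    """The literal constants of a query, in order, with quotes stripped."""
    return [c.strip("'") for c in CONST_RE.findall(sql)]


def learn_invariants(trace):
    """Per signature, the session variables each constant position always equals.

    An empty set at a position means no such relation held across the trace.
    """
    invariants = {}
    for session, sql in trace:
        sig, consts = signature(sql), constants(sql)
        cands = invariants.setdefault(sig, [set(session) for _ in consts])
        for i, c in enumerate(consts):
            # Keep only the session variables whose value matches this constant.
            cands[i] &= {k for k, v in session.items() if str(v) == c}
    return invariants


def check_query(invariants, session, sql):
    """Return None if the query satisfies its learned invariants, else a reason."""
    sig = signature(sql)
    if sig not in invariants:
        return "unknown SQL signature: " + sig
    for i, c in enumerate(constants(sql)):
        cands = invariants[sig][i]
        if cands and not any(str(session.get(k)) == c for k in cands):
            return f"constant {c!r} at position {i} does not match session {sorted(cands)}"
    return None
```

A query whose signature was never observed is reported as well, since the learned specification has nothing to say about it.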




Published In

CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and Privacy
February 2012
338 pages
ISBN:9781450310918
DOI:10.1145/2133601
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. SQL signature
  2. extended finite state machine
  3. invariant
  4. logic flaw
  5. web application security

Qualifiers

  • Research-article

Conference

CODASPY'12

Acceptance Rates

CODASPY '12 Paper Acceptance Rate 21 of 113 submissions, 19%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Article Metrics

  • Downloads (Last 12 months)18
  • Downloads (Last 6 weeks)1
Reflects downloads up to 07 Mar 2025

Cited By
  • (2023) Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2658-2675. DOI: 10.1109/SP46215.2023.10179317. Published May 2023.
  • (2021) Black Widow: Blackbox Data-driven Web Scanning. 2021 IEEE Symposium on Security and Privacy (SP), pp. 1125-1142. DOI: 10.1109/SP40001.2021.00022. Published May 2021.
  • (2021) Critical Understanding of Security Vulnerability Detection Plugin Evaluation Reports. 2021 28th Asia-Pacific Software Engineering Conference (APSEC), pp. 275-284. DOI: 10.1109/APSEC53868.2021.00035. Published Dec 2021.
  • (2019) Evaluating the web-application resiliency to business-layer DoS attacks. ETRI Journal 42(3), pp. 433-445. DOI: 10.4218/etrij.2019-0164. Published 15 Dec 2019.
  • (2016) Use-Case 2.0. Queue 14(1), pp. 94-123. DOI: 10.1145/2898442.2912151. Published 28 Jan 2016.
  • (2016) Borg, Omega, and Kubernetes. Queue 14(1), pp. 70-93. DOI: 10.1145/2898442.2898444. Published 1 Jan 2016.
  • (2016) Toward Exploiting Access Control Vulnerabilities within MongoDB Backend Web Applications. 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), pp. 143-153. DOI: 10.1109/COMPSAC.2016.207. Published Jun 2016.
  • (2015) FlowWatcher. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 603-615. DOI: 10.1145/2810103.2813639. Published 12 Oct 2015.
  • (2014) Automated black-box detection of access control vulnerabilities in web applications. Proceedings of the 4th ACM conference on Data and application security and privacy, pp. 49-60. DOI: 10.1145/2557547.2557552. Published 3 Mar 2014.
  • (2014) A survey on server-side approaches to securing web applications. ACM Computing Surveys 46(4), pp. 1-29. DOI: 10.1145/2541315. Published 1 Mar 2014.
