DOI: 10.1145/2987386.2987432
Research article

Runtime Input Validation for Java Web Applications using Static Bytecode Instrumentation

Published: 11 October 2016

Abstract

As web applications become more prominent with the ubiquity of web services, they have become primary targets for attackers. To steal or leak the sensitive user data that web applications manage, attackers exploit a wide range of input validation vulnerabilities such as SQL injection, path traversal (directory traversal) and cross-site scripting (XSS). This paper proposes a technique that verifies the input values of Java-based web applications using static bytecode instrumentation and runtime input validation. The technique searches compiled Java class files for target methods or object constructors and statically inserts bytecode modules at those sites. At runtime, the instrumented bytecode modules validate the input values reaching the targets and take countermeasures against malicious inputs. Because it operates on class files, the technique can mitigate input validation vulnerabilities in Java-based web applications without access to the source code. To evaluate its effectiveness, experiments were carried out on an insecure web application maintained by the OWASP WebGoat Project. The experimental results show that the proposed technique successfully mitigates input validation vulnerabilities such as SQL injection and path traversal.
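The following is an added example, not the paper's own code, showing the shape of the technique the abstract describes: an offline tool that scans a compiled class file for target call sites (here `java.sql.Statement.execute*(String)` and the `File`/`FileInputStream(String)` constructors), inserts a static call to a runtime check before each one, and writes the class back. The guard class name, the list of targets, the SQL deny-list and the base directory are assumptions chosen for illustration; it uses the OW2 ASM library (`org.ow2.asm:asm`), which must be on the classpath.

```java
// Added example (not from the paper). Assumptions: guard class name, target list,
// deny-list pattern and BASE directory are illustrative. Requires org.ow2.asm:asm.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

public final class GuardInstrumenter {

    /** Runtime validation module; must be on the classpath of the instrumented application. */
    public static final class InputGuard {
        // Assumed deny-list of comment, terminator and tautology tokens. Illustrative only: at the
        // executeQuery() call site the statement is already assembled, so this is a last-line
        // mitigation, not a replacement for PreparedStatement parameters.
        private static final Pattern SQL_DENY =
            Pattern.compile("(?i)(--|/\\*|;|'\\s*or\\s|\\bunion\\s+select\\b)");
        // Assumed directory that application file access must stay inside.
        private static final Path BASE = Paths.get("/var/app/files").toAbsolutePath().normalize();

        public static String checkSql(String sql) {
            if (sql != null && SQL_DENY.matcher(sql).find()) {
                throw new SecurityException("blocked SQL: " + sql);   // countermeasure: abort the call
            }
            return sql;
        }

        public static String checkPath(String userPath) {
            // normalize() collapses "../" and "./"; startsWith() then rejects anything that escapes
            // BASE, including absolute paths and traversal only visible after normalization.
            Path resolved = BASE.resolve(userPath).normalize();
            if (!resolved.startsWith(BASE)) {
                throw new SecurityException("blocked path: " + userPath);
            }
            return userPath;   // value is vetted, not rewritten, so application semantics are kept
        }
    }

    private static final String GUARD = "GuardInstrumenter$InputGuard";
    private static final String STR_TO_STR = "(Ljava/lang/String;)Ljava/lang/String;";

    /** Rewrites one class file so that every targeted call is preceded by a guard call. */
    static byte[] instrument(byte[] classBytes) {
        ClassReader cr = new ClassReader(classBytes);
        // COMPUTE_MAXS suffices: each inserted INVOKESTATIC pops one String and pushes one
        // String, so operand-stack shape and the existing stack-map frames are unchanged.
        ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_MAXS);
        cr.accept(new ClassVisitor(Opcodes.ASM9, cw) {
            @Override
            public MethodVisitor visitMethod(int acc, String name, String desc, String sig, String[] exc) {
                MethodVisitor mv = super.visitMethod(acc, name, desc, sig, exc);
                return new MethodVisitor(Opcodes.ASM9, mv) {
                    @Override
                    public void visitMethodInsn(int op, String owner, String m, String d, boolean itf) {
                        // Target 1: Statement.execute*(String). Stack before the call is [stmt, sql];
                        // checkSql consumes sql and pushes it back, or throws.
                        if (owner.equals("java/sql/Statement")
                                && (m.equals("executeQuery") || m.equals("executeUpdate") || m.equals("execute"))
                                && d.startsWith("(Ljava/lang/String;)")) {
                            super.visitMethodInsn(Opcodes.INVOKESTATIC, GUARD, "checkSql", STR_TO_STR, false);
                        }
                        // Target 2: new File(String) / new FileInputStream(String). Stack is
                        // [ref, ref, path]; checkPath consumes path and pushes it back, or throws.
                        else if (op == Opcodes.INVOKESPECIAL && m.equals("<init>")
                                && d.equals("(Ljava/lang/String;)V")
                                && (owner.equals("java/io/File") || owner.equals("java/io/FileInputStream"))) {
                            super.visitMethodInsn(Opcodes.INVOKESTATIC, GUARD, "checkPath", STR_TO_STR, false);
                        }
                        super.visitMethodInsn(op, owner, m, d, itf);   // the original call, now guarded
                    }
                };
            }
        }, 0);
        return cw.toByteArray();
    }

    /** Usage: java -cp asm.jar:. GuardInstrumenter path/to/Target.class   (rewrites in place) */
    public static void main(String[] args) throws IOException {
        Path classFile = Paths.get(args[0]);
        Files.write(classFile, instrument(Files.readAllBytes(classFile)));
    }
}
```

Two caveats a practitioner would want before relying on this. First, matching is on the owner the compiler emitted for the call, so a query issued through a variable typed as a subinterface (for example `java.sql.CallableStatement`) is not caught; a complete tool resolves the class hierarchy rather than comparing owner strings. Second, the SQL check is a deny-list applied to an already-assembled statement, which is exactly the kind of check attackers probe for gaps; it is a stop-gap for code you cannot change, and the durable fix remains parameterised queries in the application itself.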


Cited By

  • (2023) Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations. Sensors 23(13):6067, doi:10.3390/s23136067. Online publication date: 30 Jun 2023.
  • (2020) On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications. Applied Sciences 10(24):9119, doi:10.3390/app10249119. Online publication date: 20 Dec 2020.
  • (2019) Prediction of SQL Injection Attacks in Web Applications. Computational Science and Its Applications – ICCSA 2019, pp. 496-505, doi:10.1007/978-3-030-24305-0_37. Online publication date: 29 Jun 2019.

Published In

RACS '16: Proceedings of the International Conference on Research in Adaptive and Convergent Systems
October 2016
266 pages
ISBN:9781450344555
DOI:10.1145/2987386
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Java web application
  2. SQL injection
  3. bytecode instrumentation
  4. input validation
  5. path traversal

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

RACS '16
Acceptance Rates

RACS '16 Paper Acceptance Rate 40 of 161 submissions, 25%;
Overall Acceptance Rate 393 of 1,581 submissions, 25%
