DOI: 10.1145/1111037.1111070

The essence of command injection attacks in web applications

Published: 11 January 2006

ABSTRACT

Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through a low-level API by dynamically constructing query strings within a general-purpose programming language, such as Java. This low-level interaction is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the web application to generate unintended output. This is called a command injection attack, which poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the database query or the output document must change the intended syntactic structure of the query or document. Our definition and algorithm are general and apply to many forms of command injection attacks. We validate our approach with SQLCHECK, an implementation for the setting of SQL command injection attacks. We evaluated SQLCHECK on real-world web applications with systematically compiled real-world attack data as input. SQLCHECK produced no false positives or false negatives, incurred low runtime overhead, and applied straightforwardly to web applications written in different languages.
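The key observation in the abstract, that a successful injection must change the intended syntactic structure of the query, can be checked mechanically: bracket each untrusted value with a random mark before the query string is assembled, parse the assembled query with a mark-aware lexer, and accept only if the marked substring is exactly one node of the parse tree. The code below is an added example written for this page; it is not the paper's SQLCHECK implementation and does not use the paper's grammar. The SQL subset (a single-table SELECT with an AND/OR condition), the mark scheme built on `secrets.token_hex`, the policy set `ALLOWED`, and the functions `lex`, `Parser`, `check` and `is_safe` are all assumptions of this example, and the inputs exercised below are constructed.

```python
import re
import secrets

# Assumed toy grammar (not the paper's SQLCHECK grammar): one-table SELECT whose
# WHERE clause is an AND/OR combination of `operand = operand`.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}
ALLOWED = {"TEXT", "NUM"}  # policy: user input may form a string body or a number

def lex(sql, mark):
    """Mark-aware lexer: the random mark is its own token wherever it appears, even
    inside string literals and comments, so the stream records exactly which tokens
    came from user input. Doubled-quote escapes ('') are not modelled."""
    toks, i, mode = [], 0, "sql"
    while i < len(sql):
        if sql.startswith(mark, i):
            toks.append(("MARK", mark)); i += len(mark); continue
        stop = sql.find(mark, i)                          # never lex across a mark
        seg = sql[i:] if stop < 0 else sql[i:stop]
        c = seg[0]
        if mode == "str":                                 # inside '...': QUOTE TEXT QUOTE
            if c == "'": toks.append(("QUOTE", c)); mode = "sql"; i += 1
            else: text = seg.split("'", 1)[0]; toks.append(("TEXT", text)); i += len(text)
        elif mode == "comment":                           # after "--", to end of line
            if c == "\n": mode = "sql"; i += 1
            else: text = seg.split("\n", 1)[0]; toks.append(("COMMENT", text)); i += len(text)
        elif c.isspace():
            i += 1
        elif c == "'":
            toks.append(("QUOTE", c)); mode = "str"; i += 1
        elif seg.startswith("--"):
            mode = "comment"                              # body is consumed on the next pass
        else:
            m = re.match(r"[A-Za-z_]\w*|\d+|[=*]", seg)
            if not m: raise ValueError(f"unexpected character {c!r} at {i}")
            v = m.group()
            kind = v if v in ("=", "*") else "NUM" if v.isdigit() else (v.upper() if v.upper() in KEYWORDS else "ID")
            toks.append((kind, v)); i += len(v)
    return toks

class Parser:
    """Recursive descent over the mark-free tokens; records the half-open token range and kind of every node."""
    def __init__(self, toks):
        self.toks, self.pos, self.spans = toks, 0, {}
    def peek(self):
        return self.toks[self.pos][0] if self.pos < len(self.toks) else "EOF"
    def eat(self, kind):                                  # every terminal is a node too
        if self.peek() != kind: raise ValueError(f"expected {kind}, got {self.peek()} at token {self.pos}")
        self.pos += 1; self.spans.setdefault((self.pos - 1, self.pos), set()).add(kind)
    def node(self, rule):                                 # run a nonterminal, record its span
        start = self.pos; rule(); self.spans.setdefault((start, self.pos), set()).add(rule.__name__)
    def query(self):
        for k in ("SELECT", "*", "FROM", "ID", "WHERE"):
            self.eat(k)
        self.node(self.cond)
        while self.peek() == "COMMENT":
            self.eat("COMMENT")
        if self.peek() != "EOF":
            raise ValueError("trailing tokens after the WHERE clause")
    def cond(self):
        self.node(self.term)
        while self.peek() == "OR":
            self.eat("OR"); self.node(self.term)
    def term(self):
        self.node(self.factor)
        while self.peek() == "AND":
            self.eat("AND"); self.node(self.factor)
    def factor(self):
        self.node(self.operand); self.eat("="); self.node(self.operand)
    def operand(self):
        if self.peek() in ("ID", "NUM"):
            self.eat(self.peek())
        else:
            self.eat("QUOTE")
            if self.peek() == "TEXT":
                self.eat("TEXT")
            self.eat("QUOTE")

def check(sql, mark):
    """True iff the query parses and the marked substring is exactly one parse-tree
    node of an allowed kind; an empty input changes no structure and is allowed."""
    clean, bounds = [], []
    for kind, value in lex(sql, mark):
        if kind == "MARK":
            bounds.append(len(clean))
        else:
            clean.append((kind, value))
    if len(bounds) != 2:
        raise ValueError("expected exactly one marked input")
    parser = Parser(clean); parser.query()
    span = (bounds[0], bounds[1])
    return span[0] == span[1] or bool(ALLOWED & parser.spans.get(span, set()))

def is_safe(user_input, numeric=False):
    """Hypothetical application hook: assemble the query exactly as a concatenating
    application would, but bracket the untrusted value with a fresh random mark."""
    mark = secrets.token_hex(8)
    sql = (f"SELECT * FROM users WHERE id = {mark}{user_input}{mark}" if numeric
           else f"SELECT * FROM users WHERE name = '{mark}{user_input}{mark}'")
    try:
        return check(sql, mark)
    except ValueError:  # unparsable query: reject rather than guess
        return False
```

With this check, `alice`, `Mary Ann` and even `alice OR bob` are accepted, because each lexes to a single TEXT node inside the literal the application intended; a keyword blacklist would have rejected the last one for no reason. `' OR '1'='1`, `1 OR 1=1` and `admin' --` are rejected because the marked tokens straddle several nodes (a literal, an OR, another comparison, or a comment), and `id` in the numeric slot is rejected by the policy set even though it is a single node, since a column name in a value position turns the comparison into a tautology. The mark has to be random and per request so that an attacker cannot close it early, and the lexer has to honour it inside literals and comments, otherwise the comment in `admin' --` would swallow the closing mark. The example does not model `''` escapes or the full SQL grammar; a real checker needs the target database's grammar.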

Published in

POPL '06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2006, 432 pages
ISBN: 1595930272
DOI: 10.1145/1111037

Also in ACM SIGPLAN Notices, Volume 41, Issue 1: Proceedings of the 2006 POPL Conference
January 2006, 421 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/1111320

Copyright © 2006 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery
New York, NY, United States