ABSTRACT
Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through a low-level API by dynamically constructing query strings within a general-purpose programming language, such as Java. This low-level interaction is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the web application to generate unintended output. This is called a command injection attack, which poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the database query or the output document must change the intended syntactic structure of the query or document. Our definition and algorithm are general and apply to many forms of command injection attacks. We validate our approach with SqlCheckS, an implementation for the setting of SQL command injection attacks. We evaluated SqlCheckS on real-world web applications with systematically compiled real-world attack data as input. SqlCheckS produced no false positives or false negatives, incurred low runtime overhead, and applied straightforwardly to web applications written in different languages.
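The key observation above (an input is harmless only if it occupies one complete syntactic form in the generated query) as an added, simplified Python illustration; this is not SqlCheckS or the paper's own algorithm. It assumes a toy SELECT/WHERE grammar and two constructed marker characters (`‹` and `›`) that the application wraps around each user input before the finished query is lexed and parsed.

```python
import re

# Constructed marker characters that bracket each user-supplied substring.
L, R = "\u2039", "\u203a"
# A marked substring may lex only as ONE complete literal token (a quoted string whose
# whole content is marked, or a marked integer); any other marker ends up as "bad".
TOKEN_RE = re.compile(
    rf"\s*(?:(?P<str>'(?:{L}(?:[^'{R}]|'')*{R}|(?:[^'{L}{R}]|'')*)')"
    rf"|(?P<num>{L}\d+{R}|\d+)|(?P<kw>SELECT|FROM|WHERE|AND|OR)\b"
    r"|(?P<id>[A-Za-z_]\w*)|(?P<cmp><>|<=|>=|[=<>])|(?P<punc>[*,])|(?P<bad>.))", re.I)

def tokenize(query):
    return [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(query.strip())]

def parse(toks):
    """Recursive-descent check of: SELECT id {, id} FROM id WHERE id cmp value {AND|OR ...}."""
    i = 0
    def take(*kinds, text=None):  # consume one expected token, return the look-ahead
        nonlocal i
        if i == len(toks) or toks[i][0] not in kinds or text not in (None, toks[i][1].upper()):
            raise SyntaxError(f"unexpected token at position {i}: {toks[i:i + 1]}")
        i += 1
        return toks[i] if i < len(toks) else (None, None)
    take("kw", text="SELECT")
    while take("id") == ("punc", ","):
        take("punc")
    take("kw", text="FROM"); take("id"); take("kw", text="WHERE")
    while True:
        take("id"); take("cmp"); nxt = take("str", "num", "id")  # value must be one whole token
        if nxt[0] != "kw" or nxt[1].upper() not in ("AND", "OR"):
            break
        take("kw")
    if i != len(toks):
        raise SyntaxError("trailing tokens")
    return True

def build(template, *inputs):
    """The application's query template with each user input bracketed by markers."""
    if any(L in s or R in s for s in inputs):
        raise ValueError("marker characters must not occur in user input")
    return template.format(*(L + s + R for s in inputs))

def is_safe(query):
    """True iff every input is exactly one literal and the whole query still parses."""
    try:
        return parse(tokenize(query))
    except SyntaxError:
        return False

TEMPLATE = "SELECT name, pin FROM users WHERE name = '{}' AND pin = {}"
```

An input that is an escaped name such as `O''Brien` stays inside its string literal and passes, while a tautology or an extra clause spills a marker out of the literal and is rejected before the query reaches the database.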
The essence of command injection attacks in web applications. In Proceedings of the 2006 POPL Conference.