Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications

Published: 01 February 2018

Abstract

As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. Attackers craft injection attacks against database-driven applications through the user-input fields intended for interacting with those applications. Even though precautionary measures such as user-input sanitization are employed on the client side of the application, attackers can disable JavaScript in the client and still inject attacks through HTTP parameters. The injected parameters result in attacks because of improper server-side validation of user input. An injected parameter may either contain malicious SQL/XML commands, leading to SQL/XPath/XQuery injection, or be an invalid input that is intended to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far on identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance because it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype, XiParam, is developed and tested on vulnerable applications built with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective at detecting both XQuery injection and parameter tampering vulnerabilities.
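As an added example that is not part of the paper or of the XiParam prototype, the following Python sketches the server-side counterpart of the two weaknesses the abstract describes: re-validating HTTP parameters independently of any client-side JavaScript (parameter tampering) and handing user values to BaseX as bound external variables instead of concatenating them into XQuery text (XQuery injection). The order form, its constraints and the document name catalog.xml are constructed for illustration.

```python
from typing import Dict, Tuple

class TamperedParameter(ValueError):
    """An HTTP parameter violates the server-side constraints."""

# Constructed constraints for a hypothetical order form. The client-side
# JavaScript rules are repeated here because a client can disable that
# JavaScript and send arbitrary HTTP parameters.
ORDER_SPECS = {
    "item": {"kind": "str", "max_len": 32},
    "quantity": {"kind": "int", "min": 1, "max": 100},
}

def validate_params(specs: Dict[str, dict], params: Dict[str, str]) -> Dict[str, object]:
    """Return typed, range-checked values or raise TamperedParameter."""
    clean: Dict[str, object] = {}
    for name, spec in specs.items():
        raw = params.get(name)
        if raw is None:
            raise TamperedParameter(f"missing parameter {name}")
        if spec["kind"] == "int":
            try:
                value: object = int(raw)
            except ValueError:
                raise TamperedParameter(f"{name} is not an integer") from None
            if not spec["min"] <= value <= spec["max"]:
                raise TamperedParameter(f"{name} outside {spec['min']}..{spec['max']}")
        else:
            value = str(raw)
            if len(value) > spec["max_len"]:
                raise TamperedParameter(f"{name} longer than {spec['max_len']}")
        clean[name] = value
    return clean

def build_order_query(clean: Dict[str, object]) -> Tuple[str, Dict[str, object]]:
    """Build an XQuery whose text never contains user data. Values travel as
    external variables that BaseX binds to $item/$quantity before evaluation,
    so a quote or operator in the input stays data, not query syntax."""
    query = (
        "declare variable $item external;\n"
        "declare variable $quantity external;\n"
        'for $i in doc("catalog.xml")//item[name = $item]\n'
        "return <order>{ $i/name }<qty>{ $quantity }</qty></order>"
    )
    return query, {"item": clean["item"], "quantity": clean["quantity"]}

def handle_order(params: Dict[str, str]) -> Tuple[str, Dict[str, object]]:
    """Server-side entry point: validate first, then build the safe query."""
    return build_order_query(validate_params(ORDER_SPECS, params))
```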

Cited By

View all
  • (2021) Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review. ACM Computing Surveys 54(9), 1-35. https://doi.org/10.1145/3474553. Online publication date: 8 Oct 2021

Published In

International Journal of Information Security  Volume 17, Issue 1
February 2018
117 pages
ISSN:1615-5262
EISSN:1615-5270

Publisher

Springer-Verlag

Berlin, Heidelberg

Author Tags

  1. Fuzz testing
  2. Injection attacks
  3. Logic vulnerabilities
  4. Vulnerability scanner
  5. Web application security
  6. XML injection

Qualifiers

  • Article
