The use of web applications has been increased by leaps and bounds over the past few years. Majority of these web applications were built without keeping security in mind. Most of these applications deal with sensitive financial and medical data, hence it is very important to protect these applications from hacker attacks [Lam, 2008]. According to a survey made by the Application Defense Center, 92% of the web applications from e-commerce, online banking, enterprise collaboration and supply chain management are susceptible to attacks [Lam, 2008]. The attacks in web applications occur because they mistakenly trust the data returned from a client [Scott, 2002].
SQL Injection and cross-site scripting attack are the two most common and dangerous web vulnerabilities that annoy the web applications. These vulnerabilities allow attackers to access web applications without permission, obtain sensitive information like credit card or social security numbers, and steal merchandise or transfer funds from commercial web sites. These vulnerabilities are caused because of improper input validation. In both SQL injection and cross-site scripting attacks, the attacker modifies the user data, inserts malicious code into the data and executes it. In SQL injection, the attacker executes malicious SQL statements by exploiting the inadequate validation of the input data provided by the user [Kieyzun, 2009]. In cross-site scripting attack, the attacker crafts the input provided by the user and injects malicious code into it which is then executed on the victim's client machine.
A lot of effort has been put to identify SQL injection and cross-site scripting vulnerabilities and prevent the damage caused by these attacks on the web applications. One such mechanism is to use high-level input validation in order to block malicious content from reaching the web applications [Huang, 2003]. Despite several efforts to improve security of the web applications, still large number of websites suffer from serious application-level security holes [Scott, 2002]. Hence, higher-level tools and techniques are required to address this issue.
The goal of this paper is to provide a detailed description on SQL injection and cross-site scripting attacks, how to exploit these attacks and discuss various high-level tools and techniques to detect these attacks.
Literature Review
Cross-site scripting attack is one of the most common but at the same time a very dangerous attack in which the attacker crafts the malicious code into the user input and gain access privileges to sensitive information. According to [Wurzinger, 2009] "XSS attacks leverage insufficient input/output validation in the attacked Web application to inject JavaScript code, which is then executed on the victim's machine." He developed a server-side solution called SWAP (Secure Web Application Proxy) to identify and protect web applications against the cross-site scripting attacks. Using SWAP, he was able to detect and prevent cross-site scripting attacks successfully.
SQL injection is a vulnerability in which the attacker sends SQL input that modifies the actual query or it completely executes a new query in the database. As a result of this, the attacker can gain access privileges to user data, manipulate the data and can even compromise other servers. According to [Kieyzun, 2004], "SQL injection vulnerability results from the application's use of user input in constructing database statements." The author created an automated tool Ardilla for detecting SQL injection and cross-site scripting attacks in PHP/MySQL applications. This tool was the first to precisely detect the second-order cross-site scripting attacks. With this tool, they were able to detect these two attacks with high accuracy [Kieyzun, 2004].
Another technique to detect and exploit the SQL injection and cross-site scripting attacks is proposed by Huang, Lin, and Tsai. As the number of attacks on the web applications are increasing very rapidly, it is necessary to detect and protect the web applications from these attacks. The authors used an interface that takes the form of a crawler to make dynamic analysis of web applications. Using this technique, they were able to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting [Huang, 2003].
We know that SQL injection and cross-site scripting are the two most common and dangerous vulnerabilities that plague web applications. According to [Lam, 2008], these vulnerabilities are caused by allowing invalidated input which will be used by the attacker to damage the application. The author used a high-level declarative language called PQL (Program Query Language) to detect these attacks and recover from these attacks. Using this language, they were able to detect large number of vulnerabilities very accurately and were able to recover from these attacks. They used algorithms and applied them to a large set of web-applications to detect the vulnerabilities.
In another paper "Abstracting Application-Level Web Security", the author explains that large number of interactions that is occurring between various components of websites make application-level security very complex. They found that the SQL injection, cross-site scripting and form modification are the major application-level attacks. "They used a system that consists of a specialized Security Policy Description Language (SPDL) in which the security policies are written" [Scott, 2002]. They used a security gateway which is placed between the server and the client which acts as an application-level firewall. Using this technique they were able to address the problem of application-level web security and presented a tool to develop secure web applications.
These various tools and techniques proposed by the authors can be used in order to detect web SQL injection and Cross-site scripting attacks in web applications and some of these techniques can also be used to heal the web applications. By properly utilizing these tools we can accurately determine the various web attacks. From my research, by properly validating the input, by disallowing special characters in the http forms and by using secured stored procedures we can prevent the SQL injection and Cross-site scripting attacks from damaging the web applications.
Annotated Bibliographies
1. Annotated Bibliography for the paper "SWAP: Mitigating XSS attacks using a reverse proxy"
References: [Wurzinger, 2009] Wurzinger, Peter, Christian Platzer, Engin Kirda, Christopher Kruegel, and Christian Ludl. "SWAP: Mitigating XSS Attacks Using a Reverse Proxy." IEEE Computer Society (2009): 33-39
Title: SWAP: Mitigating XSS attacks using a reverse proxy
Authors: Peter Wurzinger, Christian Platzer, Christian Ludl, Engin Kirda, and Christopher Kruegel
Published: IEEE Computer Society. Washington, DC, USA
Source: Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems. May2009
Research Objective: The usage of SWAP (Secure Web Application Proxy), a server-side solution in order to detect and prevent cross-site scripting attacks.
Research Methods: In this research paper, the authors use a novel approach to protect users against XSS attacks without making any modifications on the client-side. A Web browser is positioned on a reverse proxy before the server which receives the java script. By utilizing this Web browser, we can distinguish between the original and injected JavaScript code. Each requested page is loaded on the web browser which is attached to a reverse proxy and is verified for malicious content and if there is no malicious content on the page it is delivered to the client.
Conclusion of Research: The authors explain the importance of SWAP in detecting and defeating cross-site scripting attacks by developing a prototype and conducting experiments.
Limitation of Research: SWAP can only detect malicious java script injected into a web page. It cannot protect against other types of undesirable content.
Related to Paper: Important information about cross-site scripting attacks and their prevention is provided which can be useful in further research.
2. Annotated Bibliography for the paper "Automatic creation of SQL Injection and cross-site scripting attacks."
Reference: [Kieyzun, 2009] Kieyzun, Adam, Philip J. Guo, Karthick Jayaraman, and Michael D Ernst. Automatic creation of SQL Injection and cross-site scripting attacks. IEEE COMPUTER SOCIETY (2009):199-209.Web. <http://delivery.acm.org.libproxy2.usouthal.edu/10.1145/1560000/1555036/05070521.pdf?key1=1555036&key2=0295875721&coll=Portal&dl=ACM&CFID=90573955&CFTOKEN=39116473>.
Title: Automatic creation of SQL Injection and cross-site scripting attacks
Authors: Adam Kieyzun, Philip J. Guo, Karthick Jayaraman, Michael D Ernst
Published: IEEE COMPUTER SOCIETY (2009):199-209
Source: International Conference on Software Engineering. 2009
Reference Link: [Kieyzun, 2004].
Research Objective: To create inputs and expose the SQL injection and cross-side scripting vulnerabilities by using an automatic technique.
Research Method(s): SQL injection and cross-site scripting attacks are the most prevailing and dangerous security vulnerabilities. In this paper the authors created an automated tool named Ardilla to exploit these attacks. This tool is based on input generation, taints propagation, and input mutation to find variants of an execution that exploit vulnerability. The input generator record path constraints and iteratively generates new inputs which explores the control-flow paths. Ardilla then detects vulnerabilities using dynamic taint analysis. Ardilla treats data coming from user as unsafe and tracks the flow of the data through the database and marks it with a stored taint while retrieving it. Only data that was tainted upon storing is tainted upon retrieval. Because of this Ardilla detects second-order XSS attacks accurately. And finally to demonstrate vulnerability, Ardilla creates concrete attack vectors by systematically mutating inputs that propagate taints to sensitive sinks. Ardilla then checks whether the attack subverts the behavior of database and identify real vulnerabilities. These vulnerabilities identified can be fixed before the software reaches the user
Conclusion of Research: The authors were able to exploit the most damaging type of web application attack: stored XSS very accurately using the automated tool Ardilla. They used novel attack checkers to detect vulnerabilities with high accuracy and found 68 attack vectors in five programs, each exposing a different vulnerability.
Limitation of Research: Ardilla can create inputs only for one PHP script at a time and cannot simulate sessions. It can only generate attacks for a sensitive sink only if the input generator creates an input that reaches the sink. Ardilla input generation is poor on larger applications.
Related to Paper: This paper provides tool to exploit web application attacks which helps in further research on improving web security.
3. Annotated Bibliography for the paper "Web application security assessment by fault injection and behavior monitoring."
Reference: [Huang, 2003] Huang, Yao-Wen, Shih-Kun Huang, Tsung-Po Lin, and Chung-Hung Tsai. Web application security assessment by fault injection and behavior monitoring. ACM (2003): 148-159.Web. <http://delivery.acm.org.libproxy2.usouthal.edu/10.1145/780000/775174/p148-huang.pdf?key1=775174&key2=9015875721&coll=Portal&dl=ACM &CFID=90573955&CFTOKEN=39116473>.
Title: Web application security assessment by fault injection and behavior monitoring
Authors: Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, Chung-Hung Tsai
Published: ACM (2003): 148-159.
Source: International World Wide Web Conference. 2003.
Reference Link: [Huang, 2003].
Research Objective: To adopt software-engineering techniques to design a security assessment tool for Web applications.
Research Method(s): To analyze the web application security assessment mechanisms in order to identify poor coding practices, the authors used an interface that takes the form of a crawler to make dynamic analysis of web applications. They used this crawling mechanism and performed reverse engineering of a web application to identify all data entry points. They used a self-learning injection knowledge base and applied fault-injection techniques to detect SQL injection vulnerabilities. To interpret the injection replies, a novel reply analysis algorithm is used along with crawler. The crawler is equipped with the same capabilities of a web browser to make it vulnerable to malicious scripts. A secure execution environment (SEE) was built around the crawler to detect anomalies. To test the behavior of the page's dynamic components, all pages of a web application are loaded into the crawler and executed. Any abnormal behavior causes the SEE to halt the crawler and verify the information. In this way malicious scripts hidden inside web applications are detected.
Conclusion of Research: The authors designed a crawler interface that incorporates web browser functions and uses various mechanisms and detected known and unknown malicious scripts while self-protecting it.
Limitation of Research: This crawler mechanism was unable to detect exploits of Denial of Service and private information disclosure which requires more sophisticated mechanisms.
Related to Paper: The mechanism applied in this paper to test and analyze web applications can be helpful in improving the security attributes.
4. Annotated Bibliography for the paper "Securing web applications with static and dynamic information flow tracking."
Reference: [Lam, 2008] Lam, Monica S., Michael Martin, Benjamin Livshits, and John Whaley. Securing web applications with static and dynamic information flow tracking. ACM (2008): 3-12.Web. <http://delivery.acm.org.libproxy2.usouthal.edu/10.1145/1330000/1328410/p3-lam.pdf?key1=1328410&key2=9165875721&coll=Portal&dl=ACM& CFID=90573955&CFTOKEN=39116473>
Title: Securing web applications with static and dynamic information flow tracking
Authors: Monica S.Lam, Michael Martin, Benjamin Livshits, John Whaley
Published: ACM (2008):3-12.
Source: ACM/SIGPLAN Workshop Partial Evaluation and Semantics-Based Program Manipulation. 2008.
Reference Link: [Lam, 2008].
Research Objective: To describe a language PQL (Program Query Language) that allows users to declare information flow patterns concisely and declaratively.
Research Method(s): The authors describe a high-level declarative language called PQL (Program Query Language) that allows programmers to describe a class of information flow as a pattern that resembles Java code. They use a system that automatically detects the existence of information flow in a program matching a specified pattern both statically and dynamically, the programmer can then specify the corrective actions to take if such a pattern is detected dynamically. Thus, the program heals automatically rather than simply reporting an error and terminating the program. This auto-healing prevent users from mounting a denial-of-service attack by crashing the program.
Conclusion of Research: The authors used a language PQL that can automatically find a large number of security vulnerabilities in real-life web applications by describing information flow, context-sensitive pointer alias analysis, dynamic monitoring, and model checking
Limitation of Research: PQL doesn't handle PHP, i.e. it doesn't detect failures to validate input and output in PHP applications. The model checking when applied to real-life applications cannot analyze the large number of possible execution sequences for all possible inputs.
Related to Paper: The techniques described in this paper are useful in debugging and avoiding leakage of confidential data which can be useful in further research on web security.
5. Annotated Bibliography for the paper "Abstracting application-level web security."
Reference: [Scott, 2002] Scott, David, and Richard Sharp. Abstracting application-level web security. ACM (2002): 396-407.Web. <http://delivery.acm.org.libproxy2.usouthal.edu/10.1145/520000/511498/p396-scott.pdf?key1=511498&key2=8484875721&coll=Portal&dl=ACM& CFID=90573955&CFTOKEN=39116473>.
Title: Abstracting application-level web security
Authors: David Scott, Richard Sharp
Published: ACM (2002):396-407.
Source: International World Wide Web Conference. 2002.
Reference Link: [Scott, 2002].
Research Objective: To use a structuring technique that helps designers abstract security policies from large web applications.
Research Method(s): The authors present a structuring technique which helps designer's abstract security policies from large web applications. The author used a system that consist of a security policy description language (SPDL) which is used to specify a set of validation constraints and transformation rules. To automatically translate the SPDL into code, a policy compiler is used. A security gateway is positioned between the web server and the client machines. The generated code is dynamically loaded into the security gateway where it is executed to enforce the specified policy. The security gateway acts as an application firewall. It intercepts transforms and analyzes all the http messages, checks the http requests and rewrites http responses. The security gateway is integrated with the web server to achieve better performance or it could be executed as a separate process on the existing web-server.
Conclusion of Research: A method for abstracting security-critical code from large web applications is described and can be used in the development process of new web applications.
Limitation of Research: This paper doesn't address on how attacks are made through web scripting languages and how to insert validation code into them.
Related to Paper: This paper lays a stronger foundation for securing web applications and can be useful in developing secured web applications
