PRACTICAL ELIMINATION OF EXTERNAL INTERACTION VULNERABILITIES IN WEB APPLICATIONS
Keywords:
Security analysis, web applications, web security, case studyAbstract
External Interaction Vulnerabilities (EIVs) are currently the most common vulnerability for web applications. These vulnerabilities allow attackers to use vulnerable web applications as a vessel to transmit malicious code to external systems that interact with the web applications. The malicious code will modify the semantic content of the information sent to the external application. Current vulnerability detection approaches are black-box oriented and do not take advantage of the data flow information which is available in the source code. In this paper, we introduce a white-box approach called EIV analysis to eliminate web applications’ vulnerabilities. This strategy allows investigators to accurately identify all inputs entering the web application and model the input as it reaches external systems acting as data sinks. The strategy is partially automated resulting in substantial effort savings when compared with common industrial approaches; while also providing superior performance in terms vulnerability detection. A case study using a commercial, currently deployed, mission-critical web application is presented to demonstrate the validity of these claims.
Downloads
References
Achour, M., Betz, F., Dovgal, A., Lopes, N., Olson, P., Richter, G., Seguy, D., Vrana, J., PHP
manual, http://www.php.net/manual/en/, 2007.
Acunetix Ltd., Acunetix Web Vulnerability Scanner, http://www.acunetix.com/, Last accessed
Feb. 7, 2006.
Alonso, G., Casati, F., Kuno, H., and Machiraju, V., Web Services: Concepts, Architectures,
and Applications. Springer Verlag, 2003.
Bandhakavi, S., Bisht, P., Madhusudan, P., Venkatakrishman, V., CANDID: Preventing SQL
Injection Attacks Using Dynamic Candidate Evaluations, CCS 2007.
Balzarotti, D., Cova, M., Felmetsger, V.V., Vigna, G., Multi-Module Vulnerability Analysis
of Web-based Applications. Proc. 14th ACM Conference on Computer and Communication
Security, pp. 25-35, 2007.
Beizer B. Black-Box Testing: Techniques for Functional Testing of Software and Systems.
Wiley: New York, 1995.
Boehm, B., and Abts, C., COTS Integration: Plug and Pray?, IEEE Computer, 32 (1): pp. 135-
, January 1999.
Boyd, S. W., and Keromytis, A. D., SQLrand: Preventing SQL Injection Attacks, In Proc. of
the 2nd Applied Cryptography and Network Security Conf. (ACNS ’04), pages 292–302, Jun.
Buehrer, G. T., Weide, B. W., and Sivilotti, P. A. G., Using Parse Tree Validation to Prevent
SQL Injection Attacks, In Proc. of the 5th Intl. Workshop on Software Engineering and
Middleware (SEM ’05), pages 106–113, Sep. 2005.
Chaudhri, A., Zicari, R., & Rashid, A., XML Data Management: Native XML and XML
Enabled DataBase Systems, USA: Addison-Wesley, 2003.
Cruwys, D., C Sharp/VB - Automated WebSpider/WebRobot,
http://www.codeproject.com/csharp/DavWebSpider.asp, March 2004.
Curbera, F., Duftler, M., Khalaf, R., Nagy, W., Mukhi, N., Weerawarana, S., Unraveling the
Web Services Web: An Introduction to SOAP, WSDL, and UDDI, IEEE Internet Computing,
v.6 n.2, p.86-93, March 2002.
Denning, D.E., Denning, P.J., Certification of programs for secure information flow. Comm.
Of the ACM, 1977.
Dhamija, R., Tygar, J. D., Hearst, M., Why phishing works, Proceedings of the SIGCHI
conference on Human Factors in computing systems, Montréal, Québec, Canada, April 22-27,
Doar, M.B., Practical Development Environments, O'Reilly Media, 2005.
Eaton, C., Memon, A. M., An Empirical Approach to Testing Web Applications Across
Diverse Client Platform Configurations, International Journal on Web Engineering and
Technology (IJWET), Special Issue on Empirical Studies in Web Engineering, 2007.
Fielding, R., Gettys, J., Mogul, J., Frystyk, H., and Berners- Lee. T., Hypertext Transfer
Protocol-HTTP/1.1, RFC 2068 (http://www.ietf.org/rfc/rfc2068), Jan 1997.
Flanagan, D., JavaScript (2nd ed.): the definitive guide, O'Reilly & Associates, Inc.,
Sebastopol, CA, 1997.
Frankl, P.G., Weyuker, E.J., "An applicable family of data flow testing criteria," IEEE
Transactions on Software Engineering, vol.14, no.10pp.1483-1498, Oct 1988.
Granger, S., Social Engineering Fundamentals, Part I: Hacker Tactics, Security Focus,
http://www.securityfocus.com/infocus/1527, 2003.
Halfond, W. G., and Orso, A,. AMNESIA: Analysis and Monitoring for NEutralizing SQLInjection
Attacks, In Proceedings of 20th ACM International Conference on Automated
Software Engineering (ASE), Nov 2005.
Halfond, W. G., Orso, A., and Manolios, P., Using positive tainting and syntax-aware
evaluation to counter SQL injection attacks, In Proceedings of the 14th ACM SIGSOFT
international Symposium on Foundations of Software Engineering, pp. 175-185, 2006.
Harrold, M., J., and Rothermel, G., Performing data flow testing on classes, In Proceedings of
the 2nd ACM SIGSOFT Symposium on Foundations of Software Engineering (New Orleans,
Louisiana, United States, December 06 - 09, 1994), SIGSOFT '94, ACM Press, New York,
NY, pp. 154-163, 1994.
Heydon, A., Najork, M., Mercator: A scalable, extensible Web crawler. World Wide Web,
(4):219–229, December 1999.
Howard, M., and LeBlanc, D. Writing Secure Code, Second Edition, Microsoft Press, 2003.
Howden, W. E., “Methodology for the generation of program test data,” IEEE Trans. Comput.,
vol. C-24, no. 5, pp. 554-559, May 1975.
Huang, Y. W., Yu, F., Hang, C., Tsai, C. H., Lee, D. T., and Kuo, S. Y., Securing web
application code by static analysis and runtime protection, in WWW '04: Proceedings of the
th International Conference on World Wide Web. New York, NY, USA: ACM Press, pp.
-52, 2004.
Hurst, A., Analysis of Perl’s taint mode, http://hurstdog.org/papers/hurst04taint.pdf, 2004.
Huynh, T., Miller, J., An empirical investigation into the causes of open source web
applications vulnerabilities, Submitted for publication, 2008.
IEEE, IEEE Standard for Software Maintenance (IEEE Std 1219–1998), Institute for
Electrical and Electronic Engineers: New York NY, 1998.
Johnson, R., and Wagner, D., Finding user/kernel pointer bugs with type inference. In
Proceedings of the 2004 Usenix Security Conference, pages 119–-134, 2004.
Jovanovic, N., Kruegel, C., and Kirda, E., Pixy: A Static Analysis Tool for Detecting Web
Application Vulnerabilities, In 2006 IEEE Symposium on Security and Privacy, May 2006.
Kals, S., Kirda, E., Kruegel, C., and Jovanovic, N., SecuBat: A Web Vulnerability Scanner,
The 15th International World Wide Web Conference (WWW 2006), Edinburgh, Scotland,
May 2006.
Kiezun, A., Guo, P.J., Jayaraman, K., Ernst, M.D., Automatic Creation of SQL Injection and
Cross-Site Scripting Attacks, MIT Technical Report, MIT-CSAIL-TR-2008-054, 2008.
Kristol, D.M., and Montulli, L., HTTP State Management Mechanism, RFC 2965
(http://tools.ietf.org/html/rfc2965), October 2000.
Laski, J. W., Korel, B., Data flow oriented program testing strategy, IEEE Transactions on
Software Engineering. Vol. SE-9, no. 3, pp. 347-354. 1983.
Lin, J.-C., Chen, J.-M., "An Automatic Revised Tool for Anti-Malicious Injection," Sixth
IEEE International Conference on Computer and Information Technology (CIT'06), pp. 164-
, 2006.
Lipner, S.B., "Security and Source Code Access: Issues and Realities," 2000 IEEE
Symposium on Security and Privacy (S&P 2000), pp. 124-125, 2000.
Liu, C. H., Kung, D., Hsia, P., and Hsu, C. T., Structure testing of web applications. In
Proceedings of the 11th Annual International Symposium on Software Reliability Engineering,
pages 84–96, San Jose CA, October 2000.
Livshits V. B., and Lam., M. S., Finding Security Vulnerabilities in Java Applications with
Static Analysis, In Proceedings of the 14th Usenix Security Symposium, Aug. 2005.
Martin, M., Livshits, B., and Lam, M. S., Finding Application Errors and Security Flaws
Using PQL: a Program Query Language. In OOPSLA ’05: Proc. of the 20th Annual ACM
SIGPLAN Conference on Object Oriented Programming Systems Languages and
Applications, pages 365–383, Oct. 2005.
Martin, M., Lam, M., Automatic Generation of XSS and SQL Injection Attacks with Goal-
Directed Model Checking, Security 08.
McGraw, G., “Software Security,” IEEE Security & Privacy, vol. 2, no. 2, pp. 80–83, 2004.
Miller, R.C., and Bharat, K. SPHINX: A framework for creating personal, site-specific Web
crawlers. In Proceedings of the Seventh International World Wide Web Conference, pages
--130, April 1998.
Moody, K., and Palomino, M., SharpSpider: Spidering the Web through Web Services, First
Latin American Web Congress (LA-WEB 2003), 2003.
Musciano, C., Kennedy, B., HTML and XHTML: The Definitive Guide, O'Reilly &
Associates, Inc., Sebastopol, CA, 2002.
Myers, G. J., The Art of Software Testing. Wiley, 1979.
Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., and Evans, D., Automatically
Hardening Web Applications Using Precise Tainting, In Proceedings of the 20th IFIP
International Information Security Conference, 2005.
Ntafos, S. C., “Required element testing,” IEEE Trans. Software Eng.,vol. SE-10, no. 6, pp.
-803, Nov. 1984.
Offut, J., Wu, Y., Du, X., & Huang, H., Bypass testing of Web applications. In Proceedings of
The Fifteenth IEEE International Symposium on Software Reliability Engineering, Saint-
Malo, Bretagne, France, pp.187-197 2004.
Ollman, G., The phishing guide - understanding and preventing phishing attacks, White Paper,
Next Generation Security Software Ltd., 2004.
OWASP, Cross site scripting, http://www.owasp.org/index.php/Cross_Site_Scripting,
Accessed January 22, 2007.
Pietraszek, T., and Berghe, C. V., Defending Against Injection Attacks through Context-
Sensitive String Evaluation, In Proceedings of Recent Advances in Intrusion Detection
(RAID2005), 2005.
Raghavan, S. and Garcia-Molina, H., Crawling the hidden web, In Proc. of 27th Int. Conf. on
Very Large Databases, Sept. 2001.
Rapps, S., and Weyuker, E., J., Selecting software test data using data flow information. IEEE
Trans. Softw. Eng. 11, 4 (Apr. 1985), 367-375. 1985.
Scott, D., and Sharp, R., Abstracting Application-level Web Security, In Proc. of the 11th Intl.
Conference on the World Wide Web (WWW 2002), pages 396-407, May 2002.
Shankar, U., Talwar, K., Foster, J. S., and Wagner, D., Detecting format string vulnerabilities
with type qualifiers. In 10th USENIX Security Symposium, D.C., pages 201-220, 2001.
Shiflett, C., PHP Security, O’Reilly Open Source Convention, Portland, Oregon, USA, 26 Jul
Su, Z., and Wassermann, G., The Essence of Command Injection Attacks in Web
Applications, In The 33rd Annual Symposium on Principles of Programming Languages,
pages 372–382, Jan. 2006.
Symantec, Symantec Internet Security Threat Report,
http://www.symantec.com/enterprise/threatreport/index.jsp, March 2006.
Tappenden, A.; Beatty, P.; Miller, J.; Geras, A.; Smith, M., "Agile security testing of Webbased
systems via HTTPUnit," Agile Conference, 2005. Proceedings, vol., no.pp. 29- 38, 24-
July 2005.
Thompson, H.H., “Why Security Testing Is Hard,” IEEE Security & Privacy, vol. 1, no. 4, pp.
–86, 2003.
Vaswani, V., MySQL: The Complete Reference, McGraw-Hill/Osborne, 2004.
Wheeler, D., A., Secure Programming for Linux and Unix HOWTO,
http://dwheeler.com/secure-programs, 2003.
Whittaker, J., and Thompson, H., How to Break Software Security, Addison-Wesley, 2003.
Widenius, M., Axmark, D., and MySQL AB, MySQL Reference Manual, Sebastopol, Calif.:
O’Reilly, 2002.
Wiegers, K., Software Requirements, Microsoft Press, Redmond, 1999.
Williams, H. E., and Lane, D., Web Database Applications with PHP & MySql, O'Reilly,
Woodward, M. R., Hedley., D., and Hennel, M. A., “Experience with path analysis and testing
of programs,” IEEE Trans. Software Eng., vol. SE-6, no. 3, pp. 278-286, May 1980.
Xie, Y., Aiken, A., Static Detection of Security Vulnerabilities in Scripting Languages,
Security 2006.
Xu, W., Bhatkar, S., and Sekar, R., Practical dynamic taint analysis for countering input
validation attacks on web applications., Technical Report SECLAB-05-04, Department of
Computer Science, Stony Brook University, May 2005.
Zhang, X., Edwards, A., and Jaeger, T., Using CQual for static analysis of authorization hook
placement. In the Proceedings of the 11th USENIX Security Symposium, pp. 33-48, 2002.
