PRACTICAL ELIMINATION OF EXTERNAL INTERACTION VULNERABILITIES IN WEB APPLICATIONS

Authors

  • JAMES MILLER University of Alberta, Canada
  • TOAN HUYNH University of Alberta, Canada

Keywords:

Security analysis, web applications, web security, case study

Abstract

External Interaction Vulnerabilities (EIVs) are currently the most common vulnerability for web applications. These vulnerabilities allow attackers to use vulnerable web applications as a vessel to transmit malicious code to external systems that interact with the web applications. The malicious code modifies the semantic content of the information sent to the external application. Current vulnerability detection approaches are black-box oriented and do not take advantage of the data flow information that is available in the source code. In this paper, we introduce a white-box approach called EIV analysis to eliminate web applications’ vulnerabilities. This strategy allows investigators to accurately identify all inputs entering the web application and to model each input as it reaches the external systems that act as data sinks. The strategy is partially automated, resulting in substantial effort savings when compared with common industrial approaches, while also providing superior performance in terms of vulnerability detection. A case study using a commercial, currently deployed, mission-critical web application is presented to demonstrate the validity of these claims.


Published

2010-02-25

How to Cite

Miller, J., & Huynh, T. (2010). PRACTICAL ELIMINATION OF EXTERNAL INTERACTION VULNERABILITIES IN WEB APPLICATIONS. Journal of Web Engineering, 9(1), 1–24. Retrieved from https://journals.riverpublishers.com/index.php/JWE/article/view/4025
