Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis

Bibliographic details
Main authors: Scholte, T., Robertson, W., Balzarotti, D., Kirda, E.
Format: Conference proceeding
Language: eng
container_end_page 243
container_issue
container_start_page 233
container_title
container_volume
creator Scholte, T.
Robertson, W.
Balzarotti, D.
Kirda, E.
description Web applications have become an integral part of the daily lives of millions of users. Unfortunately, web applications are also frequently targeted by attackers, and critical vulnerabilities such as cross-site scripting and SQL injection are still common. As a consequence, much effort in the past decade has been spent on mitigating web application vulnerabilities. Current techniques focus mainly on sanitization: either on automated sanitization, the detection of missing sanitizers, the correctness of sanitizers, or the correct placement of sanitizers. However, these techniques are either not able to prevent new forms of input validation vulnerabilities such as HTTP Parameter Pollution, come with large runtime overhead, lack precision, or require significant modifications to the client and/or server infrastructure. In this paper, we present IPAAS, a novel technique for preventing the exploitation of cross-site scripting and SQL injection vulnerabilities based on automated data type detection of input parameters. IPAAS automatically and transparently augments otherwise insecure web application development environments with input validators that result in significant and tangible security improvements for real systems. We implemented IPAAS for PHP and evaluated it on five real-world web applications with known cross-site scripting and SQL injection vulnerabilities. Our evaluation demonstrates that IPAAS would have prevented 83% of SQL injection vulnerabilities and 65% of cross-site scripting vulnerabilities while incurring no developer burden.
doi_str_mv 10.1109/COMPSAC.2012.34
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier ISSN: 0730-3157
ispartof 2012 IEEE 36th Annual Computer Software and Applications Conference, 2012, p.233-243
issn 0730-3157
language eng
recordid cdi_ieee_primary_6340148
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Context
cross-site scripting
HTML
input validation
Robustness
Runtime
Security
sql injection
Vectors
web application
title Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-11T17%3A27%3A36IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Preventing%20Input%20Validation%20Vulnerabilities%20in%20Web%20Applications%20through%20Automated%20Type%20Analysis&rft.btitle=2012%20IEEE%2036th%20Annual%20Computer%20Software%20and%20Applications%20Conference&rft.au=Scholte,%20T.&rft.date=2012-07&rft.spage=233&rft.epage=243&rft.pages=233-243&rft.issn=0730-3157&rft.isbn=9781467319904&rft.isbn_list=1467319902&rft.coden=IEEPAD&rft_id=info:doi/10.1109/COMPSAC.2012.34&rft_dat=%3Cieee_6IE%3E6340148%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9780769547367&rft.eisbn_list=0769547362&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=6340148&rfr_iscdi=true