The essence of command injection attacks in web applications

Authors: Zhendong Su, Gary Wassermann

DOI: 10.1145/1111037.1111070

Keywords:

Abstract: Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through low-level APIs by constructing query strings within a general-purpose programming language, such as Java. This is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the application to generate unintended output. This is called a command injection attack, which poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the query or document must change the intended syntactic structure of the query or document. Our definition and algorithm are general and apply to many forms of command injection attacks. We validate our approach with SqlCheckS, an implementation for the setting of SQL command injection attacks. We evaluated SqlCheckS on real-world web applications with systematically compiled attack input. It produced no false positives or false negatives, incurred low runtime overhead, and applied straightforwardly to web applications written in different languages.
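The key observation in the abstract (an injection succeeds only when user input changes the intended syntactic structure of the query) can be checked mechanically at the point where the query string is assembled. The following added example is not code from the paper or from SqlCheckS: it records which spans of the assembled query came from user input, lexes the query with a small constructed SQL lexer, and flags any input that does not land inside exactly one literal token. The paper's algorithm parses against the full grammar and requires each input to form a complete parse subtree; the token-level check here is a deliberate simplification of that idea.

```python
import re
from typing import List, Optional, Tuple

# Lexer for a small SQL subset (constructed for this example, not the paper's grammar).
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<str>'(?:[^']|'')*')          # string literal, '' escapes a quote
  | (?P<num>\d+)
  | (?P<comment>--[^\n]*)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)  # keyword or identifier
  | (?P<op><>|<=|>=|[=<>*,;()])
""", re.VERBOSE)

Token = Tuple[str, int, int]  # (kind, start offset, end offset)

def lex(sql: str) -> Optional[List[Token]]:
    """Tokenize the whole query; return None if some character cannot be lexed
    (e.g. an unbalanced quote), which already means the query is malformed."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            return None
        tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens

def build_query(parts: List[str], inputs: List[str]) -> Tuple[str, List[Tuple[int, int]]]:
    """Interleave application-authored fragments with user inputs, remembering
    the character span each input occupies in the final query."""
    query, spans = "", []
    for i, part in enumerate(parts):
        query += part
        if i < len(inputs):
            spans.append((len(query), len(query) + len(inputs[i])))
            query += inputs[i]
    return query, spans

def is_injection(query: str, spans: List[Tuple[int, int]]) -> bool:
    """True if any user input fails to map onto exactly one literal token.
    An input that spans several tokens (quote breakout, injected keywords,
    comment markers) has changed the query's syntactic structure."""
    tokens = lex(query)
    if tokens is None:
        return True
    for start, end in spans:
        hit = [kind for kind, s, e in tokens if s < end and e > start]
        if len(hit) != 1 or hit[0] not in ("str", "num"):
            return True
    return False
```

Inputs are only judged after the query is built, so the check does not depend on any escaping done upstream: a correctly escaped quote (`O''Brien`) still lexes as one string literal and passes, while an unescaped one fails to lex and is rejected.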
