
Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications

Regular Contribution, International Journal of Information Security

Abstract

As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. Attackers craft injection attacks against database-driven applications through the user-input fields intended for interacting with the applications. Even though precautionary measures such as user-input sanitization are employed on the client side of the application, an attacker can disable JavaScript in the client and still inject attacks through HTTP parameters. The injected parameters result in attacks because of improper server-side validation of user input. An injected parameter may either contain malicious SQL/XML commands, leading to SQL/XPath/XQuery injection, or be invalid input intended to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far on identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance because it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype, XiParam, is developed and tested on vulnerable applications built with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective in detecting both XQuery injection and parameter tampering vulnerabilities.
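As an added illustration (this is not code from the paper or from the XiParam prototype), the following Python module shows the two vulnerability classes the abstract names side by side from the server's point of view: an XQuery built by concatenating an HTTP parameter into the query text versus one whose value is bound as an external variable, and a server-side validator that re-enforces the constraints an HTML form and its JavaScript would have enforced, since the abstract's point is that those client-side checks can simply be switched off. The login query, the order-form specification and the sample requests are all constructed for this example; it assumes the query text and its bindings would be handed to a BaseX client that binds the `external` variable, and that client call is not shown.

```python
# Added example, not from the paper: XQuery injection and parameter tampering
# as seen from the server side. Names, the form spec and all inputs are constructed.
import re
from typing import Any

# --- 1. XQuery injection: concatenated query text vs. bound external variable ---

def build_login_query_unsafe(username: str) -> str:
    """Vulnerable 'before' form: the HTTP parameter becomes part of the query
    text, so any value containing a quote changes the query's structure.
    This is the pattern a black-box fuzzer probes for."""
    return "//user[name='" + username + "']/role/text()"

def build_login_query_safe(username: str) -> tuple[str, dict[str, str]]:
    """Hardened form: the query text is constant no matter what the user sent.
    The value travels separately as a binding for a variable declared
    'external' (BaseX binds such variables through its client API; the
    binding call is assumed to live in the caller)."""
    query = (
        "declare variable $user external;\n"
        "//user[name=$user]/role/text()"
    )
    return query, {"user": username}

# --- 2. Parameter tampering: re-validate on the server what the form promised ---

# Constructed spec mirroring the constraints the HTML form / client JS enforces.
# Anything the client could compute (e.g. a price) is deliberately NOT accepted.
ORDER_FORM_SPEC: dict[str, dict[str, Any]] = {
    "product":  {"required": True, "choices": {"book", "pen", "lamp"}},
    "quantity": {"required": True, "pattern": r"[0-9]+", "min": 1, "max": 10},
    "note":     {"required": False, "maxlen": 200},
}

def validate_params(params: dict[str, str],
                    spec: dict[str, dict[str, Any]] = ORDER_FORM_SPEC) -> list[str]:
    """Return a list of violations; an empty list means the request is what the
    form would have produced. Every rule here is checked regardless of whether
    the client-side JavaScript was running."""
    violations: list[str] = []
    # Parameters the form never sends (e.g. a tampered hidden 'price') are rejected.
    for name in params:
        if name not in spec:
            violations.append(f"{name}: unexpected parameter")
    for name, rules in spec.items():
        value = params.get(name)
        if value is None or value == "":
            if rules.get("required"):
                violations.append(f"{name}: missing")
            continue
        if "choices" in rules and value not in rules["choices"]:
            violations.append(f"{name}: not an allowed choice")
        if "pattern" in rules and not re.fullmatch(rules["pattern"], value):
            violations.append(f"{name}: malformed")
            continue  # do not attempt a numeric range check on malformed input
        if "min" in rules or "max" in rules:
            n = int(value)
            if n < rules.get("min", n) or n > rules.get("max", n):
                violations.append(f"{name}: out of range")
        if "maxlen" in rules and len(value) > rules["maxlen"]:
            violations.append(f"{name}: too long")
    return violations

if __name__ == "__main__":
    # A benign name with an apostrophe is enough to show the difference:
    # the unsafe query text changes with the input, the safe one never does.
    for name in ("alice", "O'Brien"):
        print(build_login_query_unsafe(name))
        print(build_login_query_safe(name))
    # A request with a tampered hidden field and out-of-range values.
    print(validate_params({"product": "xyz", "quantity": "99", "price": "0.01"}))
```

The first half makes the detection criterion concrete: with concatenation the query text itself varies with the input, so a probe value that is not even an attack (a surname with an apostrophe) already alters the query's structure, whereas the bound form sends the same query text every time and the value only ever arrives as data. The second half treats the form's constraints as server-side policy rather than a client convenience, and rejects parameters the form would never have sent, which is where tampered hidden fields show up.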


Notes

  1. https://cwe.mitre.org/data/definitions/472.html


Acknowledgements

This work was supported by the Ministry of Communications and Information Technology, Government of India and is part of the R&D project entitled “Development of Tool for detection of XML-based injection vulnerabilities in web applications,” 2014–2016.


Correspondence to G. Deepa.

Conflict of interest: The authors declare that they have no conflict of interest.


Cite this article

Deepa, G., Thilagam, P.S., Khan, F.A. et al. Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications. Int. J. Inf. Secur. 17, 105–120 (2018). https://doi.org/10.1007/s10207-016-0359-4
