International Journal of Information Security, Volume 17, Issue 1, pp 105–120

Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications

  • G. Deepa
  • P. Santhi Thilagam
  • Furqan Ahmed Khan
  • Amit Praseed
  • Alwyn R. Pais
  • Nushafreen Palsetia
Regular Contribution

Abstract

As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. Attackers craft injection attacks against database-driven applications through the user-input fields intended for interacting with the application. Even when precautionary measures such as user-input sanitization are employed on the client side, an attacker can disable JavaScript in the browser and still inject attacks through HTTP parameters; the injected parameters succeed because server-side validation of user input is missing or incomplete. The injected parameters may either contain malicious SQL or XPath/XQuery fragments, leading to SQL/XPath/XQuery injection, or be invalid input intended to violate the expected behavior of the web application. The former is known as an injection attack, the latter as a parameter tampering attack. While SQL injection has been examined intensively by the research community, limited work has been done so far on identifying XML injection and parameter tampering vulnerabilities. Many database-driven web applications today rely on XML databases, as XML has gained rapid acceptance because it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype, XiParam, is developed and tested on vulnerable applications built with the native XML database BaseX as the backend. The experimental evaluation demonstrates that the prototype is effective at detecting both XQuery injection and parameter tampering vulnerabilities.
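The two vulnerability classes the abstract distinguishes, and the two black-box oracles a scanner needs for them, are easier to see in code. The following is an added example written for this page; it is not the XiParam prototype and contains no BaseX code. The target is a constructed in-memory stub (stub_app) that mimics a form backed by a native XML database and builds its XQuery by string concatenation; the payloads, the bracketed error-code signature, the CLIENT_CONSTRAINTS values and all function names are assumptions for illustration. The scanner half is generic: fuzz_injection and fuzz_tampering take any callable that maps a parameter dict to (status, body), so the same logic could be pointed at a real HTTP client.

```python
"""Toy black-box fuzzer for XQuery injection and parameter tampering.

Added example for this page; it is not the XiParam prototype and contains
no BaseX code. The target is a constructed in-memory stub that mimics a
web form backed by a native XML database; the payloads, the error
signature and the form constraints are assumptions for illustration.
"""
import re

# --- constructed target (stands in for the application under test) --------
USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]

# Client-side rules the form would carry as HTML attributes (assumed values);
# a real scanner scrapes them from the page's <input> elements.
CLIENT_CONSTRAINTS = {"qty": {"min": 1, "max": 10}}

# W3C XQuery/XPath error codes such as XPST0003 (static syntax error); BaseX
# prints them in square brackets, so a leaked code is a strong injection oracle.
XQUERY_ERROR = re.compile(r"\[(XPST|XPTY|XPDY|XQST|XQDY|FO[A-Z]{2})\d{4}\]")

# The fixed form of the same query: the value is bound to an external
# variable through the database API instead of being spliced into the text.
SAFE_QUERY = ("declare variable $name as xs:string external;\n"
              "//user[name=$name]/email/text()")


def stub_app(params):
    """Return (status, body) for one request. Vulnerable by construction:
    the XQuery is built by string concatenation (no server-side escaping) and
    qty is only range-checked by the client-side JavaScript that was bypassed."""
    if "qty" in params:
        try:
            qty = int(params["qty"])
        except ValueError:
            return 400, "qty must be numeric"
        return 200, "ordered %d" % qty
    name = params.get("name", "")
    query = "//user[name='%s']/email/text()" % name        # vulnerable build
    if query.count("'") % 2:                               # unbalanced quote
        return 500, "Stopped at ., 1/13:\n[XPST0003] Expecting quote.\n"
    if re.search(r"'\s+or\s+'1'='1'", query):              # predicate widened
        return 200, "\n".join(mail for _, mail in USERS)
    return 200, "\n".join(mail for user, mail in USERS if user == name)


# --- the scanner side --------------------------------------------------------
INJECTION_PAYLOADS = {
    "syntax_break": "alice'",        # breaks the string literal -> parse error
    "tautology": "x' or '1'='1",     # keeps the query valid, matches everything
}


def fuzz_injection(send, param, benign):
    """Error-based and differential oracles for XQuery injection on one parameter.
    `send` is any callable mapping a params dict to (status, body)."""
    _, base_body = send({param: benign})
    base_lines = set(base_body.splitlines())
    findings = []
    for kind, payload in INJECTION_PAYLOADS.items():
        _, body = send({param: payload})
        if XQUERY_ERROR.search(body):
            findings.append((param, kind, "xquery-error-leaked"))
        elif set(body.splitlines()) > base_lines:          # strictly more rows
            findings.append((param, kind, "result-set-widened"))
    return findings


def tampered_values(rules):
    """Values that violate each client-side rule, i.e. what a client with
    JavaScript disabled can submit directly as an HTTP parameter."""
    values = []
    if "min" in rules:
        values.append(str(rules["min"] - 1))
    if "max" in rules:
        values.append(str(rules["max"] + 1))
    if "maxlength" in rules:
        values.append("A" * (rules["maxlength"] + 1))
    return values


def fuzz_tampering(send, constraints):
    """Flag parameters whose rule-violating values the server still accepts;
    a server that re-validates would answer with a 4xx instead."""
    findings = []
    for param, rules in constraints.items():
        for value in tampered_values(rules):
            status, _ = send({param: value})
            if 200 <= status < 300:
                findings.append((param, value, "accepted-out-of-range"))
    return findings


if __name__ == "__main__":
    print(fuzz_injection(stub_app, "name", "alice"))
    print(fuzz_tampering(stub_app, CLIENT_CONSTRAINTS))
```

Two design points carry over to a real scanner. First, the error-based oracle alone misses applications that swallow database errors, which is why the differential check compares the tautology response against a benign baseline rather than looking for a message. Second, the parameter tampering oracle is deliberately status-based: the client-side rule is treated as the specification of expected behaviour, and a 2xx for a value that rule forbids is the evidence that the server never re-validated it.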

Keywords

Web application security, Vulnerability scanner, Injection attacks, Fuzz testing, Logic vulnerabilities, XML injection

Notes

Acknowledgements

This work was supported by the Ministry of Communications and Information Technology, Government of India and is part of the R&D project entitled “Development of Tool for detection of XML-based injection vulnerabilities in web applications,” 2014–2016.

Compliance with ethical standards

Conflict of interest

The authors declare that they have no conflict of interest.


Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  • G. Deepa (1)
  • P. Santhi Thilagam (1)
  • Furqan Ahmed Khan (1)
  • Amit Praseed (1)
  • Alwyn R. Pais (1)
  • Nushafreen Palsetia (1)

  1. National Institute of Technology Karnataka, Mangaluru, India
