Abstract
We propose a new technique based on multitier compilation for preventing code injection in web applications. It consists of adding an extra stage to the client code generator which compares the dynamically generated code with the specification obtained from the syntax of the source program. No intervention from the programmer is needed. No plugin or modification of the web browser is required. The soundness and validity of the approach are proved formally by showing that the client compiler can be fully abstract. The practical interest of the approach is demonstrated by the actual implementation in the Hop environment.
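To make the idea in the abstract concrete, here is an added example that is not from the paper or from the Hop implementation. It models the "extra stage" as a token-level comparison on a tiny JavaScript subset: the server-side template (standing in for the source program's syntax) yields a specification of the expected token shape with one hole per spliced datum, and generated client code is shipped only if its tokens match that shape with every hole filled by a single literal. The names `compileSpec`, `naiveEmit`, `quotedEmit`, `guardedEmit`, the `?` hole marker and the sample inputs are all constructed for this illustration; the real technique works on the program's syntax trees rather than tokens.

```javascript
// Added example: a token-level "generated code matches its syntactic
// specification" check on a tiny JavaScript subset. This is not Hop's
// implementation; every identifier here is an assumption made for illustration.

// Lexer for the subset: string literals, numbers, identifiers, punctuation.
const TOKEN_RE = /\s*(?:("(?:[^"\\]|\\.)*")|(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|([(){}\[\];,.=+\-*\/<>!&|?]))/y;

// Unique sentinel standing for "exactly one data value goes here" in a spec.
const HOLE = Object.freeze({ kind: 'hole' });

// Tokenize generated client code. Throws on input the subset cannot lex;
// the checker treats that as non-conforming rather than guessing.
function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    if (/^\s*$/.test(src.slice(pos))) break;   // only trailing whitespace left
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (m === null) throw new Error(`cannot tokenize at offset ${pos}`);
    pos = TOKEN_RE.lastIndex;
    if (m[1] !== undefined) tokens.push({ kind: 'string', text: m[1] });
    else if (m[2] !== undefined) tokens.push({ kind: 'number', text: m[2] });
    else if (m[3] !== undefined) tokens.push({ kind: 'ident', text: m[3] });
    else tokens.push({ kind: 'punct', text: m[4] });
  }
  return tokens;
}

// The specification derived from the template's own syntax: its token shape,
// with each '?' marking where one datum is spliced in at run time.
function compileSpec(template) {
  return tokenize(template).map(t => (t.kind === 'punct' && t.text === '?') ? HOLE : t);
}

// Unsafe emitter: splices each datum into the code text by string concatenation,
// so a datum containing a quote can change the structure of the generated code.
function naiveEmit(template, values) {
  let i = 0;
  return template.replace(/\?/g, () => '"' + values[i++] + '"');
}

// Correct emitter: serialises each datum as a single literal, escaping as needed.
function quotedEmit(template, values) {
  let i = 0;
  return template.replace(/\?/g, () => JSON.stringify(values[i++]));
}

// The comparison stage: same number of tokens, every fixed token identical,
// and every hole occupied by exactly one string or number literal.
function conformsToSpec(spec, code) {
  let tokens;
  try { tokens = tokenize(code); } catch (e) { return false; }
  if (tokens.length !== spec.length) return false;
  return spec.every((expected, i) => {
    const actual = tokens[i];
    if (expected === HOLE) return actual.kind === 'string' || actual.kind === 'number';
    return actual.kind === expected.kind && actual.text === expected.text;
  });
}

// Guarded generation: emit, then check against the spec. Returns the code only
// when it conforms; otherwise null, so the mismatched script is never shipped.
function guardedEmit(emit, template, values) {
  const code = emit(template, values);
  return conformsToSpec(compileSpec(template), code) ? code : null;
}

// Constructed demo input: a datum that closes the string literal and opens a
// second call, which changes the token shape of naively generated code.
const TEMPLATE = 'alert(?);';
const INJECTED = 'x"); bogus("';
console.log(guardedEmit(naiveEmit, TEMPLATE, ['Alice']));   // shipped as-is
console.log(guardedEmit(naiveEmit, TEMPLATE, [INJECTED]));  // rejected: null
console.log(guardedEmit(quotedEmit, TEMPLATE, [INJECTED])); // shipped: one literal
```

The point the example makes is the one the abstract relies on: the check needs no cooperation from the programmer or the browser, because the specification comes from the template the server already has, and a datum can only pass by remaining a single leaf of the expected structure. A parse-tree comparison generalises this beyond the flat token shape used here.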
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Luo, Z., Rezk, T., Serrano, M. (2012). Automated Code Injection Prevention for Web Applications. In: Mödersheim, S., Palamidessi, C. (eds) Theory of Security and Applications. TOSCA 2011. Lecture Notes in Computer Science, vol 6993. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27375-9_11
DOI: https://doi.org/10.1007/978-3-642-27375-9_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27374-2
Online ISBN: 978-3-642-27375-9
eBook Packages: Computer Science, Computer Science (R0)