Automated Code Injection Prevention for Web Applications

  • Zhengqin Luo
  • Tamara Rezk
  • Manuel Serrano
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6993)

Abstract

We propose a new technique based on multitier compilation for preventing code injection in web applications. It consists of adding an extra stage to the client code generator which compares the dynamically generated code with the specification obtained from the syntax of the source program. No intervention from the programmer is needed. No plugin or modification of the web browser is required. The soundness and validity of the approach are proved formally by showing that the client compiler can be fully abstract. The practical interest of the approach is demonstrated by the actual implementation in the Hop environment.
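The following is an added illustration of the idea stated in the abstract; it is not the paper's code nor the Hop compiler's implementation. It models client code as S-expressions (a hypothetical mini language), derives a specification from the template's own syntax (holes written `~name`), lets a deliberately naive generator splice runtime values into the holes, and then re-parses the generated code and compares it structurally against that specification. Values that only fill a hole with one string literal are accepted; values that introduce syntax of their own (extra calls, extra atoms, unbalanced delimiters) are rejected before the code reaches the client. All function and template names are this example's own.

```python
# Added illustration of the abstract's idea, not the paper's Hop implementation.
# Client code is modelled as S-expressions (a hypothetical mini language);
# template holes are atoms written "~name" and are filled at generation time.

import re
from typing import Dict, List, Tuple, Union

Node = Union[str, list]     # an atom, or a list of nodes

# Tokens: whitespace, string literal, parenthesis, bare atom. Anything else
# (e.g. an unterminated quote) is a lexing error rather than silently dropped,
# so the checker never sees a different program than the browser would.
_TOKEN = re.compile(r'\s+|"(?:\\.|[^"\\])*"|[()]|[^\s()"]+|(.)')
_STRING = re.compile(r'^"(?:\\.|[^"\\])*"$')
_HOLE = re.compile(r'~([A-Za-z_][\w-]*)')


def tokenize(src: str) -> List[str]:
    out = []
    for m in _TOKEN.finditer(src):
        if m.group(1) is not None:
            raise ValueError(f"bad character {m.group(0)!r} at offset {m.start()}")
        if not m.group(0).isspace():
            out.append(m.group(0))
    return out


def parse(src: str) -> Node:
    """Parse exactly one S-expression; unbalanced input raises ValueError."""
    tokens = tokenize(src)
    pos = 0

    def read() -> Node:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items: list = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise ValueError("missing ')'")
            pos += 1          # consume ')'
            return items
        if tok == ")":
            raise ValueError("unexpected ')'")
        return tok

    tree = read()
    if pos != len(tokens):
        raise ValueError("trailing input after expression")
    return tree


def generate(template: str, values: Dict[str, str]) -> str:
    """The (deliberately naive) dynamic code generator: splice each value into
    its hole as a quoted string with no escaping. The specification check
    below is what catches values that carry syntax of their own."""
    return _HOLE.sub(lambda m: '"' + values[m.group(1)] + '"', template)


def conforms(spec: Node, tree: Node) -> bool:
    """Structural comparison: every node of the generated tree must equal the
    template's node, except at holes, which may only hold one string literal."""
    if isinstance(spec, str):
        if spec.startswith("~"):
            return isinstance(tree, str) and _STRING.match(tree) is not None
        return tree == spec
    if not isinstance(tree, list) or len(tree) != len(spec):
        return False
    return all(conforms(s, t) for s, t in zip(spec, tree))


def emit(template: str, values: Dict[str, str]) -> Tuple[bool, str]:
    """The extra compiler stage: generate, re-parse, and compare against the
    specification derived from the template's own syntax. Returns
    (accepted, generated_code); rejected code must not be sent to the client."""
    spec = parse(template)
    code = generate(template, values)
    try:
        tree = parse(code)
    except ValueError:
        return False, code
    return conforms(spec, tree), code


# Constructed sample: a greeting whose name comes from a request parameter.
TEMPLATE = '(alert (string-append "Hello, " ~name))'

if __name__ == "__main__":
    for name in ["Alice", 'x") (do-something) ("', 'x")']:
        ok, code = emit(TEMPLATE, {"name": name})
        print("ACCEPT" if ok else "REJECT", code)
```

The check is independent of how the value got into the code: whether the generator escapes correctly or not, anything that changes the tree shape relative to the source template is refused, which is why the approach needs no programmer intervention and no browser support.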

Keywords

Injection Attack, Client Code, USENIX Security Symposium, Security Enforcement, Code Injection


Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Zhengqin Luo, INRIA Sophia Antipolis, France
  • Tamara Rezk, INRIA Sophia Antipolis, France
  • Manuel Serrano, INRIA Sophia Antipolis, France
