RDFa Ontology-Based Architecture for String-Based Web Attacks: Testing and Evaluation

  • Shadi Aljawarneh
  • Faisal Alkhateeb
Chapter
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 60)

Abstract

String input is a recurring issue for web application security: developers often trust string input without checking its validity. Typically, little attention is paid to validation in a web development project, because overenthusiastic validation can itself break web applications. In this chapter, security vulnerabilities such as SQL injection are described, and then the merits of a number of common data validation techniques are discussed. From this analysis, a new data validation service (NDVS) based on semantic web technologies has been implemented to prevent these web security vulnerabilities and to keep a web system secure even if its validation modules are bypassed. The semantic architecture comprises the following components: RDFa annotation of web page elements, an interceptor, an RDF extractor, an RDF parser, and a data validator. We carried out two experiments to address the security and the performance objectives. The results show that the developed service provides high coverage of detection and recovery with a low level of overhead time.
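As an added illustration of the architecture the abstract describes (example code, not the chapter's implementation): a constructed form whose inputs carry RDFa attributes declaring their validation rules, an extractor that collects those annotations as triples, and a validator that checks submitted values against them and fails closed for fields without a rule. The `v:` vocabulary, the `v:pattern`/`v:type` predicates, and the use of the input's `name` as the subject key are assumptions for this example.

```python
"""RDFa-driven input validation, illustrative only; the vocabulary is assumed."""
from html.parser import HTMLParser
import re

# Constructed form: each <input> carries RDFa attributes (typeof/property/content)
# declaring its validation rule. The 'v:' prefix is a hypothetical placeholder.
FORM_HTML = """
<form action="/login" method="post" prefix="v: http://example.org/validation#">
  <input name="username" typeof="v:Field" property="v:pattern" content="^[A-Za-z0-9_]{3,16}$">
  <input name="age" typeof="v:Field" property="v:type" content="integer">
  <input name="zip" typeof="v:Field" property="v:pattern" content="^[0-9]{5}$">
</form>
"""


class RDFaExtractor(HTMLParser):
    """Collect (subject, predicate, object) triples from annotated <input> elements.
    Simplification: the input's name attribute stands in for the RDFa subject."""

    def __init__(self):
        super().__init__()
        self.triples = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("property") and a.get("content") and a.get("name"):
            self.triples.append((a["name"], a["property"], a["content"]))


def extract_rules(html):
    """Parse the annotated page and return {field: (predicate, object)}."""
    parser = RDFaExtractor()
    parser.feed(html)
    return {subj: (pred, obj) for subj, pred, obj in parser.triples}


def validate(rules, submitted):
    """Return {field: bool}. Unannotated fields and unknown predicates are rejected,
    so a request the interceptor captures cannot bypass validation by adding fields."""
    result = {}
    for field, value in submitted.items():
        rule = rules.get(field)
        if rule is None:
            result[field] = False
            continue
        pred, obj = rule
        if pred == "v:pattern":
            result[field] = re.fullmatch(obj, value) is not None
        elif pred == "v:type" and obj == "integer":
            result[field] = value.isdigit()
        else:
            result[field] = False
    return result
```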

Keywords

String, web application security, data validation, security vulnerabilities, SQL injection, semantic web technologies

Copyright information

© Springer Science+Business Media B.V. 2010

Authors and Affiliations

  1. Department of Software Engineering, Faculty of Science and IT, Al-Isra Private University, Amman, Jordan
  2. IT Faculty, Yarmouk University, Irbid, Jordan