
Sound and precise analysis of web applications for injection vulnerabilities

Published: 10 June 2007

Abstract

Web applications are popular targets of security attacks. One common type of such attacks is SQL injection, where an attacker exploits faulty application code to execute maliciously crafted database queries. Both static and dynamic approaches have been proposed to detect or prevent SQL injections; while dynamic approaches provide protection for deployed software, static approaches can detect potential vulnerabilities before software deployment. Previous static approaches are mostly based on tainted information flow tracking and have at least some of the following limitations: (1) they do not model the precise semantics of input sanitization routines; (2) they require manually written specifications, either for each query or for bug patterns; or (3) they are not fully automated and may require user intervention at various points in the analysis. In this paper, we address these limitations by proposing a precise, sound, and fully automated analysis technique for SQL injection. Our technique avoids the need for specifications by considering as attacks those queries for which user input changes the intended syntactic structure of the generated query. It checks conformance to this policy by conservatively characterizing the values a string variable may assume with a context-free grammar, tracking the nonterminals that represent user-modifiable data, and modeling string operations precisely as language transducers. We have implemented the proposed technique for PHP, the most widely used web scripting language. Our tool successfully discovered previously unknown and sometimes subtle vulnerabilities in real-world programs, has a low false positive rate, and scales to large programs (with approx. 100K LOC).
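As an added illustration (not code from the paper or its tool), the following Python applies the policy the abstract states to one concrete generated query rather than to the grammar approximation the static analysis computes: the query is lexed with a tiny constructed SQL tokenizer, and the substring that came from user input must fall inside a single literal token; if it touches several tokens, or a keyword or operator, the input has changed the query's syntactic structure. The `?` template hole, the tokenizer and the helper names are assumptions of this example.

```python
import re
from typing import List, Tuple

# Deliberately tiny SQL lexer, constructed for this example only.
TOKEN_RE = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')   # single-quoted literal; '' escapes a quote
  | (?P<NUMBER>\d+)
  | (?P<WORD>[A-Za-z_]\w*)       # keywords and identifiers
  | (?P<OP>[=<>!]+|[*(),;.])
  | (?P<SPACE>\s+)
  | (?P<OTHER>.)                 # anything else, e.g. an unmatched quote
""", re.VERBOSE)


def tokenize(sql: str) -> List[Tuple[str, int, int]]:
    """Return (kind, start, end) for every non-whitespace token in sql."""
    return [(m.lastgroup, m.start(), m.end())
            for m in TOKEN_RE.finditer(sql) if m.lastgroup != "SPACE"]


def build_query(template: str, user_input: str) -> Tuple[str, int, int]:
    """Splice user_input into the first '?' hole of template (assumed
    convention) and return the query plus the [start, end) span of the
    query text that is user-modifiable."""
    start = template.index("?")
    query = template[:start] + user_input + template[start + 1:]
    return query, start, start + len(user_input)


def input_is_syntactic_leaf(template: str, user_input: str) -> bool:
    """Policy check: the user-controlled span must lie inside exactly one
    literal token (STRING or NUMBER), i.e. be a leaf of the parse tree.
    Anything else means the input altered the query's syntactic structure."""
    query, lo, hi = build_query(template, user_input)
    touched = [(kind, s, e) for kind, s, e in tokenize(query)
               if s < hi and e > lo]
    return len(touched) == 1 and touched[0][0] in ("STRING", "NUMBER")


if __name__ == "__main__":
    tmpl = "SELECT * FROM users WHERE name = '?'"
    for candidate in ("alice", "O''Brien", "' OR '1'='1"):
        verdict = "ok" if input_is_syntactic_leaf(tmpl, candidate) else "structure changed"
        print(f"{candidate!r}: {verdict}")
```

The properly escaped `O''Brien` passes because the lexer models the quote-doubling sanitization as part of one literal, which is the kind of sanitizer semantics the abstract says earlier taint-based tools did not capture.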


Published In

ACM SIGPLAN Notices, Volume 42, Issue 6: Proceedings of the 2007 PLDI conference, June 2007, 491 pages. ISSN: 0362-1340, EISSN: 1558-1160, DOI: 10.1145/1273442

PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2007, 508 pages. ISBN: 9781595936332, DOI: 10.1145/1250734
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. static analysis
  2. string analysis
  3. web applications
