DOI: 10.5555/1496711.1496714
Article

Automatic generation of XSS and SQL injection attacks with goal-directed model checking

Published: 28 July 2008

Abstract

Cross-site scripting (XSS) and SQL injection errors are two prominent examples of taint-based vulnerabilities that have been responsible for a large number of security breaches in recent years. This paper presents QED, a goal-directed model-checking system that automatically generates attacks exploiting taint-based vulnerabilities in large Java web applications. This is the first time model checking has been used successfully on real-life Java programs to create attack sequences consisting of multiple HTTP requests.
QED accepts any Java web application that is written to the standard servlet specification. The analyst specifies the vulnerability of interest in a specification that looks like a Java code fragment, along with a range of values for form parameters. QED then generates a goal-directed analysis from the specification to perform session-aware tests, optimizes to eliminate inputs that are not of interest, and feeds the remainder to a model checker. The checker will systematically explore the remaining state space and report example attacks if the vulnerability specification is matched.
QED provides better results than traditional analyses because it does not generate any false positive warnings. It proves the existence of errors by providing an example attack and a program trace showing how the code is compromised. Past experience suggests this is important because it makes it easy for the application maintainer to recognize the errors and to make the necessary fixes. In addition, for a class of applications, QED can guarantee that it has found all the potential bugs in the program. We have run QED over 3 Java web applications totaling 130,000 lines of code. We found 10 SQL injections and 13 cross-site scripting errors.

Published In

SS'08: Proceedings of the 17th conference on Security symposium (July 2008, 410 pages)

Publisher

USENIX Association, United States

Cited By

  • (2018) Dataflow tunneling. Proceedings of the 40th International Conference on Software Engineering, pp. 586-597. DOI 10.1145/3180155.3180171. Online publication date: 27-May-2018.
  • (2016) CSPAutoGen. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 653-665. DOI 10.1145/2976749.2978384. Online publication date: 24-Oct-2016.
  • (2016) Chainsaw. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 641-652. DOI 10.1145/2976749.2978380. Online publication date: 24-Oct-2016.
  • (2016) CSP adoption. Security and Communication Networks 9(17), pp. 4557-4573. DOI 10.1002/sec.1649. Online publication date: 25-Nov-2016.
  • (2015) Bidirectional Analysis Method of Static XSS Defect Detection Technique Based On Database Query Language. Transactions on Computational Collective Intelligence XIX, Volume 9380, pp. 32-44. DOI 10.1007/978-3-662-49017-4_3. Online publication date: 1-Sep-2015.
  • (2015) SQLshield. Proceedings of the 11th International Conference on Information Systems Security, Volume 9478, pp. 192-206. DOI 10.1007/978-3-319-26961-0_12. Online publication date: 16-Dec-2015.
  • (2014) Search-based security testing of web applications. Proceedings of the 7th International Workshop on Search-Based Software Testing, pp. 5-14. DOI 10.1145/2593833.2593835. Online publication date: 2-Jun-2014.
  • (2014) A survey on server-side approaches to securing web applications. ACM Computing Surveys 46(4), pp. 1-29. DOI 10.1145/2541315. Online publication date: 1-Mar-2014.
  • (2014) Automated Detection of Client-State Manipulation Vulnerabilities. ACM Transactions on Software Engineering and Methodology 23(4), pp. 1-30. DOI 10.1145/2531921. Online publication date: 5-Sep-2014.
  • (2013) Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. Proceedings of the 2013 International Conference on Software Engineering, pp. 642-651. DOI 10.5555/2486788.2486873. Online publication date: 18-May-2013.