
Eliminating SQL Injection and Cross Site Scripting Using Aspect Oriented Programming

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7781)

Abstract

Security vulnerabilities in the web applications we use to shop, bank, and socialize online expose us to exploits that cost billions of dollars each year. This paper describes the design and implementation of AspectShield, a system that mitigates the most common web application vulnerabilities without requiring costly, and potentially risky, modifications to the source code of the vulnerable application.

AspectShield uses Aspect Oriented Programming (AOP) to mitigate Cross-Site Scripting (XSS) and SQL Injection vulnerabilities in Java web applications. AOP is a programming paradigm for cross-cutting concerns such as logging that touch many modules of a program: the concern is written once, as an aspect, and woven into the program at the join points a pointcut selects. AspectShield runs the Fortify Source Code Analyzer to locate vulnerable code, then generates aspects whose advice is woven in around that code. At runtime the application executes the protective advice whenever a flagged block of code runs, so the vulnerability is mitigated without the original source being changed.
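The following is an added illustration of the mechanism the abstract describes, written by the editor; it is not AspectShield's own code and not the aspects the tool generates. It assumes two analyzer findings in a hypothetical application: an XSS sink in `com.example.ProductServlet` (request-derived strings written to the response) and an SQL Injection source in `com.example.ProductDao` (request parameters concatenated into a query). The class names, parameter names (`id`, `sort`) and allow-list patterns are all assumptions for the example. The `within(...)` clauses are where an analyzer report would be translated into pointcuts, which is what keeps the advice confined to flagged code rather than the whole application.

```java
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added illustration, not AspectShield's own code: one aspect that mitigates
 * two analyzer-reported findings without touching the application's source.
 * com.example.ProductServlet, com.example.ProductDao, the parameter names and
 * the allow-list patterns are hypothetical.
 */
@Aspect
public class ShieldAspect {

    // Finding 1 (XSS): ProductServlet writes request-derived strings straight
    // into the response body. Advice on the sink: every String passed to
    // PrintWriter.print/println from that class is HTML-encoded first.
    @Around("call(* java.io.PrintWriter.print*(String)) "
          + "&& within(com.example.ProductServlet) && args(text)")
    public Object encodeOutput(ProceedingJoinPoint pjp, String text) throws Throwable {
        // proceed() with a replaced argument list runs the original print call
        // on the encoded string instead of the raw one.
        return pjp.proceed(new Object[] { encodeForHtml(text) });
    }

    // Finding 2 (SQL injection): ProductDao concatenates request parameters into
    // SQL. Advice on the source: a parameter read inside that class must match
    // its allow-list pattern, otherwise the request is rejected before the value
    // can reach the query string. (Assumed parameter names and patterns.)
    private static final Map<String, Pattern> ALLOWED = Map.of(
        "id",   Pattern.compile("\\d{1,9}"),          // numeric product id
        "sort", Pattern.compile("name|price|date")    // fixed column names
    );

    @Around("call(String javax.servlet.ServletRequest+.getParameter(String)) "
          + "&& within(com.example.ProductDao) && args(name)")
    public Object validateParameter(ProceedingJoinPoint pjp, String name) throws Throwable {
        String value = (String) pjp.proceed();
        if (value == null) {
            return null;                       // absent parameter: unchanged
        }
        Pattern allowed = ALLOWED.get(name);
        // matches() anchors the pattern to the whole value, so "1 OR 1=1"
        // fails the numeric check even though it starts with digits.
        if (allowed == null || !allowed.matcher(value).matches()) {
            throw new SecurityException("rejected parameter " + name);
        }
        return value;
    }

    // Minimal HTML-body encoder, inlined so the example has no dependency
    // beyond the AspectJ runtime; OWASP ESAPI's encoder is the production choice.
    static String encodeForHtml(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

The aspect is woven either at build time with `ajc` (compiling it together with the application classes) or at load time with `-javaagent:aspectjweaver.jar` and a `META-INF/aop.xml` that lists `ShieldAspect`; in both cases the application's own `.java` files stay untouched, which is the point of the approach. Two caveats a practitioner should keep in mind: HTML-body encoding is the wrong transform for attribute, URL or JavaScript contexts, so a generated aspect has to know which sink it wraps; and validating at `getParameter` covers only that source, so values arriving via headers, cookies or the database still need their own advice.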

AspectShield was tested on three enterprise-scale Java web applications. It mitigated their SQL Injection and Cross-Site Scripting vulnerabilities without significantly affecting performance. These results show that AOP can mitigate the two top web application vulnerabilities in a cost- and time-effective manner.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Simic, B., Walden, J. (2013). Eliminating SQL Injection and Cross Site Scripting Using Aspect Oriented Programming. In: Jürjens, J., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2013. Lecture Notes in Computer Science, vol 7781. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36563-8_15

  • DOI: https://doi.org/10.1007/978-3-642-36563-8_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36562-1

  • Online ISBN: 978-3-642-36563-8