DOI: 10.1145/1111037.1111070

The essence of command injection attacks in web applications

Published: 11 January 2006

Abstract

Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through a low-level API by dynamically constructing query strings within a general-purpose programming language, such as Java. This low-level interaction is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the web application to generate unintended output. This is called a command injection attack, which poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the database query or the output document must change the intended syntactic structure of the query or document. Our definition and algorithm are general and apply to many forms of command injection attacks. We validate our approach with SqlCheckS, an implementation for the setting of SQL command injection attacks. We evaluated SqlCheckS on real-world web applications with systematically compiled real-world attack data as input. SqlCheckS produced no false positives or false negatives, incurred low runtime overhead, and applied straightforwardly to web applications written in different languages.
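The key observation in the abstract, that an injected input must change the intended syntactic structure of the query, can be turned directly into a runtime check. The block below is an added Python illustration written for this page; it is not the paper's SqlCheckS implementation nor any code from the authors. It assumes a hypothetical toy grammar (SELECT columns FROM table, optionally WHERE comparisons joined by AND/OR, with parentheses) and hypothetical names (`tokenize`, `Parser`, `check_query`). The query fragments used with it are constructed samples.

```python
import re

# Lexer for a toy SELECT grammar (hypothetical, not the paper's grammar).
# A string literal also yields a child node for its content, so input placed
# between quotes can still be a complete syntactic unit.
_TOKEN_RE = re.compile(
    r"(?P<ws>\s+)|(?P<str>'(?:[^']|'')*')|(?P<num>\d+)"
    r"|(?P<op>=|<>|<=|>=|<|>)|(?P<lp>\()|(?P<rp>\))|(?P<comma>,)"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
)
_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}


class Node:  # parse-tree node covering query characters [start, end)
    def __init__(self, kind, start, end, children=()):
        self.kind, self.start, self.end = kind, start, end
        self.children = list(children)

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def tokenize(sql):
    tokens, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"lexical error at offset {pos}")
        kind = m.lastgroup
        if kind != "ws":
            if kind == "word" and m.group().upper() in _KEYWORDS:
                kind = m.group().upper()
            tok = Node(kind, m.start(), m.end())
            if kind == "str":
                tok.children.append(Node("strcontent", m.start() + 1, m.end() - 1))
            tokens.append(tok)
        pos = m.end()
    return tokens


class Parser:  # recursive descent: SELECT cols FROM table [WHERE cond]
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self, *kinds):
        return self.i < len(self.toks) and self.toks[self.i].kind in kinds

    def expect(self, *kinds):
        if not self.peek(*kinds):
            raise ValueError(f"syntax error at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1]

    def _node(self, kind, kids):  # a lone child is returned unwrapped
        return kids[0] if len(kids) == 1 else Node(kind, kids[0].start, kids[-1].end, kids)

    def select(self):
        kids = [self.expect("SELECT"), self.expect("word")]
        while self.peek("comma"):
            kids += [self.expect("comma"), self.expect("word")]
        kids += [self.expect("FROM"), self.expect("word")]
        if self.peek("WHERE"):
            kids += [self.expect("WHERE"), self.cond()]
        if self.i != len(self.toks):
            raise ValueError("trailing tokens")
        return Node("select", kids[0].start, kids[-1].end, kids)

    def cond(self):
        kids = [self.term()]
        while self.peek("OR"):
            kids += [self.expect("OR"), self.term()]
        return self._node("or", kids)

    def term(self):
        kids = [self.factor()]
        while self.peek("AND"):
            kids += [self.expect("AND"), self.factor()]
        return self._node("and", kids)

    def factor(self):
        operand = ("num", "str", "word")
        if self.peek("lp"):
            kids = [self.expect("lp"), self.cond(), self.expect("rp")]
        else:
            kids = [self.expect(*operand), self.expect("op"), self.expect(*operand)]
        return Node("factor", kids[0].start, kids[-1].end, kids)


def check_query(prefix, user_input, suffix):
    """Build prefix + user_input + suffix and return (query, accepted).

    accepted is True only if some parse-tree node covers exactly the characters
    the user input contributed, i.e. the input is one complete syntactic unit
    and left the structure intended by prefix and suffix unchanged. A query
    that does not parse at all is rejected too.
    """
    query = prefix + user_input + suffix
    start, end = len(prefix), len(prefix) + len(user_input)
    try:
        tree = Parser(tokenize(query)).select()
    except ValueError:
        return query, False
    return query, any(n.start == start and n.end == end for n in tree.walk())
```

Here `check_query` tracks the input by character offset, whereas the paper's SqlCheckS delimits it with meta-characters, but the criterion is the same: the input passes only when it is derivable from a single nonterminal of the query grammar, checked here as a parse-tree node whose span equals the input's span. The check is purely structural, with no blacklist of dangerous characters: a value such as `O''Brien` placed inside a quoted literal passes because the literal's content node spans exactly the input, while an input that opens a new clause, closes a quote early, or does not lex at all is rejected. For a real application the parser would have to cover the database's actual SQL dialect; parameterised queries remain the simpler way to guarantee the same property.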




Published In

POPL '06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2006, 432 pages
ISBN: 1595930272
DOI: 10.1145/1111037

Also published in ACM SIGPLAN Notices, Volume 41, Issue 1: Proceedings of the 2006 POPL Conference
January 2006, 421 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1111320

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. command injection attacks
  2. grammars
  3. parsing
  4. runtime verification
  5. web applications

Conference

POPL06

Acceptance Rates

Overall Acceptance Rate 824 of 4,130 submissions, 20%

Article Metrics

  • Downloads (last 12 months): 141
  • Downloads (last 6 weeks): 16
Reflects downloads up to 25 Dec 2024

Cited By

  • (2024) Toward Pointer-Analysis-Based Vulnerability Discovery in Human–Machine Pair Programming. International Journal of Software Engineering and Knowledge Engineering 34(05):751-774. DOI: 10.1142/S0218194024500013. Online publication date: 22-Feb-2024.
  • (2024) A Novel Technique for Sql Injection, Detection and Preventions using Token Separation. 2024 International Conference on Advances in Computing Research on Science Engineering and Technology (ACROSET), pages 1-4. DOI: 10.1109/ACROSET62108.2024.10743869. Online publication date: 27-Sep-2024.
  • (2024) Detecting security vulnerabilities with vulnerability nets. Journal of Systems and Software 208(C). DOI: 10.1016/j.jss.2023.111902. Online publication date: 1-Feb-2024.
  • (2024) SQL Injection Attack Detection and Prevention Based on Manipulating the SQL Query Input Attributes. Computational Sciences and Sustainable Technologies, pages 213-221. DOI: 10.1007/978-3-031-50993-3_17. Online publication date: 3-Feb-2024.
  • (2023) SQIRL. Proceedings of the 32nd USENIX Conference on Security Symposium, pages 6097-6114. DOI: 10.5555/3620237.3620578. Online publication date: 9-Aug-2023.
  • (2023) Detection and Analysis of Port Scanning and SQL Injection Vulnerabilities with correlating factors in Web Applications to Enhance secure Data Transmission. 2023 International Conference on Research Methodologies in Knowledge Management, Artificial Intelligence and Telecommunication Engineering (RMKMATE), pages 1-5. DOI: 10.1109/RMKMATE59243.2023.10368777. Online publication date: 1-Nov-2023.
  • (2023) Secure cloud-based mobile apps: attack taxonomy, requirements, mechanisms, tests and automation. International Journal of Information Security 22(4):833-867. DOI: 10.1007/s10207-023-00669-z. Online publication date: 17-Feb-2023.
  • (2022) Detecting Security Vulnerabilities with Vulnerability Nets. 2022 IEEE 22nd International Conference on Software Quality, Reliability, and Security Companion (QRS-C), pages 375-383. DOI: 10.1109/QRS-C57518.2022.00062. Online publication date: Dec-2022.
  • (2022) Web Application Penetration Testing & Patch Development Using Kali Linux. 2022 8th International Conference on Advanced Computing and Communication Systems (ICACCS), pages 1392-1397. DOI: 10.1109/ICACCS54159.2022.9785232. Online publication date: 25-Mar-2022.
  • (2022) Ransomware Detection in Databases through Dynamic Analysis of Query Sequences. 2022 IEEE Conference on Communications and Network Security (CNS), pages 326-334. DOI: 10.1109/CNS56114.2022.9947244. Online publication date: 3-Oct-2022.
