ABSTRACT
Web applications employ a heterogeneous set of programming languages: the language that was used to write the application's logic and several supporting languages. Supporting languages include, for example, server-side languages for data management like SQL and client-side interface languages such as HTML and JavaScript. These languages are handled as string values by the application's logic. Therefore, no syntactic means exist to differentiate between executable code and generic data. This circumstance is the root of most code injection vulnerabilities: attackers succeed in providing malicious data that is executed by the application as code. In this paper we introduce SMask, a novel approach towards approximating data/code separation. By using string masking to persistently mark legitimate code in string values, SMask is able to identify code that was injected during the processing of an HTTP request. SMask works transparently to the application and is implementable either by integration in the application server or by source-to-source translation using code instrumentation.
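A minimal sketch of the masking idea described in the abstract, added here as an illustration and not taken from the SMask paper or its implementation: keywords in developer-written string constants receive a secret suffix, so any unmasked keyword found in the final query must have arrived with request data. The `Masker` class, the SQL keyword list, the token format and the reject-on-detection policy are all assumptions.

```python
import re
import secrets

# Assumed keyword set for one supporting language (SQL); not from the paper.
SQL_KEYWORDS = ("SELECT", "FROM", "WHERE", "UNION", "OR", "AND",
                "INSERT", "UPDATE", "DELETE", "DROP")
_KW = "|".join(SQL_KEYWORDS)


class Masker:
    """Hypothetical helper: marks legitimate code, detects unmarked code."""

    def __init__(self, token=None):
        # Secret mask appended to legitimate keywords (format is an assumption).
        self.token = token or secrets.token_hex(4)
        self._bare = re.compile(rf"\b({_KW})\b", re.I)
        self._masked = re.compile(rf"\b({_KW}){self.token}\b", re.I)

    def mask(self, static_code):
        # Applied to string constants in the application source, which is
        # where instrumentation or the application server would do it.
        return self._bare.sub(lambda m: m.group(1) + self.token, static_code)

    def check_and_unmask(self, query):
        # Runs just before the string leaves the application. A keyword
        # without the mask did not come from the source code.
        injected = [m.group(1) for m in self._bare.finditer(query)]
        if injected:
            return None, injected          # assumed policy: reject the query
        return self._masked.sub(lambda m: m.group(1), query), []


def build_query(masker, user_id):
    # The application concatenates request data into a masked constant.
    template = masker.mask("SELECT name FROM users WHERE id = ")
    return template + user_id


if __name__ == "__main__":
    m = Masker()
    for value in ("7", "7 OR 1=1"):        # constructed sample inputs
        print(repr(value), "->", m.check_and_unmask(build_query(m, value)))
```

Request data that legitimately contains a keyword as a standalone word is also flagged by this sketch, which is why the abstract speaks of approximating data/code separation.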
CITED BY 2
Shay Artzi, Adam Kiezun, Julian Dolby, Frank Tip, Danny Dig, Amit Paradkar, Michael D. Ernst, Finding bugs in dynamic web applications, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA