The essence of command injection attacks in web applications

Conference Record of the Annual ACM Symposium on Principles of Programming Languages

Volumn , Issue , 2006, Pages 372-382

  Su, Zhendong ^a   Wassermann, Gary ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Command injection attacks; Grammars; Parsing; Runtime verification; Web applications

Indexed keywords

COMPUTER PROGRAMMING LANGUAGES; CONTEXT FREE GRAMMARS; HTML; INFORMATION RETRIEVAL; QUERY LANGUAGES; WORLD WIDE WEB;

COMMAND INJECTION ATTACKS; PARSING; RUNTIME VERIFICATION; WEB APPLICATIONS;

DATABASE SYSTEMS;

EID: 33745811685     PISSN: 07308566     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1111037.1111070     Document Type: Conference Paper

References (43)

1. A. Aho, R. Sethi, and J. Ullman. Compilers, Principles, Techniques and Tools. Addison-Wesley, 1986.
2. C. Anley. Advanced SQL Injection in SQL Server Applications. An NGSSoftware Insight Security Research (NISR) publication, 2002. URL: http://www.nextgenss.com/papers/advanced_sql_injection.pdf.
3. ω. In The 19th European Conference on Object-Oriented Programming (ECOOP), 2005. To appear.
4. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In International Conference on Applied Cryptography and Network Security (ACNS), LNCS, volume 2, 2004.
5. C. Brabrand, A. Møller, M. Ricky, and M. I. Schwartzbach. Powerforms: Declarative client-side form field validation. World Wide Web, 3(4), 2000.
6. G. T. Buehrer, B. W. Weide, and P. A. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In Proceedings of the International Workshop on Software Engineering and Middleware (SEM) at Joint FSE and ESEC, Sept. 2005.
7. W. R. Cook and S. Rai. Safe Query Objects: Statically Typed Objects as Remotely Executable Queries. In Proceedings of the 27th International Conference on Software Engineering (ICSE), 2005.
8. D. Dean and D. Wagner. Intrusion detection via static analysis. In Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 2001. IEEE Computer Society, Technical Committee on Security and Privacy, IEEE Computer Society Press.
9. R. DeLine and M. Fähndrich. The Fugue protocol checker: Is your software baroque? Technical Report MSR-TR-2004-07, Microsoft Research, Jan. 2004. http://research.microsoft.com/~maf/Papers/tr-2004-07.pdf.
10. J. Foster, M. Fähndrich, and A. Aiken. A theory of type qualifiers. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 192-203, Atlanta, Georgia, May 1-4, 1999.
11. M. Furr and J. S. Foster. Checking type safety of foreign function calls. In Proceedings of the ACM SIGPLAN 2005 Conference on Programming Language Design and Implementation, pages 62-72, 2005.
12. C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In Proceedings of the 25th International Conference on Software Engineering (ICSE), pages 645-654, May 2004.
13. W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of 20th ACM International Conference on Automated Software Engineering (ASE), Nov. 2005.
14. Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai. Web application security assessment by fault injection and behavior monitoring. In World Wide Web, 2003.
15. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In World Wide Web, pages 40-52, 2004.
16. J. B. Kam and J. D. Ullman. Global data flow analysis and iterative algorithms. Journal of the ACM, 23(1):158-171, 1976.
17. Kavado, Inc. InterDo Vers. 3.0, 2003.
18. G. A. Kildall. A unified approach to global program optimization. In Proceedings of the 1st Annual Symposium on Principles of Programming Languages (POPL), pages 194-206, Oct. 1973.
19. A. Klein. Blind XPath Injection. Whitepaper from Watchfire, 2005.
20. E. Kohlbecker, D. P. Friedman, M. Felleisen, and B. Duba. Hygienic macro expansion. In Conference on LISP and Functional Programming, 1986.
21. L. Koved, M. Pistoia, and A. Kershenbaum. Access rights analysis for Java. In Proceedings of the 17th Annual Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), pages 359-372, Nov. 2002.
22. M. S. Lam, J. Whaley, V. B. Livshits, M. Martin, D. Avots, M. Carbin, and C. Unkel. Context-sensitive program analysis as database queries. In Proceedings of the ACM Conference on Principles of Database Systems (PODS), June 2005.
23. R. Lemos. Flawed USC admissions site allowed access to applicant data, July 2005. http://www.securityfocus.com/news/11239.
24. V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In Usenix Security Symposium, Aug. 2005. To appear.
25. K. J. L. Mark Grechanik, William R. Cook. Static checking of object-oriented polylingual systems. http://www.cs.utexas.edu/users/wcook/Drafts/FOREL.pdf, Mar. 2005.
26. M. Martin, V. B. Livshits, and M. S. Lam. Finding application errors using PQL: a program query language. In 20th Annual ACM Conference on Object-Oriented Programming, Systems, Languages, oct 2005. To appear.
27. R. A. McClure and I. H. Krüger. SQL DOM: compile time checking of dynamic SQL statements. In Proceedings of the 27th International Conference on Software Engineering, pages 88-96, 2005.
28. S. McPeak. Elsa: An Elkhound-based C++ Parser, May 2005. http://www.cs.berkeley.edu/~smcpeak/elkhound/.
29. E. Meijer, W. Schulte, and G. Bierman. Unifying tables, objects and documents, 2003.
30. G. Naumovich and P. Centonze. Static analysis of role-based access control in J2EE applications. SIGSOFT Software Engineering Notes, 29(5): 1-10, 2004.
31. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Twentieth IFIP International Information Security Conference (SEC'05), 2005.
32. T. Pietraszek and C. V. Berghe. Defending against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2005.
33. Sanctum Inc. Web Application Security Testing-Appscan 3.5. URL: http://www.sanctuminc.com.
34. Sanctum Inc. AppShield 4.0 Whitepaper., 2002. URL: http://www.sanctuminc.com.
35. D. Scott and R. Sharp. Abstracting application-level web security. In World Wide Web, 2002.
36. D. Scott and R. Sharp. Specifying and enforcing application-level web security policies. IEEE Transactions on Knowledge and Data Engineering, 15(4):771-783, 2003.
37. Security Focus, http://www.securityfocus.com.
38. SPI Dynamics. Web Application Security Assessment. SPI Dynamics Whitepaper, 2003.
39. W. Taha and T. Sheard. Multi-stage programming with explicit annotations. In Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation (PEPM), 1997.
40. L. Wall, T. Christiansen, and R. L. Schwartz. Programming Perl (3rd Edition). O'Reilly, 2000.
41. G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pages 70-78, 2004.
42. D. Weise and R. Crew. Programmable syntax macros. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 156-165, 1993.
43. J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 131-144, June 2004.