Advertisement

WebAppArmor: A Framework for Robust Prevention of Attacks on Web Applications (Invited Paper)

  • V. N. Venkatakrishnan
  • Prithvi Bisht
  • Mike Ter Louw
  • Michelle Zhou
  • Kalpana Gondi
  • Karthik Thotta Ganesh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6503)

Abstract

As the World Wide Web continues to evolve, the number of web-based attacks that target web applications is on the rise. Attacks such as Cross-site Scripting (XSS), SQL Injection and Cross-site Request Forgery (XSRF) are among the topmost threats on the Web, and defending against these attacks is a growing concern. In this paper, we describe WebAppArmor, a framework that is aimed at preventing these attacks on existing (legacy) web applications. The main feature of this framework is that it offers a unified perspective to address these problems in the context of existing web applications. The framework incorporates techniques based on static and dynamic analysis, symbolic evaluation and execution monitoring to retrofit existing web applications to be resilient to these attacks.

Keywords

Document Object Model USENIX Security Symposium Distribute System Security Symposium Shadow Page Symbolic Query 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    htmLawed: PHP Code to Purify & Filter HTML, http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/ (retrieved on October 10, 2010)
  2. 2.
    kses - PHP HTML/XHTML filter, http://sourceforge.net/projects/kses/ (retrieved on October 10, 2010)
  3. 3.
    PHP Input Filter, http://sourceforge.net/projects/phpinputfilter/ (retrieved on October 10, 2010)
  4. 4.
    XSS (Cross Site Scripting) Cheat Sheet. Esp: for filter evasion, http://ha.ckers.org/xss.html (retrieved on October 10, 2010)
  5. 5.
    DOM mutation events. W3C draft (November 2003)Google Scholar
  6. 6.
    16th Annual Network & Distributed System Security Symposium, San Diego, California, USA (February 2009)Google Scholar
  7. 7.
    TJX Hacker Charged With Heartland, Hannaford Breaches (August 2009), http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland (retrieved on October 10, 2010)
  8. 8.
    Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In: Proceedings of the 29th IEEE Symposium on Security and Privacy, SP 2008, Oakland, California, USA (2008)Google Scholar
  9. 9.
    Barth, A., Jackson, C., Mitchell, J.C.: Securing Frame Communication in Browsers. In: Proceedings of the 17th Conference on Security Symposium, SS 2008, San Jose, California, USA (2008)Google Scholar
  10. 10.
    Bisht, P., Hinrichs, T., Skrupsky, N., Bobrowicz, R., Venkatakrishnan, V.N.: NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA (2010)Google Scholar
  11. 11.
    Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. ACM Trans. Inf. Syst. Secur. 13(2), 1–39 (2010)CrossRefGoogle Scholar
  12. 12.
    Bisht, P., Prasad Sistla, A., Venkatakrishnan, V.N.: Automatically Preparing Safe SQL Queries. In: Proceedings of the 14th International Conference on Financial Cryptography and Data Security, FC 2010, Tenerife, Canary Islands, Spain (2010)Google Scholar
  13. 13.
    Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL Injection Attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using Parse Tree Validation to Prevent SQL Injection Attacks. In: Proceedings of the 5th International Workshop on Software Engineering and Middleware, SEM 2005, Lisbon, Portugal (2005)Google Scholar
  16. 16.
    Symantec Corporation. Symantec internet security threat report. Technical report, Symantec Corporation (March 2008)Google Scholar
  17. 17.
    Crockford, D.: ADsafe, http://www.adsafe.org/ (retrieved on October 10, 2010)
  18. 18.
    Facebook Developers. Facebook JavaScript, http://wiki.developers.facebook.com/index.php/FBJS (retrieved on October 10, 2010)
  19. 19.
    Felt, A., Hooimeijer, P., Evans, D., Weimer, W.: Talking to Strangers Without Taking Their Candy: Isolating Proxied Content. In: Proceedings of the 1st Workshop on Social Network Systems, SNS 2008, Glasgow, Scotland (2008)Google Scholar
  20. 20.
    Finifter, M., Weinberger, J., Barth, A.: Preventing Capability Leaks in Secure JavaScript Subsets. In: Proceedings of the 17th Network and Distributed System Security Symposium, NDSS 2010, San Diego, California, USA (2010)Google Scholar
  21. 21.
    Fisher, D.: Hackers broaden reach of cross-site scripting attacks (March 2007), ComputerWeekly.com
  22. 22.
    Caja, G.: A source-to-source translator for securing JavaScript-based web content, http://code.google.com/p/google-caja/ (retrieved on October 10, 2010)
  23. 23.
    Grossman, J.: Cross site scripting worms and viruses. Technical report, WhiteHat Security Inc. (June 2007)Google Scholar
  24. 24.
    Guha, S., Cheng, B., Reznichenko, A., Haddadi, H., Francis, P.: Privad: Rearchitecting online advertising for privacy. Technical Report MPI-SWS-2009-004, Max Planck Institute for Software Systems, Kaiserslautern-Saarbruecken, Germany (October 2009)Google Scholar
  25. 25.
    Halfond, W.G.J., Orso, A., Manolios, P.: Using Positive Tainting and Syntax-aware Evaluation to Counter SQL Injection Attacks. In: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE 2006, Portland, Oregon, USA (2006)Google Scholar
  26. 26.
    Hansen, R.: XSS cheat sheet, http://ha.ckers.org/xss.html (retrieved on October 10, 2010)
  27. 27.
    Jackson, C., Wang, H.J.: Subspace: Secure cross-domain communication for web mashups. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, Banff, Alberta, Canada (2007)Google Scholar
  28. 28.
    Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-enforced Embedded Policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, Banff, Alberta, Canada (2007)Google Scholar
  29. 29.
    Johns, M., Winter, J.: RequestRodeo: Client Side Protection against Session Riding. In: Proceedings of the OWASP Europe 2006 Conference, OWASP-APPSEC 2006, Leuven, Belgium (2006)Google Scholar
  30. 30.
    Jovanovic, N., Kirda, E., Kruegel, C.: Preventing Cross Site Request Forgery Attacks. In: Proceedings of the 2nd IEEE Communications Society International Conference on Security and Privacy in Communication Networks, SecureComm 2006, Baltimore, Maryland, USA (2006)Google Scholar
  31. 31.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, SP 2006, Oakland, California, USA (2006)Google Scholar
  32. 32.
    Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: JavaScript Instrumentation in Practice. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 326–341. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  33. 33.
    Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: A Client-side Solution for Mitigating Cross-site Scripting Attacks. In: Proceedings of the 21st ACM Symposium on Applied Computing, SAC 2006, Dijon, France (2006)Google Scholar
  34. 34.
    Benjamin Livshits, V., Guarnieri, S.: Gatekeeper: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In: Proceedings of the 18th USENIX Security Symposium, SS 2009, Montreal, Canada (2009)Google Scholar
  35. 35.
    Benjamin Livshits, V., Lam, M.S.: Finding Security Vulnerabilities in Java Applications with Static Analysis. In: Proceedings of the 14th USENIX Security Symposium, SS 2005, Baltimore, Maryland, USA (2005)Google Scholar
  36. 36.
    Louw, M.T., Bisht, P., Venkatakrishnan, V.N.: Analysis of Hypertext Markup Isolation Techniques for XSS Prevention. In: Workshop on Web 2.0 Security and Privacy (W2SP), W2SP 2008, Oakland, California, USA (2008)Google Scholar
  37. 37.
    Maffeis, S., Mitchell, J.C., Taly, A.: Language-Based Isolation of Untrusted JavaScript. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium, CSF 2009, Port Jefferson, New York, USA (2009)Google Scholar
  38. 38.
    Maffeis, S., Mitchell, J.C., Taly, A.: Run-Time Enforcement of Secure JavaScript Subsets. In: Web 2.0 Security and Privacy, W2SP 2009, Oakland, California, USA (2009)Google Scholar
  39. 39.
    McFeters, N.: Multiple facebook vulnerabilities reported on full-disclosure. Zero-Day Vulnerabilities blog (July 2008)Google Scholar
  40. 40.
    Microsoft Live Labs. Web Sandbox, http://websandbox.livelabs.com (retrieved on October 10, 2010)
  41. 41.
    Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically Hardening Web Applications using Precise Tainting. In: Proceedings of the 20th IFIP Conference on Information Security, SEC 2005, Makuhari-Messe, Chiba, Japan (2005)Google Scholar
  42. 42.
    Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In: Proceedings of the 14th Annual Network & Distributed System Security Symposium, NDSS 2007, San Diego, CA, USA (2007)Google Scholar
  43. 43.
    Phung, P.H., Sands, D., Chudnov, A.: Lightweight self-protecting JavaScript. In: Proceedings of the 4th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, Novotel Rockford Darling Harbour, Sydney, Australia (2009)Google Scholar
  44. 44.
    Pietraszek, T., Berghe, C.V.: Defending Against Injection Attacks through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  45. 45.
    Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerability-driven filtering of dynamic HTML. In: Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2006, Seattle, Washington, USA (2006)Google Scholar
  46. 46.
    Samy. I’m popular. Description of the MySpace worm by the author, including a technical exaplanation (2005), http://namb.la/popular (retrieved on October 10, 2010)
  47. 47.
    Saxena, P., Song, D., Nadji, Y.: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In: Proceedings of 16th Annual Network & Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)Google Scholar
  48. 48.
    Sekar, R.: An Efficient Black-box Technique for Defeating Web Application Attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)Google Scholar
  49. 49.
    Su, Z., Wassermann, G.: The Essence of Command Injection Attacks in Web Applications. In: Proceedings of the 33rd Symposium on Principles of Programming Languages, POPL 2006, Charleston, South Carolina, USA (2006)Google Scholar
  50. 50.
    Louw, M.T., Ganesh, K.T., Venkatakrishnan, V.N.: AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. In: Proceedings of the 19th USENIX Security Symposium, SS 2010, Washington, DC, USA (2010)Google Scholar
  51. 51.
    Louw, M.T., Venkatakrishnan, V.N.: Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, SP 2009, Oakland, California, USA (2009)Google Scholar
  52. 52.
    Toubiana, V., Narayanan, A., Boneh, D., Nissenbaum, H., Barocas, S.: Adnostic: Privacy Preserving Targeted Advertising. Technical reportGoogle Scholar
  53. 53.
    Van Gundy, M., Chen, H.: Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-site Scripting Attacks. In: Proceedings of the 16th Annual Network & Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)Google Scholar
  54. 54.
    Vance, A.: Times Web Ads Show Security Breach. NY Times (September 2009) (retrieved on October 10, 2010) Google Scholar
  55. 55.
    World Wide Web Consortium (W3C). HTML 5: A vocabulary and associated APIs for HTML and XHTML (working draft) (January 2008), http://www.w3.org/TR/2008/WD-html5-20080122/
  56. 56.
    Wassermann, G., Su, Z.: Static Detection of Cross-site Scripting Vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, ICSE 2008, Leipzig, Germany (2008)Google Scholar
  57. 57.
    Wikipedia contributors. Same origin policy (February 2008), http://en.wikipedia.org/w/index.php?title=Same_origin_policy&oldid=190222964
  58. 58.
    World Internet Usage Statistics. Internet bulletin (March 2008), http://www.internetworldstats.com/stats.htm
  59. 59.
    Xie, Y., Aiken, A.: Static Detection of Security Vulnerabilities in Scripting Languages. In: Proceedings of the 15th USENIX Security Symposium, SS 2006, Vancouver, BC, Canada (2006)Google Scholar
  60. 60.
    Xu, W., Bhatkar, S., Sekar, R.: Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In: Proceedings of the 15th USENIX Security Symposium, SS 2006, Vancouver, BC, Canada (2006)Google Scholar
  61. 61.
    Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proceedings of the 34th Annual ACM Symposium on Principles of Programming Languages, POPL 2007, Nice, France (2007)Google Scholar
  62. 62.
    Zeller, W., Felten, E.W.: Cross-site request forgeries: Exploitation and prevention. Technical report, Princeton University (Fall 2008)Google Scholar
  63. 63.
    Zhou, M., Bisht, P., Venkatakrishnan, V.N.: Strengthening XSRF Defenses for Legacy Web Applications Using White-box Analysis and Transformation. In: 6th International Conference on Information Systems Security, ICISS 2010 (December 2010) (to appear)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • V. N. Venkatakrishnan
    • 1
  • Prithvi Bisht
    • 1
  • Mike Ter Louw
    • 1
  • Michelle Zhou
    • 1
  • Kalpana Gondi
    • 1
  • Karthik Thotta Ganesh
    • 1
  1. 1.Department of Computer ScienceUniversity of IllinoisChicagoUSA

Personalised recommendations