
WebAppArmor: A Framework for Robust Prevention of Attacks on Web Applications (Invited Paper)

  • Conference paper
Information Systems Security (ICISS 2010)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6503)


Abstract

As the World Wide Web continues to evolve, the number of web-based attacks that target web applications is on the rise. Attacks such as Cross-site Scripting (XSS), SQL Injection and Cross-site Request Forgery (XSRF) are among the topmost threats on the Web, and defending against these attacks is a growing concern. In this paper, we describe WebAppArmor, a framework that is aimed at preventing these attacks on existing (legacy) web applications. The main feature of this framework is that it offers a unified perspective to address these problems in the context of existing web applications. The framework incorporates techniques based on static and dynamic analysis, symbolic evaluation and execution monitoring to retrofit existing web applications to be resilient to these attacks.
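The abstract names execution monitoring as one of the techniques used to retrofit legacy applications. As an added illustration, not code from the paper or from the WebAppArmor framework, the following Python example shows one concrete form of execution monitoring for SQL injection: the query-building site is evaluated twice, once with the real inputs and once with benign candidate inputs of the same length, and the two resulting queries are compared structurally (keywords, operators and punctuation kept, literal contents abstracted). A benign input can only change the contents of a literal; an injected input changes the shape of the query. The login query, the function names (`build_login_query`, `check_login`, `monitor`) and the inputs are constructed for this example.

```python
"""
Added illustration of execution monitoring for SQL injection by structural
comparison. Not code from the WebAppArmor paper; the application code,
names and inputs below are constructed for this example.
"""
import re

# Token classes for a minimal SQL lexer. Order matters: a comment must be
# tried before the "-" operator so that "--" is recognised as a comment.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\b\d+(?:\.\d+)?\b)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|<=|>=|=|<|>|\(|\)|,|;|\*|\+|-|/)
  | (?P<other>.)
""", re.VERBOSE)


def query_structure(sql):
    """Return the structural skeleton of a query: string and number
    literals are abstracted to their kind, words are case-folded, and
    operators, comments and stray characters are kept verbatim."""
    skeleton = []
    for m in _TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            skeleton.append(kind)          # '...' and 42 become one leaf each
        elif kind == "word":
            skeleton.append(m.group().upper())
        else:
            skeleton.append(m.group())     # operators, comments, unbalanced quotes
    return skeleton


def candidate_for(user_input):
    """Benign stand-in of the same length as the real input. It cannot
    alter query structure, so it yields the shape the developer intended
    for this code path."""
    return "a" * len(user_input)


def monitor(build_query, *inputs):
    """Execution monitor for one query-building site.

    build_query is the application's (possibly vulnerable) function that
    turns user inputs into an SQL string. It is evaluated with the real
    inputs and with benign candidates; the real query is allowed only if
    both queries have the same structure. Returns (allowed, real_query)."""
    real = build_query(*inputs)
    benign = build_query(*(candidate_for(i) for i in inputs))
    allowed = query_structure(real) == query_structure(benign)
    return allowed, real


# Constructed example application code, vulnerable by design: the query is
# assembled by string concatenation with no quoting and no parameters.
def build_login_query(user, password):
    return ("SELECT id FROM users WHERE name = '" + user +
            "' AND pw = '" + password + "'")


def check_login(user, password):
    """True if the monitor lets the query through, False if it is blocked
    as injection. A real application would execute the query on the True
    path only."""
    allowed, _sql = monitor(build_login_query, user, password)
    return allowed


if __name__ == "__main__":
    print(check_login("alice", "s3cret"))       # only literal contents differ
    print(check_login("' OR '1'='1", "x"))      # adds an OR clause: blocked
    print(check_login("admin'--", "x"))         # comments out the rest: blocked
    print(check_login("1 OR 1=1", "x"))         # stays inside the string literal
```

The last call shows why the comparison is on structure rather than on suspicious substrings: `1 OR 1=1` lands entirely inside a quoted literal at this site, so it is harmless here and is allowed, whereas the same text at a numeric site without quotes would change the structure and be blocked. An input containing an unescaped apostrophe that the application fails to escape is also blocked, which is correct since it would produce a malformed or altered query.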



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

Cite this paper

Venkatakrishnan, V.N., Bisht, P., Ter Louw, M., Zhou, M., Gondi, K., Ganesh, K.T. (2010). WebAppArmor: A Framework for Robust Prevention of Attacks on Web Applications (Invited Paper). In: Jha, S., Mathuria, A. (eds) Information Systems Security. ICISS 2010. Lecture Notes in Computer Science, vol 6503. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17714-9_2

  • DOI: https://doi.org/10.1007/978-3-642-17714-9_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17713-2

  • Online ISBN: 978-3-642-17714-9

  • eBook Packages: Computer Science (R0)
