Abstract
As the World Wide Web continues to evolve, the number of web-based attacks that target web applications is on the rise. Attacks such as Cross-site Scripting (XSS), SQL Injection and Cross-site Request Forgery (XSRF) are among the topmost threats on the Web, and defending against these attacks is a growing concern. In this paper, we describe WebAppArmor, a framework that is aimed at preventing these attacks on existing (legacy) web applications. The main feature of this framework is that it offers a unified perspective to address these problems in the context of existing web applications. The framework incorporates techniques based on static and dynamic analysis, symbolic evaluation and execution monitoring to retrofit existing web applications to be resilient to these attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
htmLawed: PHP Code to Purify & Filter HTML, http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/ (retrieved on October 10, 2010)
kses - PHP HTML/XHTML filter, http://sourceforge.net/projects/kses/ (retrieved on October 10, 2010)
PHP Input Filter, http://sourceforge.net/projects/phpinputfilter/ (retrieved on October 10, 2010)
XSS (Cross Site Scripting) Cheat Sheet. Esp: for filter evasion, http://ha.ckers.org/xss.html (retrieved on October 10, 2010)
DOM mutation events. W3C draft (November 2003)
16th Annual Network & Distributed System Security Symposium, San Diego, California, USA (February 2009)
TJX Hacker Charged With Heartland, Hannaford Breaches (August 2009), http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland (retrieved on October 10, 2010)
Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In: Proceedings of the 29th IEEE Symposium on Security and Privacy, SP 2008, Oakland, California, USA (2008)
Barth, A., Jackson, C., Mitchell, J.C.: Securing Frame Communication in Browsers. In: Proceedings of the 17th Conference on Security Symposium, SS 2008, San Jose, California, USA (2008)
Bisht, P., Hinrichs, T., Skrupsky, N., Bobrowicz, R., Venkatakrishnan, V.N.: NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA (2010)
Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. ACM Trans. Inf. Syst. Secur. 13(2), 1–39 (2010)
Bisht, P., Prasad Sistla, A., Venkatakrishnan, V.N.: Automatically Preparing Safe SQL Queries. In: Proceedings of the 14th International Conference on Financial Cryptography and Data Security, FC 2010, Tenerife, Canary Islands, Spain (2010)
Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)
Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL Injection Attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)
Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using Parse Tree Validation to Prevent SQL Injection Attacks. In: Proceedings of the 5th International Workshop on Software Engineering and Middleware, SEM 2005, Lisbon, Portugal (2005)
Symantec Corporation. Symantec internet security threat report. Technical report, Symantec Corporation (March 2008)
Crockford, D.: ADsafe, http://www.adsafe.org/ (retrieved on October 10, 2010)
Facebook Developers. Facebook JavaScript, http://wiki.developers.facebook.com/index.php/FBJS (retrieved on October 10, 2010)
Felt, A., Hooimeijer, P., Evans, D., Weimer, W.: Talking to Strangers Without Taking Their Candy: Isolating Proxied Content. In: Proceedings of the 1st Workshop on Social Network Systems, SNS 2008, Glasgow, Scotland (2008)
Finifter, M., Weinberger, J., Barth, A.: Preventing Capability Leaks in Secure JavaScript Subsets. In: Proceedings of the 17th Network and Distributed System Security Symposium, NDSS 2010, San Diego, California, USA (2010)
Fisher, D.: Hackers broaden reach of cross-site scripting attacks (March 2007), ComputerWeekly.com
Caja, G.: A source-to-source translator for securing JavaScript-based web content, http://code.google.com/p/google-caja/ (retrieved on October 10, 2010)
Grossman, J.: Cross site scripting worms and viruses. Technical report, WhiteHat Security Inc. (June 2007)
Guha, S., Cheng, B., Reznichenko, A., Haddadi, H., Francis, P.: Privad: Rearchitecting online advertising for privacy. Technical Report MPI-SWS-2009-004, Max Planck Institute for Software Systems, Kaiserslautern-Saarbruecken, Germany (October 2009)
Halfond, W.G.J., Orso, A., Manolios, P.: Using Positive Tainting and Syntax-aware Evaluation to Counter SQL Injection Attacks. In: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE 2006, Portland, Oregon, USA (2006)
Hansen, R.: XSS cheat sheet, http://ha.ckers.org/xss.html (retrieved on October 10, 2010)
Jackson, C., Wang, H.J.: Subspace: Secure cross-domain communication for web mashups. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, Banff, Alberta, Canada (2007)
Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-enforced Embedded Policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, Banff, Alberta, Canada (2007)
Johns, M., Winter, J.: RequestRodeo: Client Side Protection against Session Riding. In: Proceedings of the OWASP Europe 2006 Conference, OWASP-APPSEC 2006, Leuven, Belgium (2006)
Jovanovic, N., Kirda, E., Kruegel, C.: Preventing Cross Site Request Forgery Attacks. In: Proceedings of the 2nd IEEE Communications Society International Conference on Security and Privacy in Communication Networks, SecureComm 2006, Baltimore, Maryland, USA (2006)
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, SP 2006, Oakland, California, USA (2006)
Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: JavaScript Instrumentation in Practice. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 326–341. Springer, Heidelberg (2008)
Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: A Client-side Solution for Mitigating Cross-site Scripting Attacks. In: Proceedings of the 21st ACM Symposium on Applied Computing, SAC 2006, Dijon, France (2006)
Benjamin Livshits, V., Guarnieri, S.: Gatekeeper: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In: Proceedings of the 18th USENIX Security Symposium, SS 2009, Montreal, Canada (2009)
Benjamin Livshits, V., Lam, M.S.: Finding Security Vulnerabilities in Java Applications with Static Analysis. In: Proceedings of the 14th USENIX Security Symposium, SS 2005, Baltimore, Maryland, USA (2005)
Louw, M.T., Bisht, P., Venkatakrishnan, V.N.: Analysis of Hypertext Markup Isolation Techniques for XSS Prevention. In: Workshop on Web 2.0 Security and Privacy (W2SP), W2SP 2008, Oakland, California, USA (2008)
Maffeis, S., Mitchell, J.C., Taly, A.: Language-Based Isolation of Untrusted JavaScript. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium, CSF 2009, Port Jefferson, New York, USA (2009)
Maffeis, S., Mitchell, J.C., Taly, A.: Run-Time Enforcement of Secure JavaScript Subsets. In: Web 2.0 Security and Privacy, W2SP 2009, Oakland, California, USA (2009)
McFeters, N.: Multiple facebook vulnerabilities reported on full-disclosure. Zero-Day Vulnerabilities blog (July 2008)
Microsoft Live Labs. Web Sandbox, http://websandbox.livelabs.com (retrieved on October 10, 2010)
Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically Hardening Web Applications using Precise Tainting. In: Proceedings of the 20th IFIP Conference on Information Security, SEC 2005, Makuhari-Messe, Chiba, Japan (2005)
Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In: Proceedings of the 14th Annual Network & Distributed System Security Symposium, NDSS 2007, San Diego, CA, USA (2007)
Phung, P.H., Sands, D., Chudnov, A.: Lightweight self-protecting JavaScript. In: Proceedings of the 4th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, Novotel Rockford Darling Harbour, Sydney, Australia (2009)
Pietraszek, T., Berghe, C.V.: Defending Against Injection Attacks through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)
Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerability-driven filtering of dynamic HTML. In: Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2006, Seattle, Washington, USA (2006)
Samy. I’m popular. Description of the MySpace worm by the author, including a technical exaplanation (2005), http://namb.la/popular (retrieved on October 10, 2010)
Saxena, P., Song, D., Nadji, Y.: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In: Proceedings of 16th Annual Network & Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)
Sekar, R.: An Efficient Black-box Technique for Defeating Web Application Attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)
Su, Z., Wassermann, G.: The Essence of Command Injection Attacks in Web Applications. In: Proceedings of the 33rd Symposium on Principles of Programming Languages, POPL 2006, Charleston, South Carolina, USA (2006)
Louw, M.T., Ganesh, K.T., Venkatakrishnan, V.N.: AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. In: Proceedings of the 19th USENIX Security Symposium, SS 2010, Washington, DC, USA (2010)
Louw, M.T., Venkatakrishnan, V.N.: Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, SP 2009, Oakland, California, USA (2009)
Toubiana, V., Narayanan, A., Boneh, D., Nissenbaum, H., Barocas, S.: Adnostic: Privacy Preserving Targeted Advertising. Technical report
Van Gundy, M., Chen, H.: Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-site Scripting Attacks. In: Proceedings of the 16th Annual Network & Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)
Vance, A.: Times Web Ads Show Security Breach. NY Times (September 2009) (retrieved on October 10, 2010)
World Wide Web Consortium (W3C). HTML 5: A vocabulary and associated APIs for HTML and XHTML (working draft) (January 2008), http://www.w3.org/TR/2008/WD-html5-20080122/
Wassermann, G., Su, Z.: Static Detection of Cross-site Scripting Vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, ICSE 2008, Leipzig, Germany (2008)
Wikipedia contributors. Same origin policy (February 2008), http://en.wikipedia.org/w/index.php?title=Same_origin_policy&oldid=190222964
World Internet Usage Statistics. Internet bulletin (March 2008), http://www.internetworldstats.com/stats.htm
Xie, Y., Aiken, A.: Static Detection of Security Vulnerabilities in Scripting Languages. In: Proceedings of the 15th USENIX Security Symposium, SS 2006, Vancouver, BC, Canada (2006)
Xu, W., Bhatkar, S., Sekar, R.: Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In: Proceedings of the 15th USENIX Security Symposium, SS 2006, Vancouver, BC, Canada (2006)
Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proceedings of the 34th Annual ACM Symposium on Principles of Programming Languages, POPL 2007, Nice, France (2007)
Zeller, W., Felten, E.W.: Cross-site request forgeries: Exploitation and prevention. Technical report, Princeton University (Fall 2008)
Zhou, M., Bisht, P., Venkatakrishnan, V.N.: Strengthening XSRF Defenses for Legacy Web Applications Using White-box Analysis and Transformation. In: 6th International Conference on Information Systems Security, ICISS 2010 (December 2010) (to appear)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Venkatakrishnan, V.N., Bisht, P., Ter Louw, M., Zhou, M., Gondi, K., Ganesh, K.T. (2010). WebAppArmor: A Framework for Robust Prevention of Attacks on Web Applications (Invited Paper). In: Jha, S., Mathuria, A. (eds) Information Systems Security. ICISS 2010. Lecture Notes in Computer Science, vol 6503. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17714-9_2
Download citation
DOI: https://doi.org/10.1007/978-3-642-17714-9_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17713-2
Online ISBN: 978-3-642-17714-9
eBook Packages: Computer ScienceComputer Science (R0)