An Improved Sanitizing Mechanism Based on Heuristic Constraining Method

  • Conference paper
Advanced Research on Electronic Commerce, Web Application, and Communication (ECWAC 2011)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 144)


Abstract

An injection flaw is the result of unvalidated input. Some input validation routines are poorly written, lacking even the most basic procedures for constraining input. Enforcing proper input validation is an effective countermeasure against injection attacks; however, improper sanitizing rules can themselves induce detection errors. In this paper we propose a heuristic mechanism that automatically generates appropriate validation rules for each vulnerable injection point. The method aims to provide both security (a low false-negative rate) and convenience (a low false-positive rate). Experimental results show that it achieves better detection accuracy than other constraining strategies.
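The abstract's point, that a single blanket sanitizing rule produces both false positives (benign input rejected) and false negatives (attacks accepted) while rules constrained to each injection point do better, can be made concrete. The following is an added example and not code from the paper: it scores a global token blacklist against per-parameter whitelist rules on a small labelled set of submissions, and also shows a simple heuristic that derives a whitelist rule from benign values observed at a point. The sample rows, the blacklist, the hand-written rules and the inference heuristic are all constructed for this illustration; none of them is the paper's data or method.

```python
"""Blacklist sanitizing versus per-injection-point validation rules.

Added example; it is not code from the paper. The labelled rows below are
constructed for this example, and the rule inference is a simple
illustrative heuristic, not the paper's method.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed, labelled submissions: (injection point, value, is_attack).
SAMPLES: List[Tuple[str, str, bool]] = [
    ("id", "42", False),
    ("id", "1 OR 1=1", True),
    ("id", "2-1", True),                 # arithmetic probe: no blacklisted token
    ("username", "alice_99", False),
    ("username", "Dorothy", False),      # benign, but contains "or"
    ("username", "admin'--", True),
    ("comment", "Great product, I'll buy it again!", False),
    ("comment", "Please drop me a line.", False),
    ("comment", "<script>alert(1)</script>", True),
    ("comment", "%3Cscript%3Ealert(1)%3C%2Fscript%3E", True),  # encoded, no token
]

Detector = Callable[[str, str], bool]   # (point, value) -> True if rejected

# 1. One global blacklist applied to every parameter.
BLACKLIST = ("'", "--", "or", "drop", "union", ";", "<")

def blacklist_sanitizer(point: str, value: str) -> bool:
    """Reject if any blacklisted token appears, whatever the parameter is."""
    low = value.lower()
    return any(token in low for token in BLACKLIST)

# 2. A whitelist rule per injection point (hand-written here).
RULES: Dict[str, re.Pattern] = {
    "id": re.compile(r"[0-9]{1,10}"),
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "comment": re.compile(r"[A-Za-z0-9 .,!?'\-]{1,200}"),
}

def make_rule_validator(rules: Dict[str, re.Pattern]) -> Detector:
    """Build a detector that accepts a value only if its point's rule matches it whole."""
    def validate(point: str, value: str) -> bool:
        rule = rules.get(point)
        if rule is None:
            return True                 # unknown injection point: fail closed
        return rule.fullmatch(value) is None
    return validate

per_point_validator: Detector = make_rule_validator(RULES)

# 3. Heuristic rule generation from benign values seen at one point
#    (illustrative only): union of the observed character classes, with the
#    length capped at twice the longest benign value.
def infer_rule(benign_values: List[str]) -> re.Pattern:
    classes = set()
    for v in benign_values:
        for ch in v:
            if ch.isdigit():
                classes.add("0-9")
            elif ch.islower():
                classes.add("a-z")
            elif ch.isupper():
                classes.add("A-Z")
            else:
                classes.add(re.escape(ch))
    max_len = max(len(v) for v in benign_values)
    return re.compile("[%s]{1,%d}" % ("".join(sorted(classes)), 2 * max_len))

def infer_rules(samples) -> Dict[str, re.Pattern]:
    """Group benign values by injection point and infer one rule per point."""
    benign: Dict[str, List[str]] = {}
    for point, value, is_attack in samples:
        if not is_attack:
            benign.setdefault(point, []).append(value)
    return {point: infer_rule(values) for point, values in benign.items()}

def evaluate(detector: Detector, samples=SAMPLES) -> Dict[str, int]:
    """Confusion counts: fp = benign rejected, fn = attack accepted."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for point, value, is_attack in samples:
        rejected = detector(point, value)
        key = ("tp" if is_attack else "fp") if rejected else ("fn" if is_attack else "tn")
        counts[key] += 1
    return counts

if __name__ == "__main__":
    print("blacklist ", evaluate(blacklist_sanitizer))
    print("per point ", evaluate(per_point_validator))
    print("inferred  ", evaluate(make_rule_validator(infer_rules(SAMPLES))))
```

On this set the blacklist both rejects benign text ("Dorothy", "I'll", "drop me a line") and misses attacks that carry none of its tokens ("2-1", the URL-encoded script), whereas the per-point rules reject exactly the attacks. The inferred rules are trained on the same benign rows they are scored on, so the run only shows that per-point rules can be derived mechanically, not how well such a heuristic generalises.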




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chen, JM. (2011). An Improved Sanitizing Mechanism Based on Heuristic Constraining Method. In: Shen, G., Huang, X. (eds) Advanced Research on Electronic Commerce, Web Application, and Communication. ECWAC 2011. Communications in Computer and Information Science, vol 144. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-20370-1_26


  • DOI: https://doi.org/10.1007/978-3-642-20370-1_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-20369-5

  • Online ISBN: 978-3-642-20370-1

  • eBook Packages: Computer Science (R0)
