Abstract
HTTP Parameter Pollution (HPP) vulnerabilities allow attackers to exploit web applications by manipulating the query parameters of the requested URLs. In this paper, we present Application Request Cache (ARC), a framework for protecting web applications against HPP exploitation. ARC hosts all benign URL schemas, which act as generators of the complete functional set of URLs that compose the application's logic. For each incoming request, ARC extracts the requested URL, derives its schema, and looks the schema up in the set of already known benign schemas. If the schema is not found, the request is rejected and the event is recorded.
ARC can be transparently integrated with existing web applications without any modifications to the server or client code. It is implemented in Google's Go language and uses efficient data structures for storing the URL schemas, imposing negligible computational overhead on the web application server. When running on a 4-core Linux server, ARC can process hundreds of thousands of URL requests per second. A typical URL resolution is on the scale of microseconds.
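The following is an added illustration of the schema-lookup idea described in the abstract; it is not code from the ARC paper or its implementation. The schema definition used here (request path plus the sorted multiset of query-parameter names, values discarded) and the seed URLs are assumptions made for the example, and the benign set is constructed by hand rather than derived from the application's URL generators as the paper describes.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Schema derives a value-free schema from a request URL: the path plus the
// sorted multiset of query-parameter names. Values are dropped, so benign
// requests that differ only in values or parameter order map to one schema,
// while a duplicated or injected parameter name produces a schema that is not
// in the benign set. This definition is an assumption of the example, not
// necessarily the one used by the ARC paper.
func Schema(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	// Split the raw query by hand: url.Values would collapse duplicate names
	// into one key, which is exactly the signal HPP detection needs to keep.
	var names []string
	if u.RawQuery != "" {
		for _, pair := range strings.Split(u.RawQuery, "&") {
			if pair == "" {
				continue
			}
			name := pair
			if i := strings.IndexByte(pair, '='); i >= 0 {
				name = pair[:i]
			}
			decoded, err := url.QueryUnescape(name)
			if err != nil {
				return "", err
			}
			names = append(names, decoded)
		}
	}
	sort.Strings(names)
	return u.Path + "?" + strings.Join(names, "&"), nil
}

// Cache holds the set of known-benign schemas and a log of rejected requests.
type Cache struct {
	benign   map[string]struct{}
	Rejected []string
}

// NewCache seeds the benign set from a list of example URLs (constructed here;
// a real deployment would derive them from the application's routes).
func NewCache(benignURLs []string) (*Cache, error) {
	c := &Cache{benign: make(map[string]struct{})}
	for _, raw := range benignURLs {
		s, err := Schema(raw)
		if err != nil {
			return nil, err
		}
		c.benign[s] = struct{}{}
	}
	return c, nil
}

// Allow applies the ARC decision rule: a request whose schema is unknown
// (or whose URL cannot be parsed) is rejected and recorded.
func (c *Cache) Allow(raw string) bool {
	s, err := Schema(raw)
	if err == nil {
		if _, ok := c.benign[s]; ok {
			return true
		}
	}
	c.Rejected = append(c.Rejected, raw)
	return false
}

func main() {
	c, err := NewCache([]string{
		"/account/transfer?to=bob&amount=10",
		"/account/view?id=7",
	})
	if err != nil {
		panic(err)
	}
	for _, r := range []string{
		"/account/transfer?to=alice&amount=5",            // benign: other values
		"/account/transfer?amount=5&to=alice",            // benign: other order
		"/account/transfer?to=alice&to=mallory&amount=5", // HPP: duplicated name
		"/account/view?id=7&action=delete",               // HPP: injected name
	} {
		fmt.Printf("%-50s allowed=%v\n", r, c.Allow(r))
	}
	fmt.Println("rejected:", len(c.Rejected))
}
```

One caveat a deployment must handle: the schema extractor has to split the query exactly as the protected application's framework does. If the backend also accepts `;` as a separator, or decodes parameters differently, a request can look benign to the filter and polluted to the application; the example above splits only on `&`.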
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Athanasopoulos, E., Kemerlis, V.P., Polychronakis, M., Markatos, E.P. (2012). ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches. In: Bao, F., Samarati, P., Zhou, J. (eds) Applied Cryptography and Network Security. ACNS 2012. Lecture Notes in Computer Science, vol 7341. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31284-7_24
DOI: https://doi.org/10.1007/978-3-642-31284-7_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31283-0
Online ISBN: 978-3-642-31284-7