Skip to main content
SpringerLink
Log in

XIVD: Runtime Detection of XPath Injection Vulnerabilities in XML Databases through Aspect Oriented Programming

  • Conference paper
Advances in Computing and Information Technology (ACITY 2011)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 198))

  • 1785 Accesses

Abstract

The growing acceptance of XML technologies for documents and protocols, it is logical that security should be integrated with XML solutions. In a web application, an improper user input is root cause for a wide variety of attacks. XML Path or XPath language is used for querying information from the nodes of an XML document. XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents such as SQL in Databases. Hence, we proposed an approach to detect XPath injection attack in XML databases at runtime through Aspect Oriented Programming (AOP). Our approach intercept XPath expression i.e.) XQuery from the web application through Aspect Oriented Programming (AOP) and parse the XQuery expression to find the inputs to be placed in the expression. The identified inputs are used to design an XML file and it would be validated through a proposed schema. The validation results the correctness of the XQuery.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Su, Z., Wassermann, G.: The Essence of Command Injection Attacks in Web Applications. In: Proceedings of the Thirty Third ACM Symposium on Principles of Programming Languages, South Carolina, pp. 372–382 (2006)

    Google Scholar 

  2. Kelvin, A.: Blind XPath Injection, a whitepaper from Watchfire, Director of Security and Research, Sanctum (2005)

    Google Scholar 

  3. Blasco, J.: Introduction to XPath Injection Techniques. In: Hakin9, Conference on IT Underground, Czech Republic, pp. 23–31 (2007)

    Google Scholar 

  4. Mitropoulos, D., Karakoidas, V., Spinellis, D.: Fortifying Applications against XPath Injection Attacks. In: MCIS 2009: 4th Mediterranean Conference on Information Systems, Athens, pp. 1169–1179 (2009)

    Google Scholar 

  5. Antunes, N., Laranjeiro, N., Vieira, M., Madeira, H.: Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services. In: IEEE International Conference on Services Computing, Portugal, pp. 260–267 (2009)

    Google Scholar 

  6. Hermosillo, G., Gomez, R., Seinturier, L., Duchien, L.: Using Aspect Programming to Secure Web Applications. Journal of Software 6(2), 53–63 (2008)

    Google Scholar 

  7. Groppe, J., Groppe, S.: Filtering unsatisfiable XPath queries. Journal Data & Knowledge Engineering 64(1), 134–169 (2008)

    Article  Google Scholar 

  8. XML Path Language (XPath) version 2.0, http://www.w3.org/TR/XPath

  9. OWASP Guide, http://www.owasp.org/index.php/Blind_XPath_Injection

  10. Vieira, M., Antunes, N., Madeira, H.: Using Web Security Scanners to Detect Vulnerabilities in Web Services. In: Intl.Conf. on Dependable Systems and Networks, Lisbon (2009)

    Google Scholar 

  11. Laranjeiro, N., Vieira, M., Madeira, H.: Protecting Database Centric Web Services against SQL/XPath Injection Attacks. In: Bhowmick, S.S., Küng, J., Wagner, R. (eds.) DEXA 2009. LNCS, vol. 5690, pp. 271–278. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  12. Wu, R., Hisada, H., Ranaweera, R.: Static analysis of web security in generic syntax format. In: The International Conference on Internet Computing (ICOMP 2009), Las Vegas, NV, pp. 58–63 (2009)

    Google Scholar 

  13. Gegick, M., Williams, L.: Toward the use of automated static analysis alerts for early identification of vulnerability- and attack-prone components, Research paper, North Carolina State University, Raleigh, NC (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, College of Engineering Guindy Campus, Anna university, Chennai, India

    Velu Shanmughaneethi, Ra. Yagna Pravin & S. Swamynathan

Authors
  1. Velu Shanmughaneethi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ra. Yagna Pravin
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. S. Swamynathan
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Southeastern Louisiana University, 70402, Hammond, LA, USA

    David C. Wyld

  2. Chair of Systems and Computer Networks, Wroclaw University of Technology, Wybrzeze Wyspianskiego 27, 50-370, Wroclaw, Poland

    Michal Wozniak

  3. University of Calcutta, Calcutta, India

    Nabendu Chaki

  4. Jackson State University Jackson, 39217, MS, USA

    Natarajan Meghanathan

  5. Wireilla Net Solutions PTY Ltd, Melbourne, Victoria, Australia

    Dhinaharan Nagamalai

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Shanmughaneethi, V., Pravin, R.Y., Swamynathan, S. (2011). XIVD: Runtime Detection of XPath Injection Vulnerabilities in XML Databases through Aspect Oriented Programming. In: Wyld, D.C., Wozniak, M., Chaki, N., Meghanathan, N., Nagamalai, D. (eds) Advances in Computing and Information Technology. ACITY 2011. Communications in Computer and Information Science, vol 198. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22555-0_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-22555-0_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22554-3

  • Online ISBN: 978-3-642-22555-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation