Abstract
With the growing acceptance of XML technologies for documents and protocols, it is logical that security should be integrated with XML solutions. In a web application, improperly validated user input is the root cause of a wide variety of attacks. The XML Path Language (XPath) is used to query information from the nodes of an XML document. XPath injection is an attack technique that exploits applications which construct XPath queries from user-supplied input in order to query or navigate XML documents, much as SQL injection exploits applications that build SQL queries for databases. Hence, we propose an approach to detect XPath injection attacks in XML databases at runtime through Aspect Oriented Programming (AOP). Our approach intercepts the XPath expression (i.e. the XQuery) issued by the web application through AOP and parses the expression to find the inputs that are to be placed in it. The identified inputs are used to build an XML file, which is validated against a proposed schema. The result of the validation determines the correctness of the XQuery.
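The runtime check the abstract describes (intercept the query, pull out the user-supplied inputs, wrap them in an XML document, validate that document against a schema, and only then let the XPath engine see the query) as an added Python example. This is not the paper's XIVD implementation or code from the authors: the AspectJ around-advice is stood in for by a decorator, the XSD is stood in for by a table of regex pattern facets so the example runs on the standard library alone, and the user store, the query template and every function name are constructed for illustration.

```python
"""Added example: a runtime XPath-injection check in the style of the abstract.
Not the paper's code; the AOP aspect is replaced by a decorator and the XSD by
regex pattern facets.  All names, the sample XML and the template are constructed."""
import re
import xml.etree.ElementTree as ET
from functools import wraps

# Constructed user store standing in for the XML database.
USERS_XML = """<users>
  <user id="u1"><name>alice</name><password>s3cret</password></user>
  <user id="u2"><name>admin</name><password>hunter2</password></user>
</users>"""
USERS = ET.fromstring(USERS_XML)

# The only query shape the login path is allowed to issue.  {0}/{1} are the
# input slots the interceptor expects to find filled with string literals.
LOGIN_TEMPLATE = ".//user[name='{0}'][password='{1}']"
SLOT_NAMES = ["username", "password"]

# Stand-in for the validation schema: one pattern facet per input element.
# The paper validates with an XML schema; a regex table is the simplification here.
INPUT_SCHEMA = {
    "username": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
    "password": re.compile(r"^[^'\"\[\]]{1,64}$"),
}

# XPath 1.0 string literals: single- or double-quoted, no escaping inside.
LITERAL_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def build_login_xpath(username, password):
    """The vulnerable construction: user input spliced straight into the query."""
    return LOGIN_TEMPLATE.format(username, password)


def skeleton(xpath):
    """Blank every string literal so only the query structure remains."""
    return LITERAL_RE.sub("''", xpath)


def extract_inputs(xpath):
    """Return the string literals in order; these are the inputs placed in the expression."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in LITERAL_RE.finditer(xpath)]


def inputs_as_xml(values):
    """Wrap the extracted inputs in an XML document, one element per input slot."""
    root = ET.Element("inputs")
    for name, value in zip(SLOT_NAMES, values):
        ET.SubElement(root, name).text = value
    return root


def validate_inputs(doc):
    """Check each input element against its pattern facet; return the violations."""
    problems = []
    for child in doc:
        pattern = INPUT_SCHEMA.get(child.tag)
        if pattern is None:
            problems.append(f"unexpected input element <{child.tag}>")
        elif not pattern.fullmatch(child.text or ""):
            problems.append(f"<{child.tag}> does not match its pattern")
    return problems


def check_query(xpath, template=LOGIN_TEMPLATE):
    """Return (ok, reason).  A quote inside an input changes the skeleton, so any
    attempt to break out of a literal is caught before the inputs are even validated."""
    if skeleton(xpath) != skeleton(template):
        return False, "query structure altered by input"
    values = extract_inputs(xpath)
    if len(values) != len(SLOT_NAMES):
        return False, "unexpected number of inputs"
    problems = validate_inputs(inputs_as_xml(values))
    if problems:
        return False, "; ".join(problems)
    return True, "ok"


def guard_xpath(func):
    """Around-advice stand-in: intercept the query before the engine evaluates it."""
    @wraps(func)
    def wrapper(xpath):
        ok, reason = check_query(xpath)
        if not ok:
            raise ValueError(f"XPath injection blocked: {reason}")
        return func(xpath)
    return wrapper


@guard_xpath
def run_login_query(xpath):
    """The join point: hand the validated query to the XPath engine."""
    return [u.get("id") for u in USERS.findall(xpath)]


def login(username, password):
    """Return the matching user id or None; raise ValueError when the query is blocked."""
    matches = run_login_query(build_login_xpath(username, password))
    return matches[0] if matches else None


if __name__ == "__main__":
    print(login("alice", "s3cret"))                       # u1
    print(check_query(build_login_xpath("admin' or '1'='1", "x")))
```

Two design points are worth noting. The skeleton comparison rejects any input containing a quote, including a legitimate name such as O'Brien, because XPath 1.0 literals have no escape mechanism and such a value cannot be placed in the template safely by concatenation; the application should then use a variable resolver or split the value across concatenated literals rather than weaken the check. The schema step is still needed after the structural check, since an input that keeps the query shape intact can still violate the field's own constraints (length, character set), and the paper's mechanism is precisely that per-field validation.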
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Shanmughaneethi, V., Pravin, R.Y., Swamynathan, S. (2011). XIVD: Runtime Detection of XPath Injection Vulnerabilities in XML Databases through Aspect Oriented Programming. In: Wyld, D.C., Wozniak, M., Chaki, N., Meghanathan, N., Nagamalai, D. (eds) Advances in Computing and Information Technology. ACITY 2011. Communications in Computer and Information Science, vol 198. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22555-0_21
DOI: https://doi.org/10.1007/978-3-642-22555-0_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22554-3
Online ISBN: 978-3-642-22555-0