Preventing web application injections with complementary character coding

Raymond Mui, Phyllis Frankl

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Web application injection attacks, such as SQL injection and cross-site scripting (XSS), are major threats to the security of the Internet. Several recent research efforts have investigated the use of dynamic tainting to mitigate these threats. This paper presents complementary character coding, a new approach to character-level dynamic tainting which allows efficient and precise taint propagation across the boundaries of server components, and also between servers and clients over HTTP. In this approach, each character has two encodings, which can be used to distinguish trusted and untrusted data. Small modifications to the lexical analyzers in components, such as the application code interpreter, the database management system, and (optionally) the web browser, allow them to become complement-aware components, capable of using this alternative character coding scheme to enforce security policies aimed at preventing injection attacks, while continuing to function normally in other respects. This approach overcomes some weaknesses of previous dynamic tainting approaches. Notably, it offers a precise protection against persistent cross-site scripting attacks, as taint information is maintained when data is passed to a database and later retrieved by the application program. A prototype implementation with LAMP and Firefox is described. An empirical evaluation shows that the technique is effective on a group of vulnerable benchmarks and has low overhead.
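
A minimal sketch of the idea in the abstract, added here as an illustration and not taken from the paper or its LAMP/Firefox prototype: untrusted input is carried in a second encoding of each character, and a complement-aware SQL lexer refuses to build keywords, identifiers or operators out of it. The `0x80` complement bit, the lexer policy, the sample queries and all function names are assumptions.

```python
# Toy model of complementary character coding (constructed example).
# Assumption: an untrusted ASCII character is its code point with bit 0x80
# set; the paper's actual encoding is not given on this page.
COMP = 0x80

def taint(s):   # re-encode untrusted input into the complement character set
    return "".join(chr(ord(c) | COMP) for c in s)

def plain(s):   # value view: both encodings of a character compare equal
    return "".join(chr(ord(c) & ~COMP) for c in s)

def is_tainted(c):
    return bool(ord(c) & COMP)

def _kind(c):
    p = plain(c)
    if p.isspace() or p.isdigit():
        return "space" if p.isspace() else "number"
    return "word" if p.isalpha() or p == "_" else "symbol"

def lex_sql(query):
    # Assumed policy: untrusted characters may appear only in string and
    # numeric literals; only a trusted quote opens or closes a string.
    tokens, i, n = [], 0, len(query)
    while i < n:
        kind = _kind(query[i])
        if query[i] == "'":                      # trusted quote
            j = query.find("'", i + 1)           # next trusted quote
            if j < 0:
                raise ValueError("unterminated string literal")
            tokens.append(("string", plain(query[i + 1:j])))
            i = j + 1
        elif kind == "space":
            i += 1
        else:
            follow = {"word": ("word", "number"), "number": ("number",)}.get(kind, ())
            j = i + 1
            while j < n and _kind(query[j]) in follow:
                j += 1
            text = query[i:j]
            if kind != "number" and any(map(is_tainted, text)):
                raise ValueError(f"untrusted characters in SQL {kind}: {plain(text)!r}")
            tokens.append((kind, plain(text)))
            i = j
    return tokens

def build_query(user_input, quoted=True):   # developer text plain, input complemented
    where = "name = '{}'" if quoted else "id = {}"
    return "SELECT * FROM users WHERE " + where.format(taint(user_input))
```

Because the taint lives in the character encoding itself, a quote supplied by the user never terminates the literal, and the marking is still present if the string is written to storage and read back later.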

    Original language: English (US)
    Title of host publication: Computer Security, ESORICS 2011 - 16th European Symposium on Research in Computer Security, Proceedings
    Pages: 80-99
    Number of pages: 20
    Volume: 6879 LNCS
    DOIs: https://doi.org/10.1007/978-3-642-23822-2_5
    State: Published - 2011
    Event: 16th European Symposium on Research in Computer Security, ESORICS 2011 - Leuven, Belgium
    Duration: Sep 12 2011 - Sep 14 2011

    Publication series

    Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume: 6879 LNCS
    ISSN (Print): 03029743
    ISSN (Electronic): 16113349



    ASJC Scopus subject areas

    • Computer Science (all)
    • Theoretical Computer Science

    Cite this

    Mui, R., & Frankl, P. (2011). Preventing web application injections with complementary character coding. In Computer Security, ESORICS 2011 - 16th European Symposium on Research in Computer Security, Proceedings (Vol. 6879 LNCS, pp. 80-99). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6879 LNCS). https://doi.org/10.1007/978-3-642-23822-2_5

    @inproceedings{bfa6ccedddc54aa19b8410acef665ca3,
    title = "Preventing web application injections with complementary character coding",
    author = "Raymond Mui and Phyllis Frankl",
    year = "2011",
    doi = "10.1007/978-3-642-23822-2_5",
    language = "English (US)",
    isbn = "9783642238215",
    volume = "6879 LNCS",
    series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
    pages = "80--99",
    booktitle = "Computer Security, ESORICS 2011 - 16th European Symposium on Research in Computer Security, Proceedings",

    }
