The essence of command injection attacks in web applications

Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through a low-level API by dynamically constructing query strings within a general-purpose programming language, such as Java. This low-level interaction is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the web application to generate unintended output. This is called a command injection attack, and it poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the database query or the output document must change the intended syntactic structure of the query or document. Our definition and algorithm are general and apply to many forms of command injection attacks. We validate our approach with SqlCheck, an implementation for the setting of SQL command injection attacks. We evaluated SqlCheck on real-world web applications with systematically compiled real-world attack data as input. SqlCheck produced no false positives or false negatives, incurred low runtime overhead, and applied straightforwardly to web applications written in different languages.
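As an added illustration (not code from the paper or from SqlCheck itself), the following Python sketch implements the key observation above in a simplified, token-level form: the span each untrusted input occupies in the generated query is recorded, and the query is accepted only if every span sits entirely inside a single literal token, so the input cannot change the query's syntactic structure. SqlCheck parses the marked query against an augmented grammar rather than tokenizing; the tokenizer, templates and sample inputs here are constructed for this example.

```python
import re

# Token classes, tried in order: string literal (with '' escapes), number,
# identifier/keyword, line comment, operator/punctuation, any other character.
TOKEN = re.compile(
    r"('(?:[^']|'')*')|(\d+)|([A-Za-z_]\w*)|(--[^\n]*)|(<>|<=|>=|[=<>*,;()])|(\S)"
)
LITERAL_GROUPS = (1, 2)  # a whole string literal or a whole number

def build_query(template, *inputs):
    """Substitute each input for a '{}' in the template and record the
    [start, end) character span each input occupies in the final query
    (the role SqlCheck's delimiter marks play around untrusted substrings)."""
    parts = template.split("{}")
    assert len(parts) == len(inputs) + 1, "need exactly one {} per input"
    query, spans = parts[0], []
    for value, part in zip(inputs, parts[1:]):
        spans.append((len(query), len(query) + len(value)))
        query += value + part
    return query, spans

def tokenize(query):
    """Return (token_class, start, end) triples; whitespace is skipped."""
    return [(m.lastindex, m.start(), m.end()) for m in TOKEN.finditer(query)]

def is_structurally_safe(query, spans):
    """True iff every input span lies inside exactly one literal token, i.e. the
    input forms a complete literal and cannot alter the query's structure."""
    tokens = tokenize(query)
    for start, end in spans:
        # tokens touching the span (an empty span counts the token around it)
        hits = [t for t in tokens if t[1] < max(end, start + 1) and t[2] > start]
        if len(hits) != 1:
            return False            # input spilled across several tokens
        cls, t_start, t_end = hits[0]
        if cls not in LITERAL_GROUPS or t_start > start or t_end < end:
            return False            # not a literal, or literal did not contain it
    return True

def check(template, *inputs):
    """Convenience wrapper: build the query and run the structural check."""
    return is_structurally_safe(*build_query(template, *inputs))

if __name__ == "__main__":
    tpl = "SELECT * FROM users WHERE name='{}'"
    print(check(tpl, "alice"))          # True: input is one string literal
    print(check(tpl, "' OR 1=1 --"))    # False: input spans several tokens
```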
