Securing web applications from injection and logic vulnerabilities: Approaches and challenges

Context: Web applications are trusted by billions of users for day-to-day activities. The accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A single implementation flaw in an application can allow an attacker to steal sensitive information and perform adversarial actions, so securing web applications against attacks is important. Defensive mechanisms for protecting web applications from such flaws have received attention from both academia and industry.

Objective: The objective of this literature review is to summarize the current state of the art for securing web applications from major flaws such as injection and logic flaws. Although many kinds of injection flaws exist, the scope is restricted to SQL Injection (SQLI) and Cross-site Scripting (XSS), since different security consortiums rate them as the topmost threats.

Method: Recently published relevant articles are identified from well-known digital libraries, and a total of 86 primary studies are considered. In total, 17 articles related to SQLI, 35 related to XSS and 34 related to logic flaws are discussed.

Results: The articles are categorized by the phase of the software development life cycle in which the defense mechanism is put into place. Most of the articles focus on detecting the flaws and preventing attacks against web applications.

Conclusion: Even though various approaches are available for securing web applications from SQLI and XSS, these flaws remain prevalent because of their impact and severity. Logic flaws are gaining the attention of researchers because they violate the business specifications of applications. There is no single solution that mitigates all the flaws. More research is needed on fixing flaws in the source code of applications.
