Multi-module vulnerability analysis of web-based applications

In recent years, web applications have become tremendously popular, and nowadays they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. Current approaches to securing web applications focus either on detecting and blocking web-based attacks using application-level firewalls, or on using vulnerability analysis techniques to identify security problems before deployment. The vulnerability analysis of web applications is made difficult by a number of factors, such as the use of scripting languages, the structuring of the application logic into separate pages and code modules, and the interaction with back-end databases. So far, approaches to web application vulnerability analysis have focused on single application modules to identify insecure uses of information provided as input to the application. Unfortunately, these approaches are limited in scope, and, therefore, they cannot detect multi-step attacks that exploit the interaction among multiple modules of an application. We have developed a novel vulnerability analysis approach that characterizes both the extended state and the intended workflow of a web application. By doing this, our analysis approach is able to take into account inter-module relationships as well as the interaction of an application's modules with back-end databases. As a result, our vulnerability analysis technique is able to identify sophisticated multi-step attacks against the application's workflow that were not addressed by previous approaches. We implemented our technique in a prototype tool, called MiMoSA, and tested it on several applications, identifying both known and new vulnerabilities.

[1]  Chris Anley,et al.  Advanced SQL Injection In SQL Server Applications , 2002 .

[2]  Christopher Krügel,et al.  Precise alias analysis for static detection of web application vulnerabilities , 2006, PLAS '06.

[3]  Christopher Krügel,et al.  Preventing Cross Site Request Forgery Attacks , 2006, 2006 Securecomm and Workshops.

[4]  Richard Sharp,et al.  Abstracting application-level web security , 2002, WWW.

[5]  Marc Dacier,et al.  A Lightweight Tool for Detecting Web Server Attacks , 2000, NDSS.

[6]  Christopher Krügel,et al.  Noxes: a client-side solution for mitigating cross-site scripting attacks , 2006, SAC '06.

[7]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[8]  Christopher Krügel,et al.  Anomaly detection of web-based attacks , 2003, CCS '03.

[9]  Michael Franz,et al.  Dynamic taint propagation for Java , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[10]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[11]  Amit Klein,et al.  Cross Site Scripting Explained , 2002 .

[12]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[13]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[14]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[15]  Giovanni Vigna,et al.  A stateful intrusion detection system for World-Wide Web servers , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[16]  Tadeusz Pietraszek,et al.  Defending Against Injection Attacks Through Context-Sensitive String Evaluation , 2005, RAID.

[17]  Alexander Aiken,et al.  Static Detection of Security Vulnerabilities in Scripting Languages , 2006, USENIX Security Symposium.

[18]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[19]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.