ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches

HTTP Parameter Pollution (HPP) vulnerabilities allow attackers to exploit web applications by manipulating the query parameters of the requested URLs. In this paper, we present Application Request Cache (ARC), a framework for protecting web applications against HPP exploitation. ARC hosts all benign URL schemas, which act as generators of the complete functional set of URLs that compose the application's logic. For each incoming request, ARC exports the URL, extracts the associated schema, and searches for it in the set of already known benign schemas. In case the schema is not found, the request is rejected, and the event is recorded. ARC can be transparently integrated with existing web applications without any modifications to the server and client code. It is implemented in Google's Go language and uses efficient data structures for storing the URL schemas, imposing negligible computational overhead on the web application server. When running on a 4-core Linux server, ARC can process hundreds of thousands of URL requests per second. A typical URL resolution is in the scale of microseconds.

[1]  R. Sekar An Efficient Black-box Technique for Defeating Web Application Attacks , 2009, NDSS.

[2]  Salvatore J. Stolfo,et al.  Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic , 2009, NDSS.

[3]  Peter Chapman,et al.  Automated black-box detection of side-channel vulnerabilities in web applications , 2011, CCS '11.

[4]  Samuel T. King,et al.  Trust and Protection in the Illinois Browser Operating System , 2010, OSDI.

[5]  Eugene Ciurana,et al.  Developing with Google App Engine , 2009 .

[6]  V. N. Venkatakrishnan,et al.  Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[7]  Samuel T. King,et al.  Secure Web Browsing with the OP Web Browser , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[8]  W. Marsden I and J , 2012 .

[9]  Collin Jackson,et al.  Forcehttps: protecting high-security web sites from network attacks , 2008, WWW.

[10]  Michael Hicks,et al.  Defeating script injection attacks with browser-enforced embedded policies , 2007, WWW '07.

[11]  Giovanni Vigna,et al.  Static Enforcement of Web Application Integrity Through Strong Typing , 2009, USENIX Security Symposium.

[12]  Collin Jackson,et al.  Robust defenses for cross-site request forgery , 2008, CCS.

[13]  Collin Jackson,et al.  Protecting browsers from cross-origin CSS attacks , 2010, CCS '10.

[14]  Vitaly Shmatikov,et al.  Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, Chicago, Illinois, USA, October 17-21, 2011 , 2011, CCS.

[15]  Helen J. Wang,et al.  The Multi-Principal OS Construction of the Gazelle Web Browser , 2009, USENIX Security Symposium.

[16]  Vern Paxson,et al.  Outside the Closed World: On Using Machine Learning for Network Intrusion Detection , 2010, 2010 IEEE Symposium on Security and Privacy.

[17]  Arie van Deursen,et al.  Crawling AJAX by Inferring User Interface State Changes , 2008, 2008 Eighth International Conference on Web Engineering.

[18]  Helen J. Wang,et al.  Protection and communication abstractions for web browsers in MashupOS , 2007, SOSP.

[19]  Zachary Weinberg,et al.  I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks , 2011, 2011 IEEE Symposium on Security and Privacy.

[20]  Dawn Xiaodong Song,et al.  Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense , 2009, NDSS.

[21]  Steve Hanna,et al.  FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications , 2010, NDSS.

[22]  Sriram Subramanian,et al.  Talking about tactile experiences , 2013, CHI.

[23]  Engin Kirda,et al.  Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications , 2011, NDSS.

[24]  Dawn Xiaodong Song,et al.  Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[25]  Charles Reis,et al.  Isolating web programs in modern browser architectures , 2009, EuroSys '09.

[26]  Dan Boneh,et al.  XCS: cross channel scripting and its impact on web applications , 2009, CCS.

[27]  Michael Bächle,et al.  Ruby on Rails , 2006, Softwaretechnik-Trends.

[28]  Jesse James Garrett Ajax: A New Approach to Web Applications , 2007 .

[29]  John P. Baugh Go Programming , 2010 .

[30]  Hao Chen,et al.  Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks , 2009, NDSS.

[31]  Christopher Krügel,et al.  Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks , 2006, NDSS.

[32]  Jeremiah Grossman,et al.  XSS Attacks: Cross Site Scripting Exploits and Defense , 2007 .

[33]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.