A Metamodel for Web Application Injection Attacks and Countermeasures

Web application injection attacks such as cross-site scripting and SQL injection are common and problematic for enterprises. In order to defend against them, practitioners with large, heterogeneous system architectures and limited resources struggle to understand how effective different countermeasures are under various conditions. This paper presents an enterprise architecture metamodel intended for enterprise decision makers who must choose between countermeasures for web application injection attacks. The scope of the model is to provide low-effort guidance at an abstraction level useful to an enterprise decision maker. The metamodel is based on a literature review and was revised according to the judgment of six domain experts identified through peer review.
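As an added illustration of the two attack classes the abstract names, and of the countermeasure class the paper's sources most often evaluate for them (parameterized queries for SQL injection, output encoding for cross-site scripting), here is a self-contained Python example. It is not code from the paper; the users table, the login and comment-rendering functions, and the injection payloads are constructed here for demonstration. Each vulnerable function is shown beside its hardened form so the effect of the countermeasure can be observed directly.

```python
import html
import sqlite3


def _setup():
    """Constructed sample data (not from the paper): a minimal in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: attacker-controlled text is spliced into the SQL grammar.

    A password of  ' OR '1'='1  turns the WHERE clause into
    (username = 'x' AND password = '') OR '1'='1', which matches every row.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s' "
        "ORDER BY id" % (username, password)
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_parameterized(conn, username, password):
    """Countermeasure: bind values after parsing, so they cannot alter query structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def render_comment_vulnerable(comment):
    """Stored/reflected XSS: user text is emitted into HTML unchanged."""
    return "<p>%s</p>" % comment


def render_comment_escaped(comment):
    """Countermeasure: HTML-encode the untrusted text for the HTML body context."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


def demo():
    """Run both attack classes against the vulnerable and hardened variants."""
    conn = _setup()
    sqli_payload = "' OR '1'='1"
    xss_payload = "<script>alert(1)</script>"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, "x", sqli_payload),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "attack_parameterized": login_parameterized(conn, "x", sqli_payload),
        "xss_vulnerable": render_comment_vulnerable(xss_payload),
        "xss_escaped": render_comment_escaped(xss_payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %r" % (name, value))
```

Running the block shows the vulnerable login returning every user for the injected password while the parameterized version returns nothing, and the escaped renderer emitting `&lt;script&gt;` where the vulnerable one emits a live script tag. Note that the encoding countermeasure is context-specific: `html.escape` is correct for an HTML body or attribute value, but untrusted data placed into JavaScript, a URL or CSS needs the encoder for that context.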
