Defending Against Web Application Attacks: Approaches, Challenges and Implications

Some of the most dangerous web attacks, such as Cross-Site Scripting and SQL injection, exploit vulnerabilities in web applications that accept and process data of uncertain origin without proper validation or filtering, allowing the injection and execution of dynamic or domain-specific language code. These attacks have constantly topped the lists of various security bulletin providers despite the numerous countermeasures that have been proposed over the past 15 years. In this paper, we provide an analysis of various defense mechanisms against web code injection attacks. We propose a model that highlights the key weaknesses enabling these attacks and that provides a common perspective for studying the available defenses. We then categorize and analyze a set of 41 previously proposed defenses based on their accuracy, performance, deployment, security, and availability characteristics. Detection accuracy is of particular importance, as our findings show that many defense mechanisms have been tested poorly. In addition, we observe that some mechanisms can be bypassed by attackers who know how the mechanisms work. Finally, we discuss the results of our analysis, with emphasis on factors that may hinder the widespread adoption of defenses in practice.
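As an added illustration of the weakness the abstract describes (this is example code, not material from the paper), the following Python script builds a constructed sqlite3 login table, renders the same query once by string concatenation and once by parameter binding, and adds a simple structural-signature check of the kind used to detect that input has altered a statement's structure rather than merely supplied data:

```python
import re
import sqlite3

def build_db():
    # Constructed in-memory sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

TEMPLATE = "SELECT name FROM users WHERE name = ? AND pw = ?"

def render_concat(name, pw):
    # Weak: data of uncertain origin is spliced into the statement text, so
    # the input can change the structure of the SQL (data becomes code).
    return f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"

def login_concat(conn, name, pw):
    return sorted(row[0] for row in conn.execute(render_concat(name, pw)))

def login_param(conn, name, pw):
    # Hardened: the statement structure is fixed and the driver binds the
    # values out of band, so they can only ever be compared as data.
    return sorted(row[0] for row in conn.execute(TEMPLATE, (name, pw)))

# Tokens: quoted string literal, number, word, or one punctuation character.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def skeleton(sql):
    # Structural signature of a statement: literals and bind markers collapse
    # to LIT, while keywords, identifiers and operators are kept. Statements
    # with different skeletons differ in structure, not merely in data.
    parts = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'") or tok.isdigit() or tok == "?":
            parts.append("LIT")
        else:
            parts.append(tok.upper())
    return " ".join(parts)

def structure_preserved(sql, template=TEMPLATE):
    # Detection check: flag any rendered statement whose structure departs
    # from the developer's template, i.e. where input has become code.
    return skeleton(sql) == skeleton(template)
```

With a benign password both paths return the matching user; with a password of `' OR '1'='1` the concatenated statement returns every row while the parameterized one returns none, and the skeleton comparison flags the concatenated statement as structurally altered.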
