A deliberately insecure RDF-based Semantic Web application framework for teaching SPARQL/SPARUL injection attacks and defense mechanisms

SemWebGoat is a deliberately insecure learning framework for software developers. This work provides an analysis and categorization of SPARQL and SPARUL injection attacks. This research contributes interactive lessons to teach good programming practices and defensive techniques. Developers are mostly unaware of vulnerabilities in RDF-based web applications.

The Semantic Web uses the Resource Description Framework (RDF) and the Simple Protocol and Query/Update Languages (SPARQL/SPARUL) as standardized logical data representation and manipulation models allowing machines to directly interpret data on the Web. As Semantic Web applications grow increasingly popular, new and challenging security threats emerge. Semantic query languages, owing to their flexible nature, introduce new vulnerabilities if secure programming practices are not followed. This makes them prone both to existing attacks such as command injection and to novel attacks, making it necessary for application developers to understand the security risks involved when developing and deploying semantic applications. In this research, we have analyzed and categorized the possible SPARQL/SPARUL injection attacks to which semantic applications are vulnerable. Moreover, we have developed a deliberately insecure RDF-based Semantic Web application, called SemWebGoat - inspired by the open source vulnerable web application, WebGoat - which offers a realistic teaching and learning environment for exploiting SPARQL/SPARUL oriented injection vulnerabilities. With the aim of teaching both developers and web administrators the art of protecting their Semantic Web applications, we have implemented web application firewall (WAF) rules using the popular open-source firewall - ModSecurity - and extended some penetration testing tools to detect and mitigate SPARQL/SPARUL injections.
For the evaluation, we conducted a user study to determine the usability of the SemWebGoat attack lessons, as well as a detection rate and false alarm analysis of our proposed firewall rules based on the OWASP top-ten attack dataset. The results of the user study conclude that web developers are not normally familiar with the injection vulnerabilities demonstrated. The positive test results of our ModSecurity rule set show that it is a suitable defense mechanism for protecting vulnerable Semantic Web applications against injection attacks.
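The secure programming practice the abstract refers to, as an added illustration that is not part of the paper or of SemWebGoat itself: untrusted input is rendered as exactly one SPARQL string literal or one IRI, and a check confirms that the generated query keeps the literal boundaries the developer wrote. The escape table and IRI character class follow the SPARQL 1.1 grammar; the foaf:name query shape and the sample inputs are constructed for this example.

```python
import re

# SPARQL 1.1 grammar: ECHAR ::= '\' [tbnrf\"'] is the only way a quote or
# backslash may appear inside a string literal, so every such character in
# user input is escaped and the input can never terminate the literal.
_ECHAR = {"\\": "\\\\", '"': '\\"', "'": "\\'", "\n": "\\n", "\r": "\\r",
          "\t": "\\t", "\b": "\\b", "\f": "\\f"}

# IRIREF ::= '<' ([^<>"{}|^`\] - [#x00-#x20])* '>' : anything outside this
# class (including '>' and whitespace) could end the IRI early, so reject it.
_IRI_BODY = re.compile(r'[^<>"{}|^`\\\x00-\x20]+')


def sparql_string(value: str) -> str:
    """Render user input as a single SPARQL string literal (with quotes)."""
    return '"' + "".join(_ECHAR.get(c, c) for c in value) + '"'


def is_valid_iri(value: str) -> bool:
    """True only if the whole value is a legal IRIREF body."""
    return _IRI_BODY.fullmatch(value) is not None


def sparql_iri(value: str) -> str:
    """Render user input as a SPARQL IRI, refusing anything that is not one."""
    if not is_valid_iri(value):
        raise ValueError("not a valid IRI reference")
    return "<" + value + ">"


def build_unsafe(name: str) -> str:
    # Vulnerable pattern: untrusted input pasted straight into the query text.
    return 'SELECT ?p WHERE { ?p foaf:name "' + name + '" }'


def build_safe(name: str) -> str:
    # Hardened pattern: the same query, input confined to one literal.
    return "SELECT ?p WHERE { ?p foaf:name " + sparql_string(name) + " }"


def unescaped_quotes(query: str) -> int:
    """Count literal-delimiting quotes; this query must always have exactly 2."""
    count, i = 0, 0
    while i < len(query):
        if query[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if query[i] == '"':
            count += 1
        i += 1
    return count
```

An input as ordinary as a surname containing a quote already changes the literal structure of the unsafe query, which is the condition a WAF rule or a unit test can check for before the query reaches the triple store.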
