Preventing input validation vulnerabilities in web applications through automated type analysis

Scholte, Theodoor; Robertson, William; Balzarotti, Davide; Kirda, Engin
COMPSAC 2012, 36th Annual IEEE Computer Software and Applications Conference, July 16-20, 2012, Izmir, Turkey

Web applications have become an integral part of the daily lives of millions of users. Unfortunately, web applications are also frequently targeted by attackers, and critical vulnerabilities such as cross-site scripting and SQL injection are still common. As a consequence, much effort in the past decade has been spent on mitigating web application vulnerabilities. Current techniques focus mainly on sanitization: either on automated sanitization, the detection of missing sanitizers, the correctness of sanitizers, or the correct placement of sanitizers. However, these techniques are either not able to prevent new forms of input validation vulnerabilities such as HTTP Parameter Pollution, come with large runtime overhead, lack precision, or require significant modifications to the client and/or server infrastructure. In this paper, we present IPAAS, a novel technique for preventing the exploitation of cross-site scripting and SQL injection vulnerabilities based on automated data type detection of input parameters. IPAAS automatically and transparently augments otherwise insecure web application development environments with input validators that result in significant and tangible security improvements for real systems. We implemented IPAAS for PHP and evaluated it on five real-world web applications with known cross-site scripting and SQL injection vulnerabilities. Our evaluation demonstrates that IPAAS would have prevented 83% of SQL injection vulnerabilities and 65% of cross-site scripting vulnerabilities while incurring no developer burden.

Digital Security
Eurecom Ref:
© 2012 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.