The Code Sanitizer: Regular Expression Based Prevention of Content Injection Attacks
Sandeep D Sukhdeve, Prof.(Mrs) Hemlata Channe "The Code Sanitizer: Regular Expression Based Prevention of Content Injection Attacks". International Journal of Computer Trends and Technology (IJCTT) V35(1):21-28, May 2016. ISSN:2231-2803. www.ijcttjournal.org. Published by Seventh Sense Research Group.
Abstract -
We are increasingly relying on the web and performing important transactions online through it. The impact and number of security vulnerabilities in such applications have increased in recent years. Regular expressions have become a common way to ensure that only trusted application code is executed. However, their effectiveness in protecting client-side web application code has not yet been established. In this paper, we study the efficacy of a regular expression based approach for preventing script injection attacks. The paper proposes an efficient use of regular expressions to identify malicious payload contents and analyzes the important aspects of content injection attacks. The goals of this research work are two-fold: i) to propose an efficient way to identify content injection attacks (XSS and SQL injection) using regular expressions, and ii) to present a Nondeterministic Finite Automata (NFA) based approach to detect content injection attacks. Our evaluation on Alexa's top 500 sites and on the popular PHP application phpBB shows that the proposed approach is effective at preventing content injection attacks on the input fields available on those websites. The proposed approach incurs an average performance overhead of 1.02%.
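The following is an added illustration of the kind of regular expression based input filter the abstract describes; it is not the paper's own rule set or code. The patterns, the `Classify` function and the sample field values are assumptions constructed for this example, and Go's `regexp` package is used because it is an RE2/NFA engine whose matching time is linear in the input, the property an NFA based filter relies on to keep per-request overhead bounded.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Illustrative rule set (an assumption of this example; the paper's own rules
// are not reproduced on the page). Go's regexp is an RE2/NFA engine, so every
// match runs in time linear in the input: no catastrophic backtracking, which
// matters when untrusted input is fed through a filter on every request.
var xssRules = regexp.MustCompile(
	`(?i)(<\s*script\b|</\s*script\s*>|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b)`)
var sqliRules = regexp.MustCompile(
	`(?i)('\s*(or|and)\s+[\w']+\s*=\s*[\w']+|'\s*(--|#|/\*)|;\s*(drop|delete|insert|update)\b|\bunion\s+(all\s+)?select\b)`)

// Verdict is the filter's result for one input field value.
type Verdict struct {
	Kind  string // "xss", "sqli", or "" when no rule fired
	Match string // the substring that triggered the rule
}

// normalize percent-decodes the value a bounded number of times so that an
// encoded payload is judged by the same rules as a plain one. Undecodable
// input is kept as-is rather than rejected outright.
func normalize(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.QueryUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// Classify applies the XSS rules first, then the SQL injection rules.
func Classify(value string) Verdict {
	v := normalize(value)
	if m := xssRules.FindString(v); m != "" {
		return Verdict{Kind: "xss", Match: m}
	}
	if m := sqliRules.FindString(v); m != "" {
		return Verdict{Kind: "sqli", Match: m}
	}
	return Verdict{}
}

func main() {
	// Constructed sample field values, not data from the paper's evaluation.
	for _, s := range []string{"O'Neil", "%3Cscript%3Ealert(1)%3C/script%3E", "admin' OR '1'='1"} {
		fmt.Printf("%-40q -> %+v\n", s, Classify(s))
	}
}
```

A legitimate apostrophe such as the one in "O'Neil" passes because the SQL rules require the quote to be followed by a boolean tautology or a comment starter, which is the precision question any regex based filter has to answer before deployment.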
Keywords
Regular expression, Content Injection, Cross-site scripting, SQL injection, injection attacks.