Abstract
Injection vulnerabilities are still prevalent today, ranking first on the OWASP top ten threats to software security. Developers often struggle to adopt secure coding practices during the software development life cycle, and so fail to prevent these vulnerabilities. This paper addresses the problem of modular input validation for web applications as a countermeasure to several kinds of code injection attacks. The solution relies on annotations that enrich the metadata describing the application's input parameters. This information is then used to automatically insert validation code into the target application by means of aspect-oriented programming. Our approach mitigates risks while keeping security functionality separate from the application logic.
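The following listing is an added illustration of the mechanism the abstract describes; it is not the paper's implementation. A parameter annotation carries the validation metadata, the application method declares only that metadata, and an AspectJ aspect inserts the actual check before the method body runs. The package name, the `@Input` annotation, the `AccountAction` class and the exception type are hypothetical choices made for this example, and the listing assumes the AspectJ runtime and weaver are on the build path.

```java
// Added illustration, not the paper's implementation. Package, annotation and
// class names (com.example, @Input, AccountAction) are hypothetical.
// Shown as one listing; in a real project each top-level type is its own file
// and the aspect is woven with the AspectJ compiler or load-time weaver.
package com.example.validation;

import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.regex.Pattern;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.reflect.MethodSignature;

/** Metadata attached to an input parameter: a whitelist pattern and a size bound. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.PARAMETER)
@interface Input {
    /** Regular expression the whole raw value must match (positive validation). */
    String pattern();
    /** Upper bound on the value's length, checked before the regex runs. */
    int maxLength() default 256;
}

/** Raised by the aspect; the web layer maps it to a client-error response. */
class InvalidInputException extends RuntimeException {
    InvalidInputException(String message) { super(message); }
}

/** Application logic carries only the metadata, no validation code of its own. */
class AccountAction {
    public String lookup(@Input(pattern = "[A-Za-z0-9_]{1,32}") String username,
                         @Input(pattern = "[0-9]{1,10}") String accountId) {
        // Business logic (a parameterised query, a template render, ...) goes here.
        return "lookup " + username + "/" + accountId;
    }
}

/** Cross-cutting validation, woven in before any method that declares an @Input parameter. */
@Aspect
class InputValidationAspect {

    // AspectJ 5 parameter-annotation pattern: any public method in the
    // application packages with an @Input parameter at any position.
    @Before("execution(public * com.example..*.*(.., @Input (*), ..))")
    public void validateInputs(JoinPoint joinPoint) {
        MethodSignature signature = (MethodSignature) joinPoint.getSignature();
        Method method = signature.getMethod();
        Annotation[][] parameterAnnotations = method.getParameterAnnotations();
        Object[] arguments = joinPoint.getArgs();

        for (int i = 0; i < arguments.length; i++) {
            for (Annotation annotation : parameterAnnotations[i]) {
                if (annotation instanceof Input) {
                    check((Input) annotation, method.getName() + "#" + i, arguments[i]);
                }
            }
        }
    }

    private static void check(Input spec, String where, Object value) {
        if (value == null) {
            throw new InvalidInputException(where + ": value is required");
        }
        String text = value.toString();
        if (text.length() > spec.maxLength()) {
            throw new InvalidInputException(where + ": exceeds " + spec.maxLength() + " characters");
        }
        // Pattern.matches anchors at both ends, so a partial match is rejected.
        if (!Pattern.matches(spec.pattern(), text)) {
            throw new InvalidInputException(where + ": does not match the allowed format");
        }
    }
}
```

Once woven, a call such as `new AccountAction().lookup("bob", "42")` reaches the method body, whereas a username containing a character outside the whitelist (a quote or semicolon, for instance) raises `InvalidInputException` before any application code executes. The validation policy lives entirely in the annotations and the aspect, so changing or auditing it never requires touching the action classes, which is the separation of concerns the abstract argues for.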
© 2014 Springer-Verlag Berlin Heidelberg
Cite this paper
Serme, G., Scholte, T., de Oliveira, A.S. (2014). Enforcing Input Validation through Aspect Oriented Programming. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2013 2013. Lecture Notes in Computer Science(), vol 8247. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54568-9_20
DOI: https://doi.org/10.1007/978-3-642-54568-9_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54567-2
Online ISBN: 978-3-642-54568-9
eBook Packages: Computer Science (R0)