Fortifying Applications Against XPath Injection Attacks
Authors
Abstract
Code injection derives from a software vulnerability that allows a malicious user to inject custom code into the server engine. In recent years, there have been a great number of such exploits targeting web applications. In this paper we propose an approach that prevents a specific kind of code injection attack, known as XPath injection, in a novel way. To detect an attack, our scheme uses location-specific identifiers to validate the executable XPath code. These identifiers represent all the unique fragments of this code along with their call sites within the application.
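The following is an added illustration of the idea the abstract sketches, not the paper's own code: each call site that builds an XPath expression registers the structural shape of its legitimate query once, with placeholder data; at run time the concrete expression, with user input already concatenated in, is reduced to the same shape and compared. Any input that breaks out of a literal adds or changes tokens and is rejected. The tokenizer (a simplified XPath 1.0 lexicon), the `fingerprint`/`XPathGuard` API, the call-site identifier format and the login query are all assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

# Simplified XPath 1.0 lexicon (an assumption of this example). Alternation
# order matters: string literals are matched first, so quote characters that
# stay inside a literal never reach the structural rules below.
_TOKEN_RE = re.compile(
    r"""
    (?P<STR>'[^']*'|"[^"]*")                  # string literal  -> STR
  | (?P<NUM>\d+(?:\.\d+)?)                    # numeric literal -> NUM
  | (?P<NAME>[A-Za-z_][\w.\-]*)               # names, axes, functions, and/or
  | (?P<OP>//|::|\.\.|!=|<=|>=|[/@\[\]()=<>|+\-*,.])
  | (?P<WS>\s+)
  | (?P<BAD>.)                                # anything else is not accepted
    """,
    re.VERBOSE,
)


def fingerprint(xpath: str) -> Tuple[str, ...]:
    """Reduce an XPath expression to its structural token sequence.

    Literal values collapse to STR / NUM, so two queries that differ only in
    the data they carry share a fingerprint, while a query whose user input
    broke out of a literal gains extra tokens and does not.
    """
    tokens = []
    for m in _TOKEN_RE.finditer(xpath):
        kind = m.lastgroup
        if kind == "WS":
            continue
        if kind == "BAD":
            raise ValueError(f"unexpected character {m.group()!r} in XPath")
        tokens.append(kind if kind in ("STR", "NUM") else m.group())
    return tuple(tokens)


class XPathGuard:
    """Registry mapping a call-site identifier to its legitimate query shape."""

    def __init__(self) -> None:
        self._expected: Dict[str, Tuple[str, ...]] = {}

    def register(self, site: str, template_query: str) -> None:
        """Record the shape of the query built at `site`, using benign sample values."""
        self._expected[site] = fingerprint(template_query)

    def check(self, site: str, query: str) -> bool:
        """True iff `query` has exactly the shape registered for `site`."""
        expected = self._expected.get(site)
        if expected is None:
            raise KeyError(f"call site {site!r} has no registered query shape")
        try:
            return fingerprint(query) == expected
        except ValueError:
            return False  # characters outside the lexicon: treat as an attack


# --- application side (hypothetical login lookup) ---------------------------

SITE_LOGIN = "auth.py:lookup_role"  # assumed call-site identifier (file:function)


def build_login_query(user: str, password: str) -> str:
    """Vulnerable construction: untrusted values concatenated into the expression."""
    return f"//user[name='{user}' and password='{password}']/role"


guard = XPathGuard()
# Registration happens once, with placeholder data (e.g. at start-up or build time).
guard.register(SITE_LOGIN, build_login_query("sample-user", "sample-pass"))


def lookup_role(user: str, password: str) -> Optional[str]:
    """Return the query that would be executed, or None if its shape was altered.

    A real application would hand the accepted query to its XPath engine here;
    this example stops at the validation decision.
    """
    query = build_login_query(user, password)
    if not guard.check(SITE_LOGIN, query):
        return None
    return query


if __name__ == "__main__":
    print(lookup_role("alice", "s3cret"))        # accepted, shape unchanged
    print(lookup_role("alice", "' or '1'='1"))   # None: extra or/STR/= tokens
    print(lookup_role("' or 1=1 or ''='", "x"))  # None: extra tokens
```

Two caveats worth noting. First, the check is structural, so a legitimate value containing an unescaped apostrophe (`o'brien`) also changes the shape and is rejected; the application must encode such characters before concatenation or, better, pass values as XPath variables through an engine that supports them, leaving this validation as defense in depth. Second, the registry only protects call sites that were registered; an unregistered site raises rather than silently passing, which is the safer failure mode.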
Similar resources
Countering Code Injection Attacks: A Unified Approach
Code injection exploits a software vulnerability through which a malicious user can make an application run unauthorized code. Server applications frequently employ dynamic and domain-specific languages, which are used as vectors for the attack. We propose a generic approach that prevents the class of injection attacks involving these vectors: our scheme detects attacks by using location-specif...
Protecting Database Centric Web Services against SQL/XPath Injection Attacks
Web services represent a powerful interface for backend database systems and are increasingly being used in business critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been propos...
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
Generally, most Web applications use relational databases to store and retrieve information. But with the growing acceptance of XML technologies for documents, it is logical that security should be integrated with XML solutions. In a web application, improper user input is a main cause of a wide variety of attacks. The XML Path or XPath language is used for querying information from the nodes of an...
Blind XPath Injection
This paper describes a Blind XPath Injection attack that enables an attacker to extract a complete XML document used for XPath querying without prior knowledge of the XPath query. The attack is “complete” since all possible data is exposed. The attack makes use of two techniques – XPath crawling, and Booleanization of XPath queries. Using this attack, it is possible to get hold of the XML “data...
An Approach to Detect and Prevent SQL Injection Attacks in Database Using Web Service
SQL injection is an attack methodology that targets the data residing in a database through the firewall that shields it. The attack takes advantage of poor input validation in code and website administration. SQL Injection Attacks occur when an attacker is able to insert a series of SQL statements into a 'query' by manipulating user input data into a web-based application; the attacker can take ...
Journal title:
Volume Issue
Pages -
Publication date 2009