SCRIPTGARD: Preventing Script Injection Attacks in Legacy Web Applications with Automatic Sanitization
نویسندگان
چکیده
The primary defense against cross site scripting attacks in web applications is the use of sanitization, the practice of filtering untrusted inputs. We analyze sanitizer use in a shipping web application with over 400,00 lines of code, one of the largest applications studied to date. Our analysis reveals two novel problems: inconsistent sanitization and inconsistent multiple sanitization. We formally define these problems and propose SCRIPTGARD: a system for preventing such problems automatically matching the correct sanitizer with the correct browser context. While command injection techniques are the subject of intense prior research, none of the previous approaches consider both server and browser context, none of them achieve the same degree of precision, and many other mitigation techniques require major changes to server side code. Our approach, in contrast, can be incrementally retrofitted to legacy systems. We show how to provide an aid to testers during development. Finally we sketch how SCRIPTGARD can be used as a runtime mitigation technique.
منابع مشابه
Preventing SQL Injection through Automatic Query Sanitization with ASSIST
Web applications are becoming an essential part of our everyday lives. Many of our activities are dependent on the functionality and security of these applications. As the scale of these applications grows, injection vulnerabilities such as SQL injection are major security challenges for developers today. This paper presents the technique of automatic query sanitization to automatically remove ...
متن کاملWeb Security by Preventing SQL Injection Using Encryption in Stored Procedures
SQL Injection attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. SQL Injection attacks can be easily prevented by applying more secure authentication schemes in login phase itself. In this paper we are going to prevent SQLIA (SQL Injection Attacks) by using encryption in Stored Pr...
متن کاملInput Validation Vulnerabilities (SQLIA) and Defenses in Web Applications Security
-The internet has evolved into a critical delivery pipeline for institutions to interact with Customers, partners and employees. Peoples use web sites to send and receive Information via Hypertext Markup Language (HTML) messages to web applications reside on web servers. Generally this information, expected as legitimate messages, can be used illegitimately by the unauthorized persons to compro...
متن کاملIntrusion Protection against SQL Injection and Cross Site Scripting Attacks Using a Reverse Proxy
SQL Injection attacks and Cross-Site Scripting attacks are the two most common attacks on web application. Proposed method is a new policy based Proxy Agent, which classifies the request as a scripted request, or query based request, and then, detects the respective type of attack, if any in the request. This method detects both SQL injection attack as well as the Cross-Site Scripting attacks. ...
متن کاملStructural Learning of Attack Vectors for Generating Mutated XSS Attacks
Web applications suffer from cross-site scripting (XSS) attacks that resulting from incomplete or incorrect input sanitization. Learning the structure of attack vectors could enrich the variety of manifestations in generated XSS attacks. In this study, we focus on generating more threatening XSS attacks for the state-of-the-art detection approaches that can find potential XSS vulnerabilities in...
متن کامل