Publication


Featured research published by Prithvi Bisht.


international conference on detection of intrusions and malware and vulnerability assessment | 2008

XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks

Prithvi Bisht; V. N. Venkatakrishnan

This paper focuses on defense mechanisms for cross-site scripting attacks, the top threat on web applications today. It is believed that input validation (or filtering) can effectively prevent XSS attacks on the server side. In this paper, we discuss several recent real-world XSS attacks and analyze the reasons for the failure of filtering mechanisms in defending against these attacks. We conclude that while filtering is useful as a first level of defense against XSS attacks, it is ineffective in preventing several instances of attack, especially when user input includes content-rich HTML. We then propose XSS-Guard, a new framework that is designed to be a prevention mechanism against XSS attacks on the server side. XSS-Guard works by dynamically learning the set of scripts that a web application intends to create for any HTML request. Our approach also includes a robust mechanism for identifying scripts at the server side and removes any script in the output that is not intended by the web application. We discuss extensive experimental results that demonstrate the resilience of XSS-Guard in preventing a number of real-world XSS exploits.


computer and communications security | 2007

CANDID: preventing sql injection attacks using dynamic candidate evaluations

Sruthi Bandhakavi; Prithvi Bisht; P. Madhusudan; V. N. Venkatakrishnan

SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called CANDID, for mining programmer-intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID, that retrofits Web applications written in Java to defend them against SQL injection attacks. We report extensive experimental results that show that our approach performs remarkably well in practice.


ACM Transactions on Information and System Security | 2010

CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks

Prithvi Bisht; P. Madhusudan; V. N. Venkatakrishnan

SQL injection attacks are one of the top-most threats for applications written for the Web. These attacks are launched through specially crafted user inputs, on Web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming Web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called Candid, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called Candid that retrofits Web applications written in Java to defend them against SQL injection attacks. We have also implemented Candid by modifying a Java Virtual Machine, which safeguards applications without requiring retrofitting. We report extensive experimental results that show that our approach performs remarkably well in practice.


computer and communications security | 2011

WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction

Prithvi Bisht; Timothy L. Hinrichs; V. N. Venkatakrishnan

Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we describe WAPTEC, a tool that is designed to automatically identify parameter tampering vulnerabilities and generate exploits by construction to demonstrate those vulnerabilities. WAPTEC involves a new approach to whitebox analysis of the server's code. We tested WAPTEC on six open source applications and found previously unknown vulnerabilities in every single one of them.


financial cryptography | 2010

Automatically preparing safe SQL queries

Prithvi Bisht; A. Prasad Sistla; V. N. Venkatakrishnan

We present the first sound program source transformation approach for automatically transforming the code of a legacy web application to employ PREPARE statements in place of unsafe SQL queries. Our approach therefore opens the way for eradicating the SQL injection threat vector from legacy web applications.


conference on data and application security and privacy | 2013

TamperProof: a server-agnostic defense for parameter tampering attacks on web applications

Prithvi Bisht; Timothy L. Hinrichs; V. N. Venkatakrishnan; Lenore D. Zuck

Parameter tampering attacks are dangerous to a web application whose server performs weaker data sanitization than its client. This paper presents TamperProof, a methodology and tool that offers a novel and efficient mechanism to protect Web applications from parameter tampering attacks. TamperProof is an online defense deployed in a trusted environment between the client and server and requires no access to, or knowledge of, the server-side codebase, making it effective for both new and legacy applications. The paper reports on experiments that demonstrate TamperProof's power in efficiently preventing all known parameter tampering vulnerabilities on ten different applications.


conference on data and application security and privacy | 2012

SWIPE: eager erasure of sensitive data in large scale systems software

Kalpana Gondi; Prithvi Bisht; Praveen Venkatachari; A. Prasad Sistla; V. N. Venkatakrishnan

We describe SWIPE, an approach to reduce the lifetime of sensitive, memory-resident data in large scale applications written in C. In contrast to prior approaches that used a delayed or lazy approach to the problem of erasing sensitive data, SWIPE uses a novel eager erasure approach that minimizes the risk of accidental sensitive data leakage. SWIPE achieves this by transforming a legacy C program to include additional instructions that erase sensitive data immediately after its intended use. SWIPE is guided by a highly scalable static analysis technique that precisely identifies the locations at which to introduce erase instructions in the original program. The programs transformed using SWIPE enjoy several additional benefits: minimization of leaks that arise due to data dependencies; erasure of sensitive data with minimal developer guidance; and negligible performance overheads.


international conference on information systems security | 2010

Strengthening XSRF defenses for legacy web applications using whitebox analysis and transformation

Michelle Zhou; Prithvi Bisht; V. N. Venkatakrishnan

Cross Site Request Forgery (XSRF) is regarded as one of the major threats on the Web. In this paper, we propose an approach that automatically retrofits the source code of legacy web applications with a widely-used defense approach for this attack. Our approach addresses a number of shortcomings in prior blackbox solutions for automatic XSRF protection. Our approach has been implemented in a tool called X-PROTECT that was used to retrofit several commercial Java-based web applications. Our experimental results demonstrate that the X-PROTECT approach is both effective and efficient in practice.


2012 International Conference on Cyber Security | 2012

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Maliheh Monshizadeh; Prithvi Bisht; Timothy L. Hinrichs; V. N. Venkatakrishnan; Lenore D. Zuck

The current practice of Web application development treats the client and server components of the application as two separate pieces of software. Each component is written independently, usually in distinct programming languages and development platforms - a process known to be prone to errors when the client and server share application logic. When the client and server are out of sync, an "impedance mismatch" occurs, often leading to software vulnerabilities as demonstrated by recent work on parameter tampering. This paper outlines the groundwork for a new software development approach, WAVES, where developers author the server-side application logic and rely on tools to automatically synthesize the corresponding client-side application logic. WAVES employs program analysis techniques to extract a logical specification from the server, from which it synthesizes client code. WAVES also synthesizes interactive client interfaces that include asynchronous callbacks (AJAX) whose performance and coverage rival that of manually written clients while ensuring no new security vulnerabilities are introduced. The effectiveness of WAVES is demonstrated and evaluated on three real-world web applications.


Journal of Computer Security | 2014

Automated detection of parameter tampering opportunities and vulnerabilities in web applications

Prithvi Bisht; Timothy L. Hinrichs; V. N. Venkatakrishnan

Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client in web forms. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we provide a formal description of parameter tampering vulnerabilities and a high-level approach for their detection. We specialize this high-level approach to develop complementary detection solutions in two interesting settings: blackbox (only analyze client-side code in web forms) and whitebox (also analyze server-side code that processes submitted web forms). This paper presents interesting challenges encountered in realizing the high-level approach for each setting and novel technical contributions that address these challenges. We also contrast utility, difficulties and effectiveness issues in both settings and provide a quantitative comparison of results. Our experiments with real-world and open source applications demonstrate that parameter tampering vulnerabilities are prolific (47 in total across 9 applications), and their exploitation can have serious consequences including unauthorized transactions, account hijacking and financial losses. We conclude this paper with a discussion on countermeasures for parameter tampering attacks and present a detailed survey of existing defenses and their suitability.

Collaboration

Top Co-Authors of Prithvi Bisht

V. N. Venkatakrishnan, University of Illinois at Chicago
Timothy L. Hinrichs, University of Illinois at Chicago
A. Prasad Sistla, University of Illinois at Chicago
Lenore D. Zuck, University of Illinois at Chicago
Maliheh Monshizadeh, University of Illinois at Chicago
Kalpana Gondi, University of Illinois at Chicago
Michelle Zhou, University of Illinois at Chicago
Praveen Venkatachari, University of Illinois at Chicago
Radoslaw Bobrowicz, University of Illinois at Chicago