The Code Sanitizer: Regular Expression Based Prevention of Content Injection Attacks

  IJCTT-book-cover
 
International Journal of Computer Trends and Technology (IJCTT)          
 
© 2016 by IJCTT Journal
Volume-35 Number-1
Year of Publication : 2016
Authors : Sandeep D Sukhdeve, Prof.(Mrs) Hemlata Channe
  10.14445/22312803/IJCTT-V35P104

MLA

Sandeep D Sukhdeve, Prof.(Mrs) Hemlata Channe "The Code Sanitizer: Regular Expression Based Prevention of Content Injection Attacks". International Journal of Computer Trends and Technology (IJCTT) V35(1):21-28, May 2016. ISSN:2231-2803. www.ijcttjournal.org. Published by Seventh Sense Research Group.

Abstract -
We are increasingly relying on web, and performing important transactions online through it. The impact and quantity of security vulnerabilities in such applications has increased in recent years. Regular expression has become a common practice to ensure execution of trusted application code. However, its effectiveness in protecting client-side web application code has not yet been established. In this paper, we seek to study the efficacy of regular expression based approach for preventing script injection attacks. The paper proposes an efficient use of regular expressions to identify malicious payload contents. This paper analyzes important aspects in content injection attacks. The goals of this research work are two-fold: i) propose an efficient way to identify content injection attacks (XSS and SQL injection) using regular expressions, and ii) We present a Nondeterministic Finite Automata (NFA) based approach to detect content injection attacks. Our evaluation on Alexas top 500 sites and phpBB popular PHP application shows that the proposed approach effective on preventing content injection attacks on the input fields available on those websites. The proposed approach incurs an average performance overhead of 1.02%.

References
[1] G. Buehrer, B.W. Weide, and P.A.G. Sivilotti. Using parse tree validation to prevent sql injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware, 2005.
[2] CGIsecurity. The cross-site scripting (xss) faq. http://www.cgisecurity.com/xss-faq.html.
[3] Xinshu Dong, Kailas Patil, Xuhui Liu, Jian Mao, and Zhenkai Liang. An entensible security framework in web browsers. Technical Report TR-SEC-2012-01, Systems Security Group, School of Computing, National University of Singapore, 2012.
[4] Xinshu Dong, Kailas Patil, Jian Mao, and Zhenkai Liang. A comprehensive client-side behavior model for diagnosing attacks in ajax applications. In Proceedings of the 18th International Conference on Engineering of Complex Computer Systems (ICECCS), 2013.
[5] Dennis Fisher. Persistent xss bug on twitter exploited by worm. http://threatpost.com/en us/blogs/persistent-xss-bugtwitter- being-exploited-092110.
[6] W.G.J. Halfond and A. Orso. Amnesia: analysis and monitoring for neutralizing sql-injection attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, 2005.
[7] W.G.J. Halfond and A. Orso. Combining static analysis and runtime monitoring to counter sql-injection attacks. In Proceedings of the Third International Workshop on Dynamic Analysis, 2005.
[8] W.G.J. Halfond, A. Orso, and P. Manolios. Using positive tainting and syntax-aware evaluation to counter sql-injection attacks. In Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2006.
[9] Mark Hofman. Sql injection attack happening atm. isc.sans.org/diary/SQL+Injection+Attack+happening+ATM/12127.
[10] J. E. Hopcroft and J. D. Ullman. Introduction to automata theory, languages and computation. In Reading, 2nd Ed., Addison-Wesley, 2001, 2001.
[11] Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell. Protecting browser state from web privacy attacks. In Proceedings of the International Conference on World Wide Web (WWW), 2006.
[12] Kamlesh Kumar and Deen Bandhu. Prevention and detection techniques for sql injection attacks. In Proceedings of the IJCTT vol-12, No-03, 2014.
[13] Mozilla. Same origin policy for javascript. https://developer.mozilla.org/En/ Same origin policy for JavaScript.
[14] Mozillia. Mozilla. signing a xpi. In https://goo.gl/Ffls5r.
[15] Nex. The clickjacking meets xss: a state of art. http://www.milw0rm.com/papers/265, 2008.
[16] Anh Nguyen-tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, and David Evans. Automatically hardening web applications using precise tainting. In Proceeding of the 20th IFIP International Information Security Conference, 2005.
[17] National Institute of Standards and Technology. National vulnerability database (nvd). http://web.nvd.nist.gov/view/vuln/search.
[18] Kailas Patil, Xinshu Dong, Xiaolei Li, Zhenkai Liang, and Xuxian Jiang. Towards fine-grained access control in javascript contexts. In 31st International Conference on Distributed Computing Systems (ICDCS), 2011, pages 720–729, June 2011.
[19] Kailas Patil, Tanvi Vyas, Fredrik Braun, Mark Goodwin, and Zhenkai Liang. Poster:usercsp-user specified content security policies. Symposium On Usable Privacy and Security (SOUPS) POSTER, 2013.
[20] Tadeusz Pietraszek, Chris V, and En Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proceeding of the Recent Advances in Intrusion Detection, 2005.
[21] Cristian Pinzn, Javier Bajo Juan F. De Paz, lvaro Herrero, and Emilio Corchado. Aiida-sql: An adaptive intelligent intrusion detector agent for detecting sql injection attacks. In Proceedings of the 10th International Conference on Hybrid Intelligent Systems, 2010.
[22] OWASP-The Open Web Applicaiton Security Project. Owasp top ten project. https://www.owasp.org/index.php/Top10#OWASP Top 10 for 2013.
[23] Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir. Browsershield: Vulnerability-driven filtering of dynamic html. In Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI), 2006.
[24] RSnake. Xss(cross site scripting) cheat sheet esp: for filter evasion. http://ha.ckers.org/xss.html.
[25] Jesse Ruderman. Signed scripts in mozilla. http://www.mozilla.org/projects/security/ components/signedscripts. html.
[26] Zhendong Su and Gary Wassermann. The essence of command injection attacks in web applications. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL), 2006.
[27] Symantec. Internet security threat report volume 20. https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932 GAinternet- security-threat-report-volume-20-2015-social v2.pdfg, April 2015.
[28] Stephen Thomas, Laurie Williams, and Tao Xie. On automated prepared statement generation to remove sql injection vulnerabilities. In Proceedings of the Elsevier Journal on the Information and Software Technology, 2009.
[29] Wikipedia. Cross-site scripting. http://en.wikipedia.org/wiki/Cross-site scripting.
[30] Wikipedia. Sql injection. https://en.wikipedia.org/wiki/SQL injection.
[31] Yichen Xie and Alex Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the USENIX Security Symposium, 2006.
[32] xssed.com. Myspace.com hit by a permanent xss. http://www. xssed.com/news/83/Myspace.com hit by a Permanent XSS/. [33] xssed.com. New orkut xss worm by brazilian web security group. http://www.xssed.com/news/77/New Orkut XSS worm by Brazilian web security group/.
[34] Z. Yan and S. Holtmanns. Trust modeling and management: from social trust to digital trust. In IGI Global, 2008.

Keywords
Regular expression, Content Injection, Crosssite scripting, SQL injection, injection attacks.