8/3/2019 05473561
http://slidepdf.com/reader/full/05473561 1/5
A Static Analysis Tool for Detecting Web Application Injection Vulnerabilities for ASP Program
Zhang Xin-hua
Computer & Information Engineering College
Hohai University, 210098
Nanjing, China
Wang Zhi-jian
Computer & Information Engineering College
Hohai University, 210098
Nanjing, China
Abstract — The number of publicly reported vulnerabilities has grown strongly in recent years, and most of that growth has been in Web applications. Cross-site scripting (XSS) and SQL injection have been the most dominant classes of web vulnerability, and Web application security has become a great challenge. For this case, the static analysis tool ASPWC presented in this paper detects XSS and SQL injection vulnerabilities based on taint analysis: it tracks the various kinds of external input, tags their taint types, constructs a control flow graph, uses data flow analysis to follow the relevant information as taint data propagates to the various kinds of vulnerable functions, and detects the XSS or SQL injection vulnerabilities in the web application's source code. Experiments show that the detection approach is effective; it can be used to detect XSS and SQL injection vulnerabilities in web application programs developed with ASP technology.
Keywords: WebApp vulnerability; XSS; Taint Trace; SQL injection; Code Review
I. INTRODUCTION
The total number of publicly reported software vulnerabilities has increased in the last few years, and most of the increase has been in Web applications. So-called injection vulnerabilities dominate, including SQL injection, command injection, cross-site scripting (XSS), and so on. In 2005 and 2006, XSS was number 1 and SQL injection was number 2 [1]. In 2009, around the domestic college entrance examination online enrollment period, the admission websites of domestic universities suffered "Trojan horse" attacks: when a user visited a page that had been attacked by XSS, the user's sensitive data was stolen. These cases show that strengthening Web application security is urgent work.
The reasons for the increase of threats in Web applications can be divided into two main parts. On one hand, software is being developed on too large a scale, with growing complexity and extensibility, while flaws still exist in its source code. On the other hand, web vulnerabilities are easy to detect and exploit, and this is combined with the proliferation of low-grade software applications. At the moment, the flood of Web application programs and plug-ins means that much of the code is alpha or beta, written by inexperienced programmers in easy-to-learn languages such as ASP (Active Server Pages). Such software is often rife with easy-to-find vulnerabilities, and even hidden malicious back doors. For instance, injection threats exist in early versions of Eweb editor and FCKeditor.
Security problems in software refer to threats incurred because of flaws in software research, design, programming, testing and implementation [2]. They are taken advantage of by attackers so as to change the function of the software away from the original intention of its designers.
Among typical Web application attacks, the most popular are SQL injection and XSS, because the most basic probes for these vulnerabilities are very simple to perform, e.g. a single quote (') for SQL injection and <script>alert('hi')</script> for XSS [13]. This makes it easy for beginning researchers to quickly test large amounts of software.
A. Principle and Example of SQL Injection Attack
SQL injection vulnerabilities come into being when the application program accesses the database with SQL statements built from its inputs. When stored data is applied to the code again, and this process is driven by users' inputs, SQL injection vulnerabilities occur again. The process can be described as follows: complex SQL code is constructed from the initial inputs, which then yields the user's sensitive information or whatever is required to control the entire server. Thus SQL injection comes into being. The higher the privilege of the database user role under which the program connects to the database, the more serious the problem is. Hence information is divulged, if not all the data within the database destroyed.
When the application uses input variables to construct a dynamic SQL statement to access the database, SQL injection vulnerabilities occur. The main principle is that unprocessed inputs are used to construct the SQL statement, so users can submit malicious code in order to obtain sensitive information or gain control of the server; thus SQL injection comes into being. The higher the privilege with which the application program connects to the database, the more serious the problem is. Hence information is divulged, if not all the data within the database destroyed.
978-1-4244-5895-0/10/$26.00 ©2010 IEEE
The test method for a common SQL injection attack is to use the characters and key words ' (single quote), union, --; and so on, to test whether the dynamic SQL statement in a program has an injection vulnerability. For example, consider the login page of a web application that expects a user name and the corresponding password. When the credentials are submitted, they are inserted within a query template such as the following:

    "select * from admin where username = '" + request.form("username") + "' and Password = '" + request.form("passwd") + "'"

Instead of a valid user name, the malicious user sets the "username" variable to the string ' or 1=1; --, causing the VBScript to submit the following SQL query to the database:

    select * from admin where username = '' or 1=1; --' and Password = 'any_passwd'

Therefore, the password value is irrelevant and may be set to any character string. The result set of the query contains at least one record, since the "where" clause evaluates to true. If the application identifies a valid user by testing whether the result set is non-empty, the attacker can bypass the security check.
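The login check above, reproduced in Python over an in-memory SQLite table (an added example, not the paper's code or the ASP application's): vulnerable_login builds the query by string concatenation exactly as the ASP template does, and safe_login performs the same check with bound parameters, which is the sanitation the authors' tool looks for. The admin table and its single row are constructed here for the example.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the paper's 'admin' table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (username text, Password text)")
    conn.execute("insert into admin values ('admin', 's3cret')")
    return conn


def vulnerable_login(conn, username, passwd):
    """Mirrors the ASP query template: the submitted values are concatenated
    straight into the SQL text, so quote characters in them become SQL syntax
    and the 'where' clause no longer means what the programmer wrote."""
    query = ("select * from admin where username = '" + username +
             "' and Password = '" + passwd + "'")
    return len(conn.execute(query).fetchall()) > 0


def safe_login(conn, username, passwd):
    """Same check with bound parameters: the driver passes the values to the
    database separately from the statement, so they can never alter it."""
    query = "select * from admin where username = ? and Password = ?"
    return len(conn.execute(query, (username, passwd)).fetchall()) > 0


if __name__ == "__main__":
    db = build_db()
    bypass = "' or 1=1; --"          # the username string from the paper's example
    print("vulnerable:", vulnerable_login(db, bypass, "any_passwd"))   # True
    print("safe:", safe_login(db, bypass, "any_passwd"))               # False
```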
B. Injection principle and example of XSS
XSS attacks usually work by inserting a malicious script into a Web page; when a visitor views the page, the malicious script runs quietly in the visitor's browser, where it can steal the user's private information and send it out, or download and install a Trojan program. This act violates a basic browser security principle, the same-origin policy (SOP): a document or script from one domain cannot, without user approval, access or modify the properties of a document from another domain.
The data flow diagram of XSS attacks is as follows.
Figure 1. The data flow diagram of XSS Attacks
XSS attacks can be divided into stored, reflected and DOM-based types [3]. Fig. 1 shows the stored type. In this attack, the attacker generally submits a malicious script through a form to the Web server's back-end database; when a user browses a page that contains the malicious script, the XSS attack occurs. The reflected type is the most common one and the easiest to construct. It is usually contained in a URL; once the URL is clicked, the malicious script is decoded and executed by the HTML renderer. The characteristics of such threats are non-persistence and passivity: a reflected XSS attack is non-persistent and passive, and can only be triggered when the user clicks on the URL link. DOM-based XSS attacks operate directly on Javascript objects and variables rather than on HTML elements, using CSS, HTML and AJAX technology to dynamically load and run a malicious script, so as to achieve an XSS attack.
Influential examples of XSS threats have been carried out against QQ Space and 163.com e-mail in China, and against MySpace abroad. In the latter instance, a person called "samy" wrote the first cross-site malicious worm, which infected one million users within 20 hours and led to the breakdown of the MySpace web site.
II. OUTLINE OF RESEARCH IN XSS THREATS AND SQL THREATS
In recent years there has been a lot of research against XSS and SQL injection attacks, mainly focused on the development of protection mechanisms to improve software security. By the deployment location of the protection, the work can be divided into three modes: server-side, client-side, and client/server.
Server-side protection: The taint mode in Perl [4] is the most effective protection in dynamic servers. Protection has been provided separately for the Java virtual machine and for interpreter-based PHP web servers [5] [6]. Recently, R. Sekar proposed a framework with a black-box technique to prevent web threats [7]: based on the inputs and outputs of the application program, a deduction is made as to whether or not there is tainted data, and an interceptor at the server processes the data. An experimental evaluation shows that their approach achieves the desired objective.

Client-side protection: Related papers are rare in this category, while P. Vogt et al. propose a sensitive-information-flow approach to tracing in the client browser [8]. In that case, users have the right to accept or decline the sending of sensitive information to a third party. Noxes [9] is a client-side rule-based proxy which prevents the client's visits to insecure web sites by heuristic means.
Client-side / server-side protection: To make up for the insufficiency of client-only or server-only approaches, Yacin Nadji, Prateek Saxena and Dawn Song [10] conclude that the main reason for XSS threats is the lack of a proper mechanism, defined by HTML and the browser, that could safely separate data generated by clients. To deal with that, they propose a client/server system which efficiently isolates clients' data so as to preserve the integrity of code in a trusted web application program.
The above is mainly aimed at how to protect and reinforce Web applications to prevent vulnerabilities from being exploited. In recent years, the study of software security has gradually become a hot field. Gary McGraw proposed Software Security: Building Security In (BSI) [2], whose basic idea is to make software security a necessary part of the whole software life cycle, with touchpoints at which software security thinking is applied; code review is an important link among them.
Code review is the analysis of a program's source code, and can be divided into manual auditing and static analysis tools. The former is very time-consuming, and to do it effectively, human code auditors must first know what security vulnerabilities look like before they can rigorously examine the code. So it is conducted on the critical parts of the program, such as the modules that receive and process user input, authentication components, and so on. Static analysis tools are much more efficient than manual auditing, but the current static analysis tools are neither as comprehensive nor as accurate as manual auditing, so the audit report they issue generally has to be examined manually to determine whether each finding is a true vulnerability. Nevertheless, some tools are available now, as shown in Table I.

TABLE I. TOOLS FOR ASSESSMENT AND IMPROVEMENT IN CODE SECURITY

    Name                               Program language                                        Link
    Inspector                          C/C++ binary system                                     http://www.hbgray.com
    Code Assure                        C/C++, Java                                             http://www.securesw.com/products/
    RATS                               C/C++, Python, Perl, PHP                                http://www.securesw.com/resources/tools.html
    ITS4                               C/C++                                                   http://www.cigital.com
    Coverity                           C/C++                                                   http://www.coverity.com
    Fortify source code analysis set   ASP.NET, C, C++, C#, Java, JSP, PL/SQL, T-SQL, VB.NET, XML   http://www.fortifysoftware.com
    DevPartner SecurityChecker         C#, VB.NET                                              http://www.compuware.com
From Table I it is obvious that most tools are for C/C++, and detecting XSS and SQL injection vulnerabilities is only a part of their function. Pixy [11] proposes a static way to analyze web programs based on data flow analysis techniques such as flow sensitivity, interprocedural analysis and context sensitivity, so as to detect vulnerabilities in programs that are prone to XSS and SQL injection threats. In this paper, we propose a detection model for web application threats based on the taint propagation technique, especially for static code examination of web applications developed in ASP.
III. STATIC ANALYSIS METHODS
The main techniques for detecting software security vulnerabilities are dynamic analysis, formal method validation and static analysis. Static analysis is divided into type inference, data flow analysis and constraint analysis [12].
A. Type Inference
The type system of a programming language comprises type definitions and rules for type equivalence, type inclusion and type inference. Type inference derives the types of the variables and methods within a program automatically, so as to determine whether or not their uses meet the type rules. This kind of inference can be used to find type bugs and to perform the necessary type conversions with proper operations. It has the characteristics of simplicity and high efficiency, which make it well suited for quick detection of security threats in software. At present it is mainly applied in the detection of format string vulnerabilities and of vulnerable pointer use in OS kernels.
B. Data-Flow Analysis
Data-flow analysis is used in procedural programming; it collects semantic information from programs and then treats variable definitions and uses with an algebraic approach. It is used in program optimization, program validation, debugging, parallelization, vectorization and serial program environments. Its realization makes use of the "variable definition-use" pair.
C. Constraint Analysis
Constraint analysis divides program analysis into constraint generation and constraint solving. The former constructs variable types with constraint generation rules or analyzes the constraint system among states, while the latter solves such constraint systems.
A constraint system is comprised of equation constraints, set constraints and mixed constraints. In the first kind, only equations exist between constraint objects. Set constraints take program variables as sets of values, whose evaluation is regarded as an inclusion relation between set expressions, while the last kind combines an equation constraint part and a set constraint part.
D. Comparison among the Three Main Methods
All three methods explain the abstract semantics of programs and construct mathematical models based on program properties, with which they determine the properties of the program. In comparison, constraint analysis has the greatest detection ability but the lowest speed, which makes it fit for security examination of software; data-flow analysis has relatively high speed and remarkable detection ability, which is appropriate for static analysis that must take control flow information into account and requires only simple operations on variable properties; type inference has the poorest ability and the fastest speed, and suits security tests over a finite property domain that is unrelated to control flow.
A website that publishes news, or a BBS forum, is one kind of web application. Analyzing the logical characteristics of its services, it is not hard to see that its data flow can be summarized as: data input (parameters) → data service processing (web server) → result output (HTML). Based on the principles of XSS and SQL injection threats, we can see that the vulnerability is mainly generated by the sanitation of input data: a sanitation process that does not cover all input data will miss such vulnerabilities from taint data (data input by outside clients). In this paper, we examine the code with data flow analysis; the function framework of the system is shown in Fig. 2.
Figure 2. Function Framework of Code Review System
IV. KEY TECHNOLOGIES
The main steps in examining source code with the goal of detecting its vulnerabilities are pre-processing of the source code, lexical analysis and semantic analysis, so as to yield a semantic tree and a control flow graph. Examination of the control flow graph is conducted based on analysis rules, which then generate the vulnerability report for the input program. The key is to analyze the control flow graph and semantic tree with a taint propagation algorithm in order to detect input variables used without data sanitation. These vulnerabilities are then recorded in an analysis report, which also contains related information from the code examination, such as input variable name, line number, bug type and vulnerability level.
A. The basic idea of the taint propagation
Inspired by Perl's taint mode, taint data that is input is tracked, changes along the data flow are recorded, and the corresponding constraints are analyzed to find code that violates the rules or contains software vulnerabilities. A perfect example of this type is CQual, which is used to detect format string vulnerabilities in C programs.
1) Source of Taint Data

The data accepted from the user's browser is marked as untrusted data, which often needs to be sanitized before use so as to eliminate potential vulnerabilities. The function which is used to accept the user input data is treated as a taint data input source node (Snode). There are several functions that accept user input data in ASP; the main ones are listed in Table II.
TABLE II. INPUT FUNCTIONS FOR TAINTED DATA (PART)

    Function Name           Description
    Request.Form()          Collect data from form
    Request.QueryString()   Collect data from URL
    Request.Cookies         Collect data from clients' cookie
2) Taint Data Output

Programs often have data output functions, such as executing a DML statement against the database or outputting data to the user's browser. These serve as the end node (Tnode) on the path along which taint data propagates. There are several functions that output data in ASP; the main ones are listed in Table III.
TABLE III. OUTPUT FUNCTIONS FOR TAINTED DATA (PART)

    Function Name       Description
    Response.Write()    Output to client
    SQL operation       Operate on the back-end database
    Response.Redirect   Redirect to URL page
3) Taint Data Propagation

Propagation of taint data is divided into the following broad classes of operations:
• assignments
• arithmetic and logic operations
• function call and procedure call
When an instruction is executed, some (or all) of its operands may be tainted. In detecting the data flow from the marked source node to the end node, the key point is to determine whether or not a taint data variable is output at the end node.
B. Pre-Process
Pre-processing is divided into two parts: the formation of the file by importing ASP included files, and the filtering of the source code, which deletes useless code such as comments and blank lines and matches the taint data input and output methods. If a line contains no taint data method, it has no vulnerability; otherwise, it proceeds to data flow analysis. Pre-processing filters out a lot of source code, which decreases the computation of property analysis significantly so as to yield higher analysis efficiency.
C. Control Flow graph
A control flow graph is a directed graph with a single fixed entry node and exit node. It is a way to realize data-flow analysis, and can be generated through pre-processing, lexical analysis and semantic analysis. The graph is composed of nodes (circles with serial numbers) and control flow edges or arcs (drawn as arrows). Traversing every path in the control flow graph and examining the variables used on the path collects the variables affected by operations that accept outside untrusted data. If a path also contains an output, it may contain a software vulnerability.
D. Process of Feature Analysis
The sets used in feature analysis include the following: VarList{} records all the variables that exist in the original program; Vex{} records all the sets of code in the control flow diagram; InNode{} records the node numbers of variables that participate in a taint input function; OutNode{} records the node numbers of variables that participate in a taint output function. The analysis process can be expressed as follows:

(1) Traverse the semantic tree of the target program so as to collect the variable information of the original program, yielding the variable table VarList{} and the control flow diagram G = (V, E), with V as the node set and E as the set of directed edges; e = (T(e), H(e)) is a pair of neighboring nodes with e running from T(e) to H(e).

(2) Execute a breadth-first search over the control flow graph G. Should a node with variable var participate in a taint input function, then add its node number to the set of taint input nodes, namely, the operation Add(InNode, v) is executed; should a node with variable var participate in a taint output function, then add its node number to the set of taint output nodes, namely, the operation Add(OutNode, v) is executed.

(3) On the control flow diagram G = (V, E) (V = {V_in, V_1, V_2, ..., V_out}), set A denotes all the variables of the taint output function, and set T denotes the vulnerable nodes. For b ∈ A, delete(A, b) denotes that node b is deleted from A, and addVul(T, b) denotes that node b is added to the set of vulnerable variables.

The set of paths from the input nodes V_in of the taint input function to the output nodes of the taint output function is denoted P = {p_1, p_2, ..., p_n}. Scan the VarList of the examined program in order and conduct the following operation op on every path:

    op: ∀p ∈ P, p = <V_in, V_1, ..., V_i, ..., V_j, ..., V_out>,

where V_i denotes a taint input variable a with a ∈ A. If a V_j exists on p that denotes a calling sentence for a, then "delete(A, a), addVul(T, a)" is executed. On completion of this operation for all the paths in set P, all the nodes in T are potentially vulnerable nodes; that is, the operations on those input taint data variables contain vulnerabilities. In this way the XSS or SQL injection vulnerabilities are detected and recorded in the database. Otherwise, jump to (4).

(4) Check VarList; if it contains nodes that have not been examined, go to (3); otherwise, exit.
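As an added illustration (not the ASPWC tool's code), the following Python script applies the taint propagation of section IV to a constructed classic-ASP page: Request.Form/QueryString/Cookies are the source nodes of Table II, Response.Write and ADO Execute/Open calls are the end nodes of Table III, assignments propagate taint, and Server.HTMLEncode plus a hypothetical SafeSql() helper count as sanitation. It works line by line over straight-line code rather than over the paper's control flow graph, and reports variable name, line number and bug type as the analysis report in section IV does.

```python
import re

# Taint sources (Table II) and output sinks (Table III) in classic-ASP spelling;
# VBScript identifiers are case-insensitive, so all matching ignores case.
SOURCE = re.compile(r'\bRequest\.(?:Form|QueryString|Cookies)\s*\(\s*"[^"]*"\s*\)', re.I)
SINKS = {
    "XSS": re.compile(r"\bResponse\.Write\b", re.I),
    "SQL": re.compile(r"\b\w+\.(?:Execute|Open)\b", re.I),   # ADO conn.Execute / rs.Open
}
# Calls treated as sanitizing their argument (assumption: Server.HTMLEncode for
# the XSS sink and a hypothetical SafeSql() helper for the SQL sink).
SANITIZER = re.compile(r"\b(?:Server\.HTMLEncode|SafeSql)\s*\([^)]*\)", re.I)
ASSIGN = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=\s*(.+)$", re.I)


def taint_refs(expr, tainted):
    """Sources and tainted variables referenced in expr, ignoring sanitized
    sub-expressions.  Returns {name: originating source text}."""
    expr = SANITIZER.sub("CLEAN", expr)
    refs = {m.group(0): m.group(0) for m in SOURCE.finditer(expr)}
    for var, src in tainted.items():
        if re.search(rf"\b{re.escape(var)}\b", expr, re.I):
            refs[var] = src
    return refs


def analyse_asp(source):
    """Line-based taint propagation over a classic-ASP page.  Returns findings
    as (line number, vulnerability type, variable, originating source)."""
    tainted = {}          # variable name (lower-case) -> source it derives from
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        # Pre-process (section IV.B): drop blank lines, comments and ASP markup.
        if not line or line.startswith("'") or line in ("<%", "%>"):
            continue
        # End nodes (Tnode): report every tainted value that reaches a sink.
        for vuln_type, sink in SINKS.items():
            if sink.search(line):
                for name, src in taint_refs(line, tainted).items():
                    findings.append((lineno, vuln_type, name, src))
        # Assignments propagate taint to the left-hand variable (section IV.A.3);
        # assigning a clean expression removes taint again.
        m = ASSIGN.match(line)
        if m:
            lhs, rhs = m.group(1).lower(), m.group(2)
            refs = taint_refs(rhs, tainted)
            if refs:
                tainted[lhs] = next(iter(refs.values()))
            else:
                tainted.pop(lhs, None)
    return findings


# Constructed sample page, not taken from any real application.
SAMPLE_ASP = """\
<%
' constructed sample page, not taken from any real application
Dim user, pwd, sql, rs, name, safe
user = Request.Form("username")
pwd = Request.Form("passwd")
sql = "select * from admin where username='" & user & "' and Password='" & pwd & "'"
Set rs = conn.Execute(sql)
name = Request.QueryString("name")
Response.Write "Hello " & name
safe = Server.HTMLEncode(Request.QueryString("name"))
Response.Write "Hello " & safe
%>
"""

if __name__ == "__main__":
    for lineno, vuln_type, var, src in analyse_asp(SAMPLE_ASP):
        print(f"line {lineno}: {vuln_type} via variable '{var}' from {src}")
```

The sample yields two findings, the SQL sink on line 7 (via sql, derived from Request.Form("username")) and the XSS sink on line 9 (via name); the HTMLEncode'd output on line 11 is not reported.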
V. EXPERIMENTS
To test the validity of our approach, we selected three open source programs written in ASP. These programs are commonly used as source code for tools at the network application layer and are representative. Test environment: Intel XEON CPU 3.0 GHz, 1 GB cache, Windows 2003 Server, IIS 6.0. We then conducted penetration testing with Acunetix Web, with the results shown in Table IV. We developed a tool named ASPWC. The number of XSS vulnerabilities reported by the Acunetix Web tool is the number of successful XSS attack tests.
TABLE IV. RESULTS OF EXPERIMENTS

    Tool Name      Vulnerability Type   DVBBS Ver. 7.0   OK3W Ver. 3.0   Leichi news Ver. 3.0
    Acunetix Web   XSS                  5*               53*             67*
    Acunetix Web   SQL                  0                0               2
    ASPWC          XSS                  4                2               3
    ASPWC          SQL                  1                1               2
Analysis of the experimental results: it can be seen from the data above that the vulnerability detection algorithm based on the control flow graph and data-flow analysis can effectively detect the XSS and SQL injection vulnerabilities that exist in the source code.
A blacklist is applied to check the input data in the OK3W and Leichi news programs: they have a common function that checks all input strings. For these programs our tool produces a certain number of false positives. Although the report contains false positives, the total number of reported items is small, and finding the true vulnerabilities among the relatively small number of reports greatly reduces the workload.
VI. CONCLUSIONS
Web application programs have become a common and interconnected platform in this age. Meanwhile, security vulnerabilities within web applications are regularly reported. The time cost, personnel cost and fallibility of manual examination limit its wide use, so automatic code examination tools for detecting vulnerabilities in programs are a key means. The approach based on taint tracing, which detects malicious input data and checks that no tainted data is output, can be used to derive the vulnerabilities for most taint data (XSS, SQL). This tool has shown its usefulness in examining the ASP-based web sites on a virtual host in a high school. Although the false-positive rate remains high now, we will use data-flow analysis and add rules to detect sensitive information, so as to yield higher accuracy of source code examination and a lower false positive count within an acceptable bound.
REFERENCES
[1] Steve Christey, Robert A. Martin. Vulnerability Type Distributions in CVE [EB/OL]. Version 1.1, 2007-05-22. http://cwe.mitre.org/documents/vuln-trends.html
[2] Gary McGraw. Software Security. IEEE Security & Privacy [J], March-April 2004, 2(2): 80-83.
[3] The Ten Most Critical Web Application Security Vulnerabilities [EB/OL]. http://www.owasp.org/
[4] J. Allen. Perl Version 5.8.8 Documentation - Perlsec. http://perldoc.perl.org/perlsec.pdf, 2006.
[5] V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation for Java. In Twenty-First Annual Computer Security Applications Conference (ACSAC), 2005.
[6] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting. In 20th IFIP International Information Security Conference, Makuhari-Messe, Chiba, Japan, 05 06 2005.
[7] R. Sekar. An Efficient Black-box Technique for Defeating Web Application Attacks. In 16th Annual Network & Distributed System Security Symposium (NDSS), 2009.
[8] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2007.
[9] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A Client-side Solution for Mitigating Cross-site Scripting Attacks. In Proceedings of the 2006 ACM Symposium on Applied Computing, 2006.
[10] Yacin Nadji, Prateek Saxena, Dawn Song. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In 16th Annual Network & Distributed System Security Symposium (NDSS), 2009.
[11] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In IEEE Symposium on Security and Privacy, 2006.
[12] Xia Yiming. Security Vulnerability Detection Study Based on Static Analysis [J]. Computer Science, 2006, 33(10): 279-283. (in Chinese)
[13] R. Hansen. XSS Cheat Sheet [EB/OL]. http://ha.ckers.org/xss.html