Web Application Security Work
Our work focuses on characterizing attacks on web applications and finding
corresponding mitigation approaches. We have applied this approach to SQL
command injection attacks (SQLCIAs) by defining a generated query to be an instance
of such an attack if the substrings that come from untrusted input are not syntactically
confined, i.e., no valid sentential form can be obtained for the query
by replacing each untrusted substring with a single nonterminal.
To prevent
SQLCIAs at runtime, we track untrusted input into the query sites, mark the
boundaries of the untrusted substrings, and attempt to parse the generated queries with a modified
parser (described in our POPL'06 paper). To check statically whether web application code may
produce such queries, we characterize the possible string values that may
be generated at the query sites using a context-free grammar, mark certain
grammar symbols as "tainted", and use formal language operations to check
for attack queries (described in our PLDI'07 paper).
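The runtime check described above, as an added example that is not part of the group's tools or papers: a simplified, token-level version of syntactic confinement. Untrusted values are wrapped in sentinel characters (here the fixed bytes \x01 and \x02, an assumption of this example, not the marking scheme of the POPL'06 paper), the query is lexed, and each untrusted span is accepted only if it lies entirely inside a single literal or identifier token. That approximates "replaceable by a single nonterminal" for the common case; a full implementation would parse against the SQL grammar so that a longer untrusted phrase that forms one nonterminal (a whole expression, say) is also accepted. The query template, keyword list and sample inputs are constructed for the example.

```python
import re
from typing import List, Tuple

# Sentinel characters wrapped around each untrusted value (assumed for this
# example; they must never appear in legitimate input or in the template).
L, R = "\x01", "\x02"

# Small keyword set for the toy lexer (constructed; a real SQL dialect has many more).
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO",
            "VALUES", "UPDATE", "SET", "DELETE", "DROP", "TABLE", "UNION",
            "NULL", "LIKE", "IN", "IS"}

TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<str>'(?:[^']|'')*')              # single-quoted literal, '' escapes a quote
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<id>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op><=|>=|<>|!=|[=<>+\-*/%(),;.])
""", re.VERBOSE)

# Token kinds an untrusted substring may occupy: each corresponds to a single
# leaf nonterminal (literal or identifier) in the grammar.
CONFINING = {"str", "num", "id"}


def mark(template: str, *untrusted: str) -> str:
    """Fill a query template, wrapping every untrusted value in the sentinels."""
    return template.format(*(L + u + R for u in untrusted))


def strip_marks(marked: str) -> Tuple[str, List[Tuple[int, int]]]:
    """Remove the sentinels; return the plain query and the [start, end) span of each untrusted value."""
    out: List[str] = []
    spans: List[Tuple[int, int]] = []
    start = None
    for ch in marked:
        if ch == L:
            start = len(out)
        elif ch == R:
            spans.append((start, len(out)))
        else:
            out.append(ch)
    return "".join(out), spans


def tokenize(query: str) -> List[Tuple[str, int, int]]:
    """Lex into (kind, start, end) triples; raise ValueError where no rule matches
    (e.g. the unterminated quote left behind by an unescaped quote in the input)."""
    toks: List[Tuple[str, int, int]] = []
    pos = 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"lexical error at offset {pos}: {query[pos:pos + 10]!r}")
        kind = m.lastgroup
        if kind == "id" and m.group().upper() in KEYWORDS:
            kind = "kw"          # keywords are terminals, not confining
        if kind != "ws":
            toks.append((kind, m.start(), m.end()))
        pos = m.end()
    return toks


def is_confined(marked: str) -> bool:
    """True iff every untrusted span lies entirely inside one literal or identifier token."""
    query, spans = strip_marks(marked)
    try:
        toks = tokenize(query)
    except ValueError:
        return False             # not even lexically valid: reject
    for s, e in spans:
        covering = [kind for kind, ts, te in toks if ts <= s and e <= te]
        if not covering or covering[0] not in CONFINING:
            return False
    return True


def check_query(template: str, *untrusted: str) -> str:
    """Runtime gate: return the plain query if it is confined, otherwise raise."""
    marked = mark(template, *untrusted)
    if not is_confined(marked):
        raise ValueError("SQL command injection attempt blocked")
    return strip_marks(marked)[0]


if __name__ == "__main__":
    T = "SELECT * FROM users WHERE name = '{}' AND pin = {}"
    for name, pin in [("alice", "1234"),
                      ("O''Brien", "1234"),
                      ("alice' OR '1'='1", "1234"),
                      ("alice", "1234 OR 1=1"),
                      ("alice", "0; DROP TABLE users")]:
        print(f"{name!r:22} {pin!r:22} confined={is_confined(mark(T, name, pin))}")
```

Note that the check is applied to the complete generated query, not to the input in isolation: `alice' OR '1'='1` is rejected because, once it sits inside the quotes of the template, its span starts inside one string literal and ends inside another, while the correctly escaped `O''Brien` is accepted because the whole span stays within a single literal token.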
Earlier, we explored semantic characterizations of attacks and addressed the problem of
checking the type correctness of generated queries. Both of these are based on characterizing
the possible string values at query sites using regular languages.
People
Publications
- Sound and Precise Analysis of Web Applications for Injection Vulnerabilities
Gary Wassermann, Zhendong Su, PLDI'07. (25%)
- Static Checking of Dynamically Generated Queries in Database Applications
Gary Wassermann, Carl Gould, Zhendong Su, Premkumar Devanbu, TOSEM.
- The Essence of Command Injection Attacks in Web Applications
Zhendong Su, Gary Wassermann, POPL'06.
- An Analysis Framework for Security in Web Applications
Gary Wassermann, Zhendong Su, SAVCBS'04 with FSE'04.
- Static Checking of Dynamically Generated Queries in Database Applications
Carl Gould, Zhendong Su, Premkumar Devanbu, ICSE'04.
In addition to our own work, this page lists other related materials and
includes a listing of other web application security papers in the research
literature.
Resources
- WebGoat - a deliberately insecure web application designed for hands-on learning about web application vulnerabilities.
- OWASP guide - an extensive guide
to web application security vulnerabilities
Tools
- Lapse - a static analysis tool for finding injection vulnerabilities in Java web applications, from Ben Livshits and Monica Lam
- Pixy - a static analysis tool for detecting XSS vulnerabilities from Nenad Jovanovic, Christopher Kruegel, and Engin Kirda
- Scando - a commercial web application vulnerability scanner
- Sandcat - a free XSS scanner
- N-Stalker - a free XSS scanner