Static Identification of Injection Attacks in Java
Abstract
The most dangerous security-related software errors, according to the OWASP Top Ten 2017 list, affect web applications. They are potential injection attacks that exploit user-provided data to execute undesired operations: database access and updates (SQL injection); generation of malicious web pages (cross-site scripting injection); redirection to user-specified web pages (redirect injection); execution of OS commands and arbitrary scripts (command injection); loading of user-specified, possibly heavy or dangerous classes at run time (reflection injection); access to arbitrary files on the file system (path-traversal); and storing user-provided data into heap regions normally assumed to be shielded from the outside world (trust boundary violation). All these attacks exploit the same weakness: unconstrained propagation of data from sources that the user of a web application controls into sinks whose activation might trigger dangerous operations. Although web applications are written in a variety of languages, Java remains a frequent choice, in particular for banking applications, where security has tangible relevance.
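The source-to-sink flows the abstract describes, shown in plain Java as an added example; this is not code from the paper or from its authors. For three of the listed attack classes (SQL injection, path traversal, reflection injection) the weak form sits beside a hardened form that keeps the tainted string out of the sink or constrains it before it gets there. The untrusted "source" is modelled as a String parameter standing in for a value such as HttpServletRequest.getParameter(); the base directory, the class allow-list and the attacker inputs in main are constructed for the demonstration, and the two SQL methods compile against java.sql but need a caller-supplied JDBC Connection to run.

```java
// Added example, not the paper's code. Simulates the tainted source as a String
// parameter; the JDBC Connection, BASE directory and ALLOWED set are assumptions.
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class InjectionFlows {

    // --- SQL injection: the tainted string becomes part of the query text ---
    static ResultSet findUserUnsafe(Connection c, String name) throws SQLException {
        // name = "' OR '1'='1" rewrites the WHERE clause; the sink is executeQuery.
        Statement st = c.createStatement();
        return st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    }

    static ResultSet findUserSafe(Connection c, String name) throws SQLException {
        // The tainted value is bound as a parameter and never reaches the SQL text.
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // --- Path traversal: the tainted string selects a file on the file system ---
    // Assumed base directory for this example.
    static final Path BASE = Paths.get(System.getProperty("java.io.tmpdir"), "uploads")
            .toAbsolutePath().normalize();

    static Path resolveUnsafe(String userPath) {
        // "../../etc/passwd" (or an absolute path) leaves BASE entirely.
        return BASE.resolve(userPath);
    }

    static Path resolveSafe(String userPath) {
        // Normalize first, then confine: startsWith compares path components,
        // so "uploads-evil" does not pass as a child of "uploads".
        Path p = BASE.resolve(userPath).normalize();
        if (!p.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory: " + userPath);
        }
        return p;
    }

    // --- Reflection injection: the tainted string names a class to load ---
    // Assumed allow-list for this example.
    static final Set<String> ALLOWED = Set.of("java.util.ArrayList", "java.util.HashMap");

    static Class<?> loadUnsafe(String className) throws ClassNotFoundException {
        // Loading runs the static initializer of whatever class the user names.
        return Class.forName(className);
    }

    static Class<?> loadSafe(String className) throws ClassNotFoundException {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not allow-listed: " + className);
        }
        return Class.forName(className);
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker inputs.
        String traversal = "../../etc/passwd";
        System.out.println("unsafe resolve: " + resolveUnsafe(traversal).normalize());
        try {
            resolveSafe(traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        String cls = "java.lang.Runtime";
        System.out.println("unsafe load: " + loadUnsafe(cls).getName());
        try {
            loadSafe(cls);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The point of pairing each flow with its hardened form is that the fix is always applied at the sink or just before it: a static taint analysis of the kind the abstract motivates reports the unsafe methods because a value from the source parameter reaches executeQuery, resolve or Class.forName unconstrained, and stops reporting the safe ones once the value is either bound as a parameter or checked against a fixed policy on that path.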
Document Details
- Document Type
- Pub Defense Publication
- Publication Date
- Jul 02, 2019
- Source ID
- 10.1145/3332371
Entities
People
- Alberto Lovato
- Ciprian Spiridon
- Damiano Macedonio
- Elisa Burato
- Fausto Spoto
- Michael D. Ernst
- Pietro Ferrara
Organizations
- United States Air Force
- University of Verona
- University of Washington