Automatically Hardening Web Applications Using Precise Tainting

Abstract

Most web applications contain security vulnerabilities. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks (among other, less common vulnerabilities). In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Existing techniques either require effort from the site developer or are prone to false positives. This paper presents a fully automated approach to securely hardening web applications. It is based on precisely tracking the taintedness of data and checking for dangerous content only in the parts of commands and output that came from untrustworthy sources. Unlike previous work, in which everything derived from tainted input is tainted, our approach precisely tracks taintedness within data values. We describe our results and prototype implementation on the predominant LAMP (Linux, Apache, MySQL, PHP) platform.
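The abstract's central idea, tracking taint per character rather than per value so that a sink check inspects only the attacker-supplied bytes of a SQL command or HTML page, can be modelled in a few dozen lines. The following is an added example written for this page; it is not the authors' PHP interpreter modification, and the `SQL_UNSAFE` and `HTML_UNSAFE` patterns, the `TaintedStr` class and the `build_query`/`render_greeting` helpers are constructed for illustration rather than taken from the report. It contrasts the precise check with a whole-value ("coarse") check to show why the latter produces false positives on a perfectly benign request.

```python
"""Precise (per-character) tainting, modelled in Python.

Added illustration of the idea in the abstract, not the authors' PHP
interpreter modification.  Every string carries a taint mask; string
operations propagate the mask; a sink check inspects only the tainted
characters, so the program's own quotes and keywords never trip it.
The unsafe-content patterns below are a constructed policy, not the
report's exact rules.
"""
import re


class TaintedStr:
    """A string plus a per-character taint mask (True = from an untrusted source)."""

    def __init__(self, text, taint=None):
        self.text = text
        self.taint = list(taint) if taint is not None else [False] * len(text)
        if len(self.taint) != len(self.text):
            raise ValueError("taint mask must match text length")

    @classmethod
    def untrusted(cls, text):
        """Mark a value that arrived from outside (e.g. a request parameter)."""
        return cls(text, [True] * len(text))

    def __add__(self, other):
        if not isinstance(other, TaintedStr):
            other = TaintedStr(other)  # literal from program text: untainted
        return TaintedStr(self.text + other.text, self.taint + other.taint)

    def __radd__(self, other):
        return TaintedStr(other) + self

    def __getitem__(self, key):
        # slicing keeps the per-character mask aligned with the characters
        if isinstance(key, slice):
            return TaintedStr(self.text[key], self.taint[key])
        return TaintedStr(self.text[key], [self.taint[key]])

    def tainted_spans(self):
        """Return [(start, end), ...] for each maximal run of tainted characters."""
        spans, start = [], None
        for i, t in enumerate(self.taint + [False]):
            if t and start is None:
                start = i
            elif not t and start is not None:
                spans.append((start, i))
                start = None
        return spans


# Constructed policies: content that would change the structure of a SQL
# statement or of an HTML document if an attacker controlled it.
SQL_UNSAFE = re.compile(
    r"['\";]|--|/\*|\b(?:select|union|insert|update|delete|drop|or|and)\b", re.I)
HTML_UNSAFE = re.compile(r"[<>]|javascript:", re.I)


def precise_violations(value, pattern):
    """Unsafe content found only inside tainted runs; offsets are absolute."""
    found = []
    for start, end in value.tainted_spans():
        for m in pattern.finditer(value.text[start:end]):
            found.append((start + m.start(), m.group(0)))
    return found


def coarse_violations(value, pattern):
    """Whole-value tainting, for contrast: any tainted byte taints everything."""
    if not any(value.taint):
        return []
    return [(m.start(), m.group(0)) for m in pattern.finditer(value.text)]


def build_query(username):
    """The 'natural' way to write the query: plain concatenation (constructed)."""
    return "SELECT * FROM users WHERE name = '" + username + "'"


def render_greeting(name):
    """Equally natural HTML generation by concatenation (constructed)."""
    return "<p>Hello, " + name + "</p>"


if __name__ == "__main__":
    for raw in ["alice", "' OR '1'='1"]:
        q = build_query(TaintedStr.untrusted(raw))
        print(q.text)
        print("  precise:", precise_violations(q, SQL_UNSAFE))
        print("  coarse: ", coarse_violations(q, SQL_UNSAFE))
    for raw in ["Bob", "<script>alert(1)</script>"]:
        page = render_greeting(TaintedStr.untrusted(raw))
        print(page.text)
        print("  precise:", precise_violations(page, HTML_UNSAFE))
```

For the benign username the query contains two quote characters and the keyword SELECT, but all of them come from the program text and are untainted, so the precise check reports nothing while the coarse check flags three items; for the injected value only the attacker's quotes and OR are reported, with their absolute offsets in the command. A real implementation has to propagate the mask through every string operation the language offers (substring, case conversion, formatting, database escaping), which is exactly the work the report describes doing inside the PHP interpreter.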


Document Details

Document Type
Technical Report
Publication Date
Dec 01, 2004
Accession Number
ADA436667

Entities

People

  • Anh Nguyen-Tuong
  • David Evans
  • Doug Greene
  • Salvatore Guarnieri

Organizations

  • University of Virginia

Tags

DTIC Thesaurus Topics

  • Code Injection
  • Command Injection
  • Computer Programming
  • Computer Science
  • Computers
  • Computing System Architectures
  • Electronic Mail
  • Hardening
  • Information Operations
  • Language
  • Prototypes
  • Scripting Languages
  • Security
  • Standards
  • Vulnerability
  • Web Applications
  • Websites

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Database Systems and Applications