TY - JOUR
T1 - Securing native XML database-driven web applications from XQuery injection vulnerabilities
AU - Palsetia, Nushafreen
AU - Deepa, G.
AU - Ahmed Khan, Furqan
AU - Thilagam, P. Santhi
AU - Pais, Alwyn R.
N1 - Funding Information:
Furqan Ahmed Khan received his M.Tech. degree in Software Engineering from Galgotias University, Greater Noida, India in 2014. He is currently working as a project scientist in an R&D project supported by the Ministry of Communications and Information Technology, Government of India at National Institute of Technology Karnataka, Surathkal, India. His research interests include Web application security and Web application architecture.
Publisher Copyright:
© 2016 Elsevier Inc.
PY - 2016/12/1
Y1 - 2016/12/1
AB - Database-driven web applications today are XML-based as they handle highly diverse information and favor integration of data with other applications. Web applications have become the most popular way to deliver essential services to customers, and the increasing dependency of individuals on web applications makes them an attractive target for adversaries. The adversaries exploit vulnerabilities in the database-driven applications to craft injection attacks which include SQL, XQuery and XPath injections. A large amount of work has been done on identification of SQL injection vulnerabilities, resulting in several tools available for the purpose. However, only limited work has been done so far on the identification of XML injection vulnerabilities, and the existing tools only identify XML injection vulnerabilities which could lead to a specific type of attack. Hence, this work proposes a black-box fuzzing approach to detect different types of XQuery injection vulnerabilities in web applications driven by native XML databases. A prototype XQueryFuzzer is developed and tested on various vulnerable applications developed with BaseX as the native XML database. An experimental evaluation demonstrates that the prototype is effective in detecting XQuery injection vulnerabilities. Three new categories of attacks specific to XQuery, but not listed in OWASP, are identified during testing.
UR - http://www.scopus.com/inward/record.url?scp=84986573073&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84986573073&partnerID=8YFLogxK
U2 - 10.1016/j.jss.2016.08.094
DO - 10.1016/j.jss.2016.08.094
M3 - Article
AN - SCOPUS:84986573073
SN - 0164-1212
VL - 122
SP - 93
EP - 109
JO - Journal of Systems and Software
JF - Journal of Systems and Software
ER -