Please use this identifier to cite or link to this item:
http://idr.nitk.ac.in/jspui/handle/123456789/10103
Title: | Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications |
Authors: | Deepa, G. Santhi Thilagam, P. Khan, F.A. Praseed, A. Pais, A.R. Palsetia, N. |
Issue Date: | 2018 |
Citation: | International Journal of Information Security, 2018, Vol.17, 1, pp.105-120 |
Abstract: | As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. The attackers craft injection attacks in database-driven applications through the user-input fields intended for interacting with the applications. Even though precautionary measures such as user-input sanitization is employed at the client side of the application, the attackers can disable the JavaScript at client side and still inject attacks through HTTP parameters. The injected parameters result in attacks due to improper server-side validation of user input. The injected parameters may either contain malicious SQL/XML commands leading to SQL/XPath/XQuery injection or be invalid input that intend to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far for identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance due to the fact that it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype XiParam is developed and tested on vulnerable applications developed with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective against detection of both XQuery injection and parameter tampering vulnerabilities. 2017, Springer-Verlag Berlin Heidelberg. |
URI: | https://idr.nitk.ac.in/jspui/handle/123456789/10103 |
Appears in Collections: | 1. Journal Articles |
Files in This Item:
There are no files associated with this item.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.