A Web Application Runtime Application Self-protection Scheme against Script Injection Attacks

Cited by: 4
Authors
Yin, Zhongxu [1]
Li, Zhufeng [2]
Cao, Yan [1]
Affiliations
[1] State Key Lab Math Engn & Adv Comp, Zhengzhou 450001, Henan, Peoples R China
[2] Zhengzhou Informat Sci & Technol Inst, Zhengzhou 450002, Henan, Peoples R China
Funding
National Natural Science Foundation of China;
Keywords
Script injection; Program analyzing; Dataflow analyzing; Runtime application self-protection;
DOI
10.1007/978-3-030-00009-7_51
Chinese Library Classification number
TP301 [Theory, Methods];
Discipline classification code
081202;
Abstract
Script injection vulnerabilities are popular vulnerabilities in dynamic web applications. Necessary conditions were analyzed for the generation and exploitation of script injection vulnerabilities to provide protection against different injection types. Combined with the analysis of the host language and the object language, the statements were located with their types in the HTML statements. Based on the control flow graph, the data dependency relation subgraph containing source points and sink points was built. A filter insertion algorithm is designed for this sub-graph to define different input data type filtering strategies. Then a solution was implemented based on data flow analysis and automatic insertion of filters before relevant sink statements.
Pages: 566 - 577
Page count: 12