Download: PDF, slides (PDF), slides (PowerPoint), Experimental data.
“Automatic creation of SQL injection and cross-site scripting
attacks”
by
Adam Kieżun,
Philip J. Guo,
Karthick Jayaraman,
and
Michael D. Ernst.
In ICSE 2009, Proceedings of the 31st International Conference on
Software Engineering, (Vancouver, BC, Canada), May 2009, pp. 199-209.
A previous version appeared as MIT
Computer Science and Artificial Intelligence Laboratory technical
report MIT-CSAIL-TR-2008-054, (Cambridge, MA), September 10, 2008.
We present a technique for finding security vulnerabilities in Web applications. SQL Injection (SQLI) and cross-site scripting (XSS) attacks are widespread forms of attack in which the attacker crafts the input to the application to access or modify user data and execute malicious code. In the most serious attacks (called second-order, or persistent, XSS), an attacker can corrupt a database so as to cause subsequent users to execute malicious code.
This paper presents an automatic technique for creating inputs that expose SQLI and XSS vulnerabilities. The technique generates sample inputs, symbolically tracks taints through execution (including through database accesses), and mutates the inputs to produce concrete exploits. Ours is the first analysis of which we are aware that precisely addresses second-order XSS attacks.
Our technique creates real attack vectors, has few false positives, incurs no runtime overhead for the deployed application, works without requiring modification of application code, and handles dynamic programming-language constructs. We implemented the technique for PHP, in a tool Ardilla. We evaluated Ardilla on five PHP applications and found 68 previously unknown vulnerabilities (23 SQLI, 33 first-order XSS, and 12 second-order XSS).
Download: PDF, slides (PDF), slides (PowerPoint), Experimental data.
BibTeX entry:
@inproceedings{KiezunGJE2009, author = {Adam Kie{\.z}un and Philip J. Guo and Karthick Jayaraman and Michael D. Ernst}, title = {Automatic creation of {SQL} injection and cross-site scripting attacks}, booktitle = {ICSE 2009, Proceedings of the 31st International Conference on Software Engineering}, pages = {199--209}, address = {Vancouver, BC, Canada}, month = may, year = {2009} }
(This webpage was created with bibtex2web.)
Back to Michael Ernst's publications.