Sciweavers

RAID
2005
Springer

Defending Against Injection Attacks Through Context-Sensitive String Evaluation

Abstract. Injection vulnerabilities pose a major threat to application-level security. Some of the more common types are SQL injection, cross-site scripting and shell injection vulnerabilities. Existing methods for defending against injection attacks, that is, attacks exploiting these vulnerabilities, rely heavily on the application developers and are therefore error-prone. In this paper we introduce CSSE, a method to detect and prevent injection attacks. CSSE works by addressing the root cause why such attacks can succeed, namely the ad-hoc serialization of user-provided input. It provides a platform-enforced separation of channels, using a combination of assignment of metadata to user-provided input, metadata-preserving string operations and context-sensitive string evaluation. CSSE requires neither application developer interaction nor application source code modifications. Since only changes to the underlying platform are needed, it effectively shifts the burden of implementing cou...
Tadeusz Pietraszek, Chris Vanden Berghe
Added 28 Jun 2010
Updated 28 Jun 2010
Type Conference
Year 2005
Where RAID
Authors Tadeusz Pietraszek, Chris Vanden Berghe