Spinner: Automated Dynamic Command Subsystem Perturbation

05/02/2021
by   Meng Wang, et al.
0

Injection attacks have been a major threat to web applications. Despite the significant effort in thwarting injection attacks, protection against injection attacks remains challenging due to the sophisticated attacks that exploit the existing protection techniques' design and implementation flaws. In this paper, we develop Spinner, a system that provides general protection against input injection attacks, including OS/shell command, SQL, and XXE injection. Instead of focusing on detecting malicious inputs, Spinner constantly randomizes underlying subsystems so that injected inputs (e.g., commands or SQL queries) that are not properly randomized will not be executed, hence prevented. We revisit the design and implementation choices of previous randomization-based techniques and develop a more robust and practical protection against various sophisticated input injection attacks. To handle complex real-world applications, we develop a bidirectional analysis that combines forward and backward static analysis techniques to identify intended commands or SQL queries to ensure the correct execution of the randomized target program. We implement Spinner for the shell command processor and two different database engines (MySQL and SQLite) and in diverse programming languages including C/C++, PHP, JavaScript and Lua. Our evaluation results on 42 real-world applications including 27 vulnerable ones show that it effectively prevents a variety of input injection attacks with low runtime overhead (around 5

READ FULL TEXT

page 7

page 9

research
06/22/2020

You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications

SQL injection (SQLi) attacks pose a significant threat to the security o...
research
08/03/2023

From Prompt Injections to SQL Injection Attacks: How Protected is Your LLM-Integrated Web Application?

Large Language Models (LLMs) have found widespread applications in vario...
research
06/12/2022

Evolutionary Multi-Task Injection Testing on Web Application Firewalls

Web application firewall (WAF) plays an integral role nowadays to protec...
research
09/29/2020

Intrusion Detection Framework for SQL Injection

In this era of internet, E-Business and e-commerce applications are usin...
research
01/09/2019

Fuzzy neural networks to create an expert system for detecting attacks by SQL Injection

Its constant technological evolution characterizes the contemporary worl...
research
02/11/2023

High Recovery with Fewer Injections: Practical Binary Volumetric Injection Attacks against Dynamic Searchable Encryption

Searchable symmetric encryption enables private queries over an encrypte...
research
05/14/2020

DjangoChecker: Applying Extended Taint Tracking and Server Side Parsing for Detection of Context-Sensitive XSS Flaws

Cross-site scripting (XSS) flaws are a class of security flaws that perm...

Please sign up or login with your details

Forgot password? Click here to reset