Web Application Attack Prevention for Tiered Internet Services

Susanta Nanda, L. Lam, T. Chiueh
Published in: 2008 The Fourth International Conference on Information Assurance and Security (2008-09-08)
DOI: 10.1109/IAS.2008.62 (https://doi.org/10.1109/IAS.2008.62)
Citations: 7

Abstract

Because most Web application attacks exploit vulnerabilities that result from a lack of input validation, a promising approach to thwarting these attacks is to apply validation checks on the tainted portions of the operands used in security-sensitive operations, where a byte is tainted if it is data/control dependent on some network packet(s). This paper presents the design, implementation and evaluation of a dynamic checking compiler called WASC, which automatically adds checks into Web applications used in three-tier Internet services to protect them from the two most common types of Web application attacks: SQL injection and script injection. In addition to including a taint analysis infrastructure for multi-process and multi-language applications, WASC features the use of SQL and HTML parsers to defeat evasion techniques that exploit interpretation differences between attack detection engines and target applications. Experiments with a fully operational WASC prototype show that it can indeed stop all SQL/script injection attacks that we have tested. Moreover, the end-to-end latency penalty associated with the checks inserted by WASC is less than 30% for the test Web applications used in our performance study.