Wang Yi, Li Zhoujun, Guo Tao. Literal Tainting Method for Preventing Code Injection Attack in Web Application[J]. Journal of Computer Research and Development, 2012, 49(11): 2414-2423.

Literal Tainting Method for Preventing Code Injection Attack in Web Application

More Information
  • Published Date: November 14, 2012
  • Nearly every Web application faces the threat of code injection such as XSS (cross-site scripting) and SQL injection. This flaw occurs when a Web application takes data originating from a user without validating or encoding the content, so that malicious input runs as part of a database query or as a script in the response Web page, which causes destruction of data integrity or leakage of user privacy. In order to counteract this trend, we present a literal tainting method for Web applications and argue that it is an efficient and easy-to-deploy solution for preventing such attacks. This approach involves hardening the server-side script with a customizable security filtering policy for full prevention of code injection attacks. Although instrumentation of the Web application is needed, we show that the process is fully automated and sound, so that the approach is practical even for large Web applications. After preliminary experiments on several real-world PHP applications with the prototype tool PHPHard, which implements these techniques, we find that the literal tainting method can prevent XSS successfully by removing the injected malicious script code. In comparison with traditional taint propagation methods, it shows many advantages in both precision and effectiveness while causing only fairly acceptable overhead.
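The literal tainting idea summarised in the abstract, as an added Python illustration rather than the paper's own PHPHard code: string literals taken from the program source are trusted, request data is tainted, taint survives concatenation, and a customizable policy filters only the tainted fragments when they reach the HTML output sink. The `TStr` type, the `greeting_page` handler and the two policies are assumptions of this example.

```python
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TStr:
    """A string built from fragments, each marked trusted (literal) or tainted."""
    parts: tuple = ()  # tuple of (text, tainted) pairs

    def __add__(self, other):
        # Concatenation keeps every fragment's own taint mark.
        return TStr(self.parts + as_tstr(other).parts)

    def __radd__(self, other):
        return as_tstr(other) + self


def literal(text):
    """Mark a string literal that appears in the program source as trusted."""
    return TStr(((text, False),))


def user_input(text):
    """Mark a string that originated from the request as tainted."""
    return TStr(((text, True),))


def as_tstr(value):
    # Conservative default: a plain str never marked as a literal is tainted.
    return value if isinstance(value, TStr) else user_input(str(value))


# Customizable filtering policies for the HTML output sink (assumed names).
# Each maps a tainted fragment to what may be emitted; literals pass through.
POLICIES = {
    # HTML-encode so the fragment can never be parsed as markup (safe default).
    "encode": lambda s: html.escape(s, quote=True),
    # Drop element tags, so injected <script> markup is removed from the page.
    "strip_tags": lambda s: re.sub(r"<[^>]*>", "", s),
}


def html_sink(value, policy="encode"):
    """Emit a page fragment, applying the policy only to tainted fragments."""
    filt = POLICIES[policy]
    return "".join(filt(t) if tainted else t for t, tainted in as_tstr(value).parts)


def greeting_page(name, policy="encode"):
    """Hypothetical handler: literal template wrapped around one request parameter."""
    page = literal("<p>Hello, ") + user_input(name) + literal("</p>")
    return html_sink(page, policy)
```

With a constructed input such as `<script>alert(1)</script>`, the encode policy emits it as inert text while the strip_tags policy removes the tags entirely, and a literal containing markup is never touched by either policy.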