Protecting Database Centric Web Services against
SQL/XPath Injection Attacks
Nuno Laranjeiro, Marco Vieira, and Henrique Madeira
CISUC, Department of Informatics Engineering
University of Coimbra, Portugal
{cnl, mvieira, henrique}@dei.uc.pt
Internal Report, 2009
Abstract. Web services represent a powerful interface for backend database systems and are increasingly being used in business-critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non-vulnerable web services is still a difficult task. In fact, security-related concerns are hard to apply as they involve adding complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks, by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC-App benchmark and proved to be 100% effective in stopping attacks, non-intrusive and very easy to use.
Keywords: Web services, vulnerabilities, security attacks, SQL Injection,
XPath Injection, code instrumentation.
1 Introduction
Web services are now widely used to support many businesses, linking suppliers and clients in sectors such as banking and financial services, transportation, or automotive manufacturing, among others. Web services are self-describing components that can be used by other software across the web in a platform-independent manner, and are supported by standard protocols such as SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language) and UDDI (Universal Description, Discovery, and Integration) [6].

In a service-based environment, providers offer a set of services that frequently access a backend database and can be discovered and used by service consumers. The web service technology provides a clear service interface for consumers, and this is frequently used to enable the aggregation of services in compositions. These compositions, frequently designated as business processes, are essentially a collection of services working together towards an objective [8]. The composition workflow (i.e., the sequencing and coordination of calls to component services) obviously introduces a degree of dependency between services, where a security failure in a component may compromise the whole composition.
A recent McKinsey report indicates web services and SOA as one of the most important trends in modern software development [20]. However, the wide use and exposure of web services means that any existing security vulnerability will most probably be uncovered and exploited by attackers. In fact, command injection attacks (e.g., SQL or XPath injection) are frequent types of attacks in the web environment [24]. These attacks take advantage of improperly coded applications to change the queries sent to a database, enabling, for instance, access to critical data. Vulnerabilities allowing SQL Injection and XPath Injection attacks are particularly relevant in web services [30], as their exposure is high and they frequently use a data persistence solution [29] based either on a traditional relational database or on an XML database. Currently, major database vendors and several open-source efforts provide XML databases (e.g., Oracle XML DB, SQL Server 2008, Apache Xindice, etc.), and access to this type of database typically uses XPath expressions. While the goal of XPath Injection is to maliciously exploit any existing vulnerabilities in the XPath expressions used by an application (for instance to access an XML database), SQL Injection tries to change the SQL statements in a similar manner [24].
Different techniques for the identification of security vulnerabilities have been proposed in the past [24], namely:
– Static vulnerability scanning: consists in analyzing the source code of the application looking for potential vulnerabilities. It is a “white-box” approach that can be done manually or by using automated code analysis.
– Penetration testing: a widely used technique that tries to disclose security vulnerabilities in web applications (including web services). The testing tool stresses the application from the point of view of the attacker (“black-box” approach) and tries to penetrate it by issuing a large number of interactions.
Although web services are increasingly being used in complex business-critical systems, current development support tools do not provide practical ways to protect applications against security attacks. In this paper, we present a phased approach that is able to: 1) learn the profile of regular client requests by transforming the data access statements they produce into invariant statements; 2) protect web service applications from SQL/XPath injection attacks by matching the statements generated by incoming requests against the set of valid invariant statements previously learned. Note that this work focuses on source code vulnerabilities and not on specific security mechanisms, such as authentication and data encryption. In summary, our approach consists of the following major phases:
– Service assessment: an optional phase that characterizes the web service code in terms of security vulnerabilities. Penetration testing and static code analysis are used to identify existing security vulnerabilities (e.g., web service code prone to SQL/XPath Injection);
– Statement learning: consists of learning the profile of valid, non-malicious data access statements. We provide an automatable workload generation approach to create a set of invocations able to exercise the web service code, reaching as many data access statements as possible and thereby enriching the set of invariant statements learned by our framework;
– Service protection: the generation of a protective service wrapper that uses the outcome of the learning phase (a set of valid statements) to prevent the success of SQL/XPath injection attacks. All incoming requests are hashed
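Worked example of the injection problem described in the introduction and of the learning and protection phases listed above, added here as an illustration in Python; it is not code from the report or from the authors' tool. The report's exact rule for turning a statement into its invariant form, and its wrapper implementation, are not on this page, so two assumptions stand in for them: the invariant is obtained by replacing every string and numeric literal with a placeholder and normalising whitespace and case, and the wrapper is a plain function decorator. The two statement builders (sql_login, xpath_login), the benign workload and the attack payloads are constructed for the example.

```python
import hashlib
import re

# Assumption: the report's canonicalisation is not on this page. Here an
# "invariant statement" is the statement with every string and numeric
# literal replaced by '?' and with whitespace and case normalised, so two
# statements that differ only in user-supplied values share one invariant.
_LITERAL_RE = re.compile(
    r"'(?:[^']|'')*'"            # single-quoted string; '' is an escaped quote
    r'|"[^"]*"'                  # double-quoted string (legal in XPath)
    r"|\b\d+(?:\.\d+)?\b"        # integer or decimal literal
)


def invariant(statement):
    """Canonical form of a SQL or XPath statement with literals masked."""
    no_literals = _LITERAL_RE.sub("?", statement)
    return re.sub(r"\s+", " ", no_literals).strip().lower()


def fingerprint(statement):
    """Hash of the invariant form (assumption: this is what the learned profile stores)."""
    return hashlib.sha256(invariant(statement).encode("utf-8")).hexdigest()


class InjectionBlocked(Exception):
    """Raised by the wrapper when a statement does not match the learned profile."""


class StatementGuard:
    """Learning phase: record fingerprints of statements produced by a benign
    workload. Protection phase: admit only statements whose fingerprint was
    learned; anything else is treated as an injection attempt and aborted."""

    def __init__(self):
        self.profile = set()      # learned fingerprints
        self.learning = True      # flip to False to enter the protection phase

    def wrap(self, build_statement):
        """Wrap a statement-building function (hypothetical stand-in for the
        report's service wrapper). The wrapped function runs before the
        statement would reach the database."""
        def wrapped(*args):
            stmt = build_statement(*args)
            fp = fingerprint(stmt)
            if self.learning:
                self.profile.add(fp)
            elif fp not in self.profile:
                raise InjectionBlocked(stmt)
            return stmt           # in a real service: hand stmt to the database
        return wrapped


# Two data-access operations written the vulnerable way (string concatenation),
# one SQL and one XPath. Both are hypothetical, not TPC-App code.
def sql_login(user, password):
    return f"SELECT id FROM users WHERE name = '{user}' AND password = '{password}'"


def xpath_login(user, password):
    return f"//users/user[name='{user}' and password='{password}']/id"


def run_demo():
    """Learn from a constructed benign workload, then classify requests."""
    guard = StatementGuard()
    sql = guard.wrap(sql_login)
    xpath = guard.wrap(xpath_login)

    for user, pwd in [("alice", "s3cret"), ("bob", "hunter2")]:   # constructed workload
        sql(user, pwd)
        xpath(user, pwd)
    guard.learning = False

    def outcome(fn, *args):
        try:
            fn(*args)
            return "allowed"
        except InjectionBlocked:
            return "blocked"

    return {
        "learned_profiles": len(guard.profile),
        # values never seen during learning, but the same statement structure
        "benign_new_user_sql": outcome(sql, "carol", "pa55word"),
        "benign_new_user_xpath": outcome(xpath, "carol", "pa55word"),
        # tautology and comment payloads change the statement structure
        "sql_tautology": outcome(sql, "alice", "' OR '1'='1"),
        "sql_comment": outcome(sql, "alice' --", "anything"),
        "xpath_tautology": outcome(xpath, "alice", "' or '1'='1"),
        # caveat: a statement the learning workload never exercised is rejected too
        "unlearned_statement": outcome(
            guard.wrap(lambda uid: f"SELECT * FROM orders WHERE user_id = {uid}"), 7),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The payloads are caught not because any signature matches them but because they add operators (`OR`, `--`, a second predicate) that the learned invariant does not contain, while a login for a user unseen during learning still maps to the learned invariant and passes. The last entry shows the failure mode a practitioner must plan for: a legitimate statement that the learning workload never reached is also aborted, which is why the learning phase above stresses exercising as many data access statements as possible.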
domains. As expected, no problem was identified, providing a strong indicator that our framework did not change the application’s normal behavior.
Additionally, we executed a final test to assess the performance impact of the security mechanism. As we expected small values for the security overhead, we took the worst-case scenario found in the TPC-App services and executed 100,000 invocations of it. The security mechanism took on average 0.052 ms (± 0.029 ms) to execute, less than 0.3% of the total time of the fastest executing service. To obtain such low measurements we used a Java timer that provides nanosecond precision (but does not guarantee nanosecond accuracy).
In summary, our learning mechanism was able to stop all security attacks with negligible overhead. This is a very significant result, as besides effectively securing the target application, it required absolutely no extra effort from the developers that implemented the original services.
5 Conclusion
Previous works on web application security have shown that SQL/XPath Injection attacks are extremely relevant in web service applications. This paper presents an approach for improving web services security. The proposed approach consists of learning the profile of valid data access statements (SQL and XPath) and using this profile to later prevent the execution of malicious client requests. The approach was illustrated using two different TPC-App implementations. Various security issues were disclosed and corrected without additional development effort. In fact, while introducing an extremely low performance overhead, our approach proved to be 100% effective, as it was able to abort all attacks attempted in our experiments.
During the whole experimental process, no extra complexity was added to the source code. In fact, as source code is not needed, the mechanism can also be used to easily protect legacy services, which would otherwise require a procedure that is difficult to implement and hard to maintain. These facts make it an extremely useful tool for developers and service administrators.
References
1. Acunetix Web Vulnerability Scanner, http://www.acunetix.com/vulnerabilityscanner/
2. Atlassian Clover Code Coverage Analysis, http://www.atlassian.com/software/clover/
3. Bravenboer, M., Dolstra, E., Visser, E.: Preventing injection attacks with syntax embeddings. Proceedings of the 6th International Conference on Generative Programming and Component Engineering, Salzburg, Austria, ACM, pp. 3–12 (2007)
4. Burp Suite, http://portswigger.net/suite/
5. Cobertura, http://cobertura.sourceforge.net/
6. Curbera, F. et al.: Unraveling the Web services web: an introduction to SOAP, WSDL, and UDDI. IEEE Internet Computing, vol. 6, pp. 86–93 (2002)
7. Databene Benerator, http://databene.org/databenebenerator15
8. Erl, T.: Service-Oriented Architecture: Concepts, Technology, and Design. Prentice Hall Professional Technical Reference (2005)
9. Fagan, M.: Design and code inspections to reduce errors in program development. Software Pioneers: Contributions to Software Engineering, Springer-Verlag, pp. 575–607 (2002)
10. Fortify, http://www.fortifysoftware.com/
11. Gamja, http://lastlog.com/p4ssion/
12. Halfond, W., Orso, A.: Preventing SQL injection attacks using AMNESIA. 28th International Conference on Software Engineering, Shanghai, China, ACM, pp. 795–798 (2006)
13. Hovemeyer, D., Pugh, W.: Finding bugs is easy. ACM SIGPLAN Notices, vol. 39, pp. 92–106 (2004)
14. HP WebInspect, http://www.hp.com
15. IBM Rational AppScan, http://www-01.ibm.com/software/awdtools/appscan/
16. Kiczales, G. et al.: Aspect-Oriented Programming. 11th European Conference on Object-Oriented Programming (1997)
17. Laranjeiro, N., Vieira, M., Madeira, H.: EDEL and Security Improvement for Web Services. http://eden.dei.uc.pt/~cnl/papers/edelsecuritytool.zip (2009)
18. Laranjeiro, N., Vieira, M.: Improving Web Services Robustness. Technical Report, http://eden.dei.uc.pt/~cnl/papers/2009icwsrobustnesssubmitted.pdf (2009)
19. Livshits, V., Lam, M.: Finding security vulnerabilities in Java applications with static analysis. Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, USENIX Association, pp. 18–18 (2005)
20. McKinsey & Company: Enterprise Software Customer Survey (2008)
21. Ounce, http://www.ouncelabs.com/
22. Pixy, http://pixybox.seclab.tuwien.ac.at/pixy/
23. Red Hat Middleware: JBoss Application Server, http://www.jboss.org/jbossas/
24. Stuttard, D., Pinto, M.: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. Wiley, ISBN-10: 0470170778 (2007)
25. Sun Microsystems Inc.: JAX-WS Reference Implementation, https://jaxws.dev.java.net/
26. The Eclipse Foundation: The AspectJ Project, http://www.eclipse.org/aspectj/ (2008)
27. Thomas, S., Williams, L., Xie, T.: On automated prepared statement generation to remove SQL injection vulnerabilities. Information and Software Technology, vol. 51, pp. 589–598 (2009)
28. Thomas, S., Williams, L.: Using Automated Fix Generation to Secure SQL Statements. Third International Workshop on Software Engineering for Secure Systems (2007)
29. Transaction Processing Performance Council: TPC Benchmark App (Application Server) Standard Specification, Version 1.1, http://www.tpc.org/tpc_app/ (2005)
30. Vieira, M., Antunes, N., Madeira, H.: Using Web Security Scanners to Detect Vulnerabilities in Web Services. International Conference on Dependable Systems and Networks, Estoril, Lisbon (2009)
31. W3C: XML Schema, http://www.w3.org/XML/Schema (2008)
32. W3C: XQuery 1.0 and XPath 2.0 Functions and Operators, http://www.w3.org/TR/xquery-operators/ (2008)