Title: CIVD: detection of command injection vulnerabilities in web services through aspect-oriented programming

Authors: V. Shanmughaneethi; Ra. Yagna Praveen; S. Swamynathan

Addresses: Department of Information Science & Technology, College of Engineering Guindy, Anna University, Chennai, Tamil Nadu, India (all three authors)

Abstract: Most internet applications provide their facilities through web services. Because of this wide usage, web services are exposed to severe vulnerabilities that attackers can uncover and exploit. Among these vulnerabilities, command injection is the most frequent type of attack, taking advantage of improperly designed applications. These attacks inject and execute commands specified by the attacker, allowing unauthorised access to the database schema and to critical data stored in the data logic. In this paper, a new approach is proposed to effectively detect command injection vulnerabilities such as SQL injection attacks, by validating the dynamically generated query before it is executed on the database server. The approach uses the Aspect Oriented Programming (AOP) technique, which separates cross-cutting concerns such as security from the application logic. The approach is effective because it validates the query against an XML schema instead of using existing validation methods.
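To make the abstract's idea concrete, the following added example (not code from the paper or its authors) sketches the detection flow in Python: a decorator plays the role of the AOP advice that intercepts a function generating a SQL query, the expected query structure is loaded from a constructed XML schema, and the generated query is parsed into statement, table and predicate list and compared with the schema. The stacked-statement and tautology checks correspond to the piggyback and tautology attack classes named in the keywords. The schema format, the mini-parser (which only understands `SELECT ... FROM t WHERE a = b AND ...`) and all function names are assumptions for illustration; a real deployment would use a full SQL parser and, in application code, parameterised queries.

```python
import re
import xml.etree.ElementTree as ET
from functools import wraps

# Constructed XML schema (stand-in for the paper's XML schema): for each named
# query, the expected statement type, table and the columns of its predicates.
QUERY_SCHEMA_XML = """
<queries>
  <query name="login" statement="SELECT" table="users">
    <predicate column="username"/>
    <predicate column="password"/>
  </query>
</queries>
"""

class InjectionDetected(Exception):
    """Raised by the aspect when a generated query deviates from its schema."""

def load_schema(xml_text):
    schema = {}
    for q in ET.fromstring(xml_text).findall("query"):
        schema[q.get("name")] = {
            "statement": q.get("statement").upper(),
            "table": q.get("table").lower(),
            "columns": [p.get("column").lower() for p in q.findall("predicate")],
        }
    return schema

# String literals are single tokens, so quotes inside user data cannot break
# the structural checks; everything else splits on SQL punctuation.
_TOKEN = re.compile(r"'(?:[^']|'')*'|--|/\*|;|\(|\)|<>|!=|[<>=]|\w+|\S")

def is_literal(tok):
    return tok.startswith("'") or tok.isdigit()

def parse_query(sql):
    """Return (statement, table, [(lhs, op, rhs), ...]) or raise InjectionDetected."""
    toks = _TOKEN.findall(sql)
    if toks and toks[-1] == ";":
        toks = toks[:-1]                       # a single trailing ';' is harmless
    if ";" in toks:
        raise InjectionDetected("stacked statement (piggyback)")
    if "--" in toks or "/*" in toks:
        raise InjectionDetected("comment sequence inside query")
    upper = [t.upper() for t in toks]
    if not upper or upper[0] != "SELECT" or "FROM" not in upper:
        raise InjectionDetected("unexpected statement type")
    i = upper.index("FROM")
    if i + 1 >= len(toks):
        raise InjectionDetected("missing table")
    table, rest, preds = toks[i + 1].lower(), toks[i + 2:], []
    if rest:
        if rest[0].upper() != "WHERE":
            raise InjectionDetected("unexpected clause after table")
        rest, pos = rest[1:], 0
        while True:                            # predicates: lhs op rhs {AND|OR} ...
            chunk = rest[pos:pos + 3]
            if len(chunk) != 3 or chunk[1] not in ("=", "<>", "!=", "<", ">"):
                raise InjectionDetected("malformed predicate")
            preds.append(tuple(chunk))
            pos += 3
            if pos == len(rest):
                break
            if rest[pos].upper() not in ("AND", "OR"):
                raise InjectionDetected("malformed predicate list")
            pos += 1
    return "SELECT", table, preds

def validate(sql, expected):
    statement, table, preds = parse_query(sql)
    for lhs, op, rhs in preds:                 # '1'='1', 1=1, col=col ...
        if op == "=" and lhs == rhs:
            raise InjectionDetected("tautology in WHERE clause")
    if statement != expected["statement"] or table != expected["table"]:
        raise InjectionDetected("statement or table differ from schema")
    if len(preds) != len(expected["columns"]):
        raise InjectionDetected("predicate count differs from schema")
    for (lhs, _op, rhs), column in zip(preds, expected["columns"]):
        if lhs.lower() != column or not is_literal(rhs):
            raise InjectionDetected("predicate shape differs from schema")

SCHEMA = load_schema(QUERY_SCHEMA_XML)

def query_validation_aspect(name):
    """Cross-cutting advice: validate the query a builder returns before the
    caller can hand it to the database driver."""
    def decorator(build):
        @wraps(build)
        def advised(*args, **kwargs):
            sql = build(*args, **kwargs)
            validate(sql, SCHEMA[name])
            return sql
        return advised
    return decorator

@query_validation_aspect("login")
def build_login_query(username, password):
    # Concatenation is the vulnerable pattern the aspect guards (constructed app code).
    return f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"

def classify(sql, name):
    """Reason string for a rejected query, or 'ok' when it matches its schema."""
    try:
        validate(sql, SCHEMA[name])
        return "ok"
    except InjectionDetected as exc:
        return str(exc)

def aspect_blocks(username, password):
    """True when the aspect rejects the login query built from these inputs."""
    try:
        build_login_query(username, password)
        return False
    except InjectionDetected:
        return True
```

The decorator is the Python analogue of AOP advice around a "generate query" join point: the application's query builders stay unchanged, and the validation concern lives entirely in the aspect, which is the separation the abstract describes.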

Keywords: SQL injection attacks; web application security; XML schema; web services; tautology; piggyback; parse tree; aspect oriented programming; command injection attacks; command injection vulnerabilities.

DOI: 10.1504/IJCAT.2012.050119

International Journal of Computer Applications in Technology, 2012 Vol.44 No.4, pp.312 - 320

Published online: 29 Oct 2012
