Tutorial T6 – Web Injection Attacks

Dr. V. N. Venkatakrishnan, University of Illinois at Chicago

Tuesday, December 9th, Half Day

In September 2007, MITRE Corp., a corporation that runs three federally funded research and development centers, reported that Cross-Site Scripting and SQL Injection Attacks (SQLIA) were the two most common forms of web injection attacks in 2006. MITRE Corp. came to this conclusion after studying a list of more than 20,000 Common Vulnerabilities and Exposures (CVE) entries for that year. This tutorial focuses on web injection attacks and their defenses, concentrating on Cross-Site Scripting (XSS) and SQL injection attacks while briefly discussing other forms of injection attacks.

Our discussion of web injection attack defense will include both vulnerability identification approaches and attack prevention approaches. The former category consists of techniques that identify vulnerable locations in a web application that may lead to injection attacks. The latter category includes prevention mechanisms placed around a (possibly vulnerable) deployed application to stop attacks at runtime. Specific techniques covered will include static and dynamic analysis for vulnerability identification and taint-based runtime defenses for attack prevention.
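As an added illustration of the taint-based runtime defense idea mentioned above (example code written for this page, not from the tutorial or the instructor's systems): each character of a string carries a taint bit marking whether it came from untrusted input, concatenation propagates the bits, and a check at the SQL sink rejects any query in which tainted characters form part of the query's structure rather than a literal value. The tokenizer and policy are deliberately simplified assumptions, not a production SQL parser.

```python
import re
from dataclasses import dataclass


@dataclass
class Tainted:
    """A string with one taint bit per character (True = from untrusted input)."""
    text: str
    taint: list[bool]

    @staticmethod
    def trusted(s: str) -> "Tainted":
        return Tainted(s, [False] * len(s))

    @staticmethod
    def untrusted(s: str) -> "Tainted":
        return Tainted(s, [True] * len(s))

    def __add__(self, other: "Tainted") -> "Tainted":
        # Concatenation propagates taint character by character.
        return Tainted(self.text + other.text, self.taint + other.taint)


def escape_quotes(t: Tainted) -> Tainted:
    """Application-side escaping: double each quote; the added quote is trusted."""
    out = Tainted.trusted("")
    for ch, tainted in zip(t.text, t.taint):
        out = out + Tainted(ch, [tainted])
        if ch == "'":
            out = out + Tainted.trusted("'")
    return out


# Crude SQL tokenizer (assumption): string literal, number, word, or one punctuation char.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\S")


def sql_sink_allows(q: Tainted) -> bool:
    """Sink policy: tainted characters may only be the contents of a string literal
    or a complete numeric literal, never keywords, identifiers, operators, or the
    quotes that delimit a literal."""
    for m in TOKEN.finditer(q.text):
        tok, taints = m.group(), q.taint[m.start():m.end()]
        if not any(taints):
            continue                        # fully trusted token
        if tok.startswith("'"):
            if taints[0] or taints[-1]:     # untrusted quote changed the literal's extent
                return False
            continue                        # untrusted data confined inside the literal
        if tok.isdigit() and all(taints):
            continue                        # a whole number supplied as data
        return False                        # untrusted keyword, identifier or operator
    return True


def build_query(name: Tainted, escape: bool) -> Tainted:
    value = escape_quotes(name) if escape else name
    return Tainted.trusted("SELECT * FROM users WHERE name='") + value + Tainted.trusted("'")
```

Run `sql_sink_allows(build_query(Tainted.untrusted("' OR '1'='1"), escape=False))` to see the classic injection rejected, and the same input with `escape=True` accepted because the untrusted quotes no longer delimit the literal.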

This tutorial is designed as an introductory survey of research on web injection attacks. It is targeted towards researchers, students, and practitioners wishing to develop solutions that build on the current state-of-art research in this area.

Outline

  1. Introduction
  2. Vulnerability identification mechanisms
  3. Attack Detection Mechanisms
  4. More advanced attacks
  5. Q & A

Prerequisites

A basic background in computer security is required.

About the Instructor

Dr. V. N. Venkatakrishnan is an Assistant Professor of Computer Science at the University of Illinois at Chicago. He is currently co-director of the Center for Research and Instruction in Technologies for Electronic Security (RITES) at UIC. His main research interests are web security, mobile code security, and techniques for enforcing confidentiality and integrity policies in applications. He received his Ph.D. degree from Stony Brook University in 2004. He has won numerous awards, including the best paper award at ACSAC 2003.