Ezequiel D. Gutesman & Ariel Waissbein: A dynamic technique for enhancing the security and privacy of web applications




Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Summary: Several protection techniques based on run-time taint analysis have been proposed within the last 3 years. Some of them provide fully automated protection for existing web applications, others require human interaction, and yet others require source code modification and/or special tuning. We briefly discuss the advantages and disadvantages of these approaches. Next, we introduce a new technique that makes it possible to efficiently identify and block several attack vectors on the fly by augmenting the web application's execution environment to include tracking information. Most web-scripting languages, including PHP, ASP, Python, Perl and Java, can be protected with this technique. Typical exploitation methods such as database-injection attacks, shell-injection attacks, cross-site scripting attacks and directory-traversal attacks are prevented. More generally, this solution to the injection vulnerability problem for web applications is based on a characterization of the injection attack family, which we implemented. The execution environment includes instrumentation information that allows identification of syntactic alteration of a sentence across language boundaries. This characterization furthermore allows us to enforce privacy: it protects against untrusted users who try to obtain private data stored within the web application's network, thus deterring the theft of sensitive data, such as credit card information, and averting information leakage.