DOI: 10.1145/3460120.3484577 | ACM CCS Conference Proceedings | Research article | Open access

Spinner: Automated Dynamic Command Subsystem Perturbation

Published: 13 November 2021

Abstract

Injection attacks have been a major threat to web applications. Despite significant effort in thwarting them, protection against injection attacks remains challenging because sophisticated attacks exploit design and implementation flaws in the existing protection techniques. In this paper, we develop Spinner, a system that provides general protection against input injection attacks, including OS/shell command, SQL, and XXE injection. Instead of focusing on detecting malicious inputs, Spinner constantly randomizes the underlying subsystems so that injected inputs (e.g., commands or SQL queries) that are not properly randomized will not be executed, and are hence prevented. We revisit the design and implementation choices of previous randomization-based techniques and develop a more robust and practical protection against various sophisticated input injection attacks. To handle complex real-world applications, we develop a bidirectional analysis that combines forward and backward static analysis techniques to identify intended commands or SQL queries, ensuring the correct execution of the randomized target program. We implement Spinner for the shell command processor and two different database engines (MySQL and SQLite) and in diverse programming languages including C/C++, PHP, JavaScript and Lua. Our evaluation results on 42 real-world applications, including 27 vulnerable ones, show that it effectively prevents a variety of input injection attacks with low runtime overhead (around 5%).
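The protection principle the abstract describes (randomize the subsystem's vocabulary so that anything injected at runtime is not in the randomized dialect and is refused) can be made concrete with a toy SQL keyword-randomization gate. The following is an added example written for this page; it is not code from the paper or from the Spinner project. The tokenizer, the `RandomizedSqlGate` class, the `InjectionBlocked` exception, the fixed `deadbeef` tag and the sample `users` query are all constructed for illustration. Spinner itself identifies the intended queries with a bidirectional static analysis and covers the shell, MySQL and SQLite; none of that machinery is modeled here, the developer's query template is simply randomized directly.

```python
import re
import secrets

# Added example, not the paper's code. SQL keywords that the application itself
# intends to run are suffixed with a random tag; a query reaching the engine
# with a bare (untagged) keyword must have been assembled from untrusted input,
# so the gate refuses it instead of trying to recognise "malicious" input.

SQL_KEYWORDS = frozenset({
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT", "INTO",
    "VALUES", "UPDATE", "SET", "DELETE", "DROP", "TABLE", "ORDER", "BY", "LIMIT",
})

# Minimal lexer: single-quoted string literals (with '' escapes), "--" line
# comments, words, and any other single non-space character. Whitespace is
# left untouched by re.sub, so the query text round-trips exactly.
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|[A-Za-z_][A-Za-z0-9_]*|\S")


class InjectionBlocked(Exception):
    """Raised when a keyword without the current random tag is found."""


class RandomizedSqlGate:
    """Holds the current random tag; rotate() re-randomizes the dialect."""

    def __init__(self, tag=None):
        # A fixed tag is only for reproducible demos; production use draws a fresh one.
        self.tag = tag if tag is not None else secrets.token_hex(4)

    def rotate(self):
        # After rotation, templates must be re-randomized. A stale tag no longer
        # matches, so a stale keyword reaches the engine as an unknown word and
        # fails to parse rather than executing.
        self.tag = secrets.token_hex(4)

    @staticmethod
    def _is_word(tok):
        return tok[0].isalpha() or tok[0] == "_"

    @staticmethod
    def _is_keyword(word):
        return word.upper() in SQL_KEYWORDS

    def randomize_template(self, template):
        """Tag every keyword in a developer-written query template.
        (In Spinner this step is driven by static analysis of intended queries.)"""
        def tag_token(m):
            tok = m.group(0)
            if self._is_word(tok) and self._is_keyword(tok):
                return f"{tok}_{self.tag}"
            return tok          # identifiers, literals, comments, punctuation
        return _TOKEN.sub(tag_token, template)

    def check_and_derandomize(self, query):
        """Verify every keyword carries the current tag, strip the tags, and
        return the plain query for the engine; raise InjectionBlocked otherwise."""
        suffix = "_" + self.tag

        def untag_token(m):
            tok = m.group(0)
            if not self._is_word(tok):
                return tok      # string literal, comment or punctuation: never a keyword
            if tok.endswith(suffix) and self._is_keyword(tok[:-len(suffix)]):
                return tok[:-len(suffix)]
            if self._is_keyword(tok):
                raise InjectionBlocked(f"unrandomized keyword {tok!r} in query")
            return tok
        return _TOKEN.sub(untag_token, query)


def build_user_lookup(gate, user_input):
    """Constructed developer-side code: randomized template + raw user input
    (the string-concatenation pattern that makes injection possible)."""
    template = gate.randomize_template("SELECT name FROM users WHERE name = '")
    return template + user_input + "'"


def run_demo():
    gate = RandomizedSqlGate(tag="deadbeef")      # fixed for reproducibility
    benign = gate.check_and_derandomize(build_user_lookup(gate, "alice"))
    # A keyword inside a string literal is data, not a keyword: no false positive.
    literal = gate.check_and_derandomize(build_user_lookup(gate, "select me"))
    try:
        gate.check_and_derandomize(build_user_lookup(gate, "x' OR 1=1 --"))
        blocked = False
    except InjectionBlocked:
        blocked = True                            # bare OR closed the literal: refused
    return benign, literal, blocked


if __name__ == "__main__":
    print(run_demo())
```

The design point worth noticing is that the gate's lexer must understand the subsystem's quoting rules: the injected `OR` is only visible as a keyword because the attacker's quote closes the literal, and the same lexer lets a benign literal containing `select` pass unchanged. Rotating the tag (the "constant perturbation" in the abstract) costs nothing at the gate, but every intended template has to be re-randomized with the new tag, which is exactly why Spinner needs an analysis that finds all of them.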


    Published In

    CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
    November 2021
    3558 pages
    ISBN: 9781450384544
    DOI: 10.1145/3460120

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. command/SQL injection
    2. input randomization
    3. perturbation

    Qualifiers

    • Research-article

    Funding Sources

    • NSF

    Conference

    CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
    November 15 - 19, 2021
    Virtual Event, Republic of Korea

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%