Finding Security Vulnerabilities in Web Applications with Taint Analysis

Security vulnerabilities in Web applications such as SQL injection, cross-site scripting, and HTTP splitting attacks often stem from unchecked input, or from vulnerabilities residing in Java libraries. In the past, studies focused on guarding against problems caused by the unsafe nature of C, such as buffer overruns and format string vulnerabilities. Nowadays, however, Java has emerged as the language of choice for building large Web applications. It is more secure, as it does not allow direct memory access and eliminates the buffer overrun problem. In spite of Java's secure nature, a simple programming mistake can leave a Web application vulnerable to unauthorized data access and to application crashes leading to DDOS attacks, which are very difficult to handle. Code reviews are often used to find vulnerabilities before running an application, but they are time consuming. Static analysis can instead be performed to check the untrustworthiness of input. Eclipse supports SOOT, which is used to perform taint checking on Java bytecode: the Jimple (three-address code) representation of a Java program is analysed statically using the SOOT plugin for Eclipse. In taint analysis, input is considered tainted. Our aim is to find the propagation of taint, i.e. all variables that are affected by the source variables, and finally to check whether vulnerable functions, which we refer to as 'sinks', are influenced. Injecting malicious data is possible through parameter tampering, URL tampering, hidden field manipulation, HTTP header manipulation, and cookie poisoning. Once malicious data has been injected, it can be exploited through cross-site scripting vulnerabilities, HTTP response splitting and shell script injection.

SQL Injection Example:

HttpServletRequest request = …;
Statement s = …;
String client = request.getParameter("client");   // source: untrusted request parameter
StringBuffer s1 = …;
s1.append("SELECT * FROM Users WHERE name =");
s1.append(client);                                 // taint propagates into s1
String query = s1.toString();                      // and from s1 into query
s.executeQuery(query);                             // sink: tainted SQL text is executed

SQL injection is one of the vulnerabilities that can be expressed as a tainted object propagation problem. An object is tainted if it is obtained by applying the derived relation to a source object zero or more times. In our example, if a tainted object, i.e. the return value of HttpServletRequest.getParameter(), is passed as the parameter to Statement.executeQuery(String p) (the sink), then there is a security vulnerability. Writing Datalog queries directly gives the user complete control, but it also exposes the program's internal representation, so it is considered less practical. Instead, we use PQL, a program query language. PQL serves as syntactic sugar for Datalog queries, allowing users to express vulnerability patterns in a familiar Java-like syntax; tainted object propagation queries can then be easily translated from PQL into Datalog.
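As an added example that is not part of the original text and is not SOOT's or PQL's code, the following Python script models the tainted object propagation query described above (source, derived relation applied zero or more times, sink) over a hand-written, Jimple-like three-address encoding of the SQL injection example. The source, sink and propagator method sets, the Stmt encoding, and the treatment of PreparedStatement.setString as non-propagating are assumptions chosen for illustration. The tainted set is computed as the fixpoint of the two Datalog rules given in the comment, and a PreparedStatement rewrite of the same snippet is included to show that the constant query text never becomes tainted, so no sink is flagged for it.

```python
"""Tainted-object propagation over a Jimple-like three-address program.

Added example, not the paper's code and not the SOOT/PQL API: the source,
sink and propagator method sets and the Stmt encoding are assumptions
chosen to illustrate the query described in the text.
"""
from collections import namedtuple

# dst = callee(args). callee None is a plain copy (dst = args[0]).
# args[0] is always the receiver. A mutating call such as StringBuffer.append
# lists the receiver both as dst and as args[0], so after the call the
# receiver is "derived" from the appended argument.
Stmt = namedtuple("Stmt", "dst callee args")

SOURCES = {"HttpServletRequest.getParameter"}        # return value is tainted
SINKS = {"Statement.executeQuery",                    # String argument must be untainted
         "Connection.prepareStatement"}
PROPAGATORS = {"StringBuffer.append", "StringBuffer.toString",
               "String.concat", "String.trim"}        # result derived from every arg
# Assumption: PreparedStatement.setString binds a value that never becomes SQL
# text, so it is deliberately absent from both PROPAGATORS and SINKS.


def derived(program):
    """One-step 'derived' relation as a set of (y, x) pairs: y is derived from x."""
    pairs = set()
    for s in program:
        if s.callee is None:
            pairs.add((s.dst, s.args[0]))
        elif s.callee in PROPAGATORS and s.dst is not None:
            pairs.update((s.dst, a) for a in s.args)
    return pairs


def tainted(program):
    """Datalog-style fixpoint:
         tainted(X) :- source(X).
         tainted(Y) :- tainted(X), derived(Y, X).
    i.e. every object reachable from a source by zero or more derived steps."""
    result = {s.dst for s in program if s.callee in SOURCES}
    pairs = derived(program)
    changed = True
    while changed:
        changed = False
        for y, x in pairs:
            if x in result and y not in result:
                result.add(y)
                changed = True
    return result


def vulnerabilities(program):
    """(sink method, tainted argument) pairs: a tainted object reaching a sink."""
    t = tainted(program)
    return [(s.callee, a) for s in program if s.callee in SINKS
            for a in s.args[1:] if a in t]


# Constructed programs: the paper's snippet (with its `client` parameter used)
# and a PreparedStatement rewrite of it. String literals are written with
# quotes so they are distinct nodes that no source ever taints.
VULNERABLE = [
    Stmt("client", "HttpServletRequest.getParameter", ("request", '"client"')),
    Stmt("s1", "StringBuffer.append", ("s1", '"SELECT * FROM Users WHERE name ="')),
    Stmt("s1", "StringBuffer.append", ("s1", "client")),
    Stmt("query", "StringBuffer.toString", ("s1",)),
    Stmt("rs", "Statement.executeQuery", ("s", "query")),
]

HARDENED = [
    Stmt("client", "HttpServletRequest.getParameter", ("request", '"client"')),
    Stmt("ps", "Connection.prepareStatement",
         ("conn", '"SELECT * FROM Users WHERE name = ?"')),
    Stmt(None, "PreparedStatement.setString", ("ps", "1", "client")),
    Stmt("rs", "PreparedStatement.executeQuery", ("ps",)),
]

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, "tainted:", sorted(tainted(prog)),
              "findings:", vulnerabilities(prog))
```

Running the script reports `client`, `s1` and `query` as tainted in the first program and flags the `Statement.executeQuery` call, while in the PreparedStatement version only `client` is tainted and nothing reaches a sink, because the parameter is bound as data rather than concatenated into the query text.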

Penetration testing and runtime monitoring integrated with static taint analysis seem to be a promising approach for finding vulnerabilities, in addition to manual code reviews.

Niharika Gupta,
M.Tech, Computer Science Engineering
Indraprastha Institute of Information Technology, Delhi