Downloaded 13 times
![NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick='" +
account + "' and @password='" +
password + "']";
Sink](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-12-2048.jpg)
![password = "test' or '1'='1";
NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick='" +
account + "' and @password='" +
password + "']";
XPath Injection](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-16-2048.jpg)
![NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick='" +
account + "' and @password='" +
password + "']";
password = "test' or '1'='1";
XPath Injection](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-17-2048.jpg)
![NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick=''
and @password='test' or '1'='1']";
password = "test' or '1'='1";
XPath Injection](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-18-2048.jpg)
![NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick=''
and @password='test' or '1'='1']";
XPath Injection](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-19-2048.jpg)
![NodeList nl = xpath.evaluate(
"/users/user[@nick='' and
@password='test' or
'1'='1']",doc,
XPathConstants.NODESET);
XPath Injection](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-20-2048.jpg)
![// …
allowUser(req.getParameter(“account”), req.getParameter(“password”));
// …
protected boolean allowUser(String account, String password) {
// …
org.w3c.dom.Document doc = builder.parse("db.xml");
// …
XPath xpath = xPathfactory.newXPath();
String q = "/database/table[@name='customers']/entry[@nick='"
+ account + "' and @password='" + password + "']";
// …
NodeList nl = (NodeList) xpath.evaluate(q,doc,
XPathConstants.NODESET);
// …
}](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-38-2048.jpg)
![protected boolean allowUser(String account, String password) {
account = ESAPI.encoder().encodeForXPath(account);
password = ESAPI.encoder().encodeForXPath(password);
// …
org.w3c.dom.Document doc = builder.parse("db.xml");
// …
XPath xpath = xPathfactory.newXPath();
String q = "/database/table[@name='customers']/entry[@nick='"
+ account + "' and @password='" + password + "']";
// …
NodeList nl = (NodeList) xpath.evaluate(q,doc,
XPathConstants.NODESET);
// …
}](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-56-2048.jpg)
![protected boolean allowUser(String account, String password) {
// …
org.w3c.dom.Document doc = builder.parse("db.xml");
// …
XPath xpath = xPathfactory.newXPath();
String q = "/database/table[@name='customers']/entry[@nick='"
+ account + "' and @password='" + password + "']";
// …
NodeList nl = (NodeList) xpath.evaluate(q,doc,
XPathConstants.NODESET);
// …
}](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-66-2048.jpg)
![protected boolean allowUser(String account, String password) {
// …
org.w3c.dom.Document doc = builder.parse("db.xml");
// …
XPath xpath = xPathfactory.newXPath();
String q = "/database/table[@name=‘customers’]/entry[@nick='" +
ESAPI.encoder().encodeForXPath(account) +
"' and @password='" +
ESAPI.encoder().encodeForXPath(password) +
"']";
// …
NodeList nl = (NodeList) xpath.evaluate(q,doc,
XPathConstants.NODESET);
// …
}](https://image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-68-2048.jpg)
![NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick='" +
account + "' and @password='" +
password + "']";
Sink](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-12-2048.jpg)
![password = "test' or '1'='1";
NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick='" +
account + "' and @password='" +
password + "']";
XPath Injection](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-16-2048.jpg)
![NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick='" +
account + "' and @password='" +
password + "']";
password = "test' or '1'='1";
XPath Injection](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-17-2048.jpg)
![NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick=''
and @password='test' or '1'='1']";
password = "test' or '1'='1";
XPath Injection](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-18-2048.jpg)
![NodeList nl = xpath.evaluate(q,
doc, XPathConstants.NODESET);
String q = "/users/user[@nick=''
and @password='test' or '1'='1']";
XPath Injection](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-19-2048.jpg)
![NodeList nl = xpath.evaluate(
"/users/user[@nick='' and
@password='test' or
'1'='1']",doc,
XPathConstants.NODESET);
XPath Injection](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-20-2048.jpg)
![// …
allowUser(req.getParameter(“account”), req.getParameter(“password”));
// …
protected boolean allowUser(String account, String password) {
// …
org.w3c.dom.Document doc = builder.parse("db.xml");
// …
XPath xpath = xPathfactory.newXPath();
String q = "/database/table[@name='customers']/entry[@nick='"
+ account + "' and @password='" + password + "']";
// …
NodeList nl = (NodeList) xpath.evaluate(q,doc,
XPathConstants.NODESET);
// …
}](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-38-2048.jpg)
![protected boolean allowUser(String account, String password) {
account = ESAPI.encoder().encodeForXPath(account);
password = ESAPI.encoder().encodeForXPath(password);
// …
org.w3c.dom.Document doc = builder.parse("db.xml");
// …
XPath xpath = xPathfactory.newXPath();
String q = "/database/table[@name='customers']/entry[@nick='"
+ account + "' and @password='" + password + "']";
// …
NodeList nl = (NodeList) xpath.evaluate(q,doc,
XPathConstants.NODESET);
// …
}](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-56-2048.jpg)
![protected boolean allowUser(String account, String password) {
// …
org.w3c.dom.Document doc = builder.parse("db.xml");
// …
XPath xpath = xPathfactory.newXPath();
String q = "/database/table[@name='customers']/entry[@nick='"
+ account + "' and @password='" + password + "']";
// …
NodeList nl = (NodeList) xpath.evaluate(q,doc,
XPathConstants.NODESET);
// …
}](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-66-2048.jpg)
![protected boolean allowUser(String account, String password) {
// …
org.w3c.dom.Document doc = builder.parse("db.xml");
// …
XPath xpath = xPathfactory.newXPath();
String q = "/database/table[@name=‘customers’]/entry[@nick='" +
ESAPI.encoder().encodeForXPath(account) +
"' and @password='" +
ESAPI.encoder().encodeForXPath(password) +
"']";
// …
NodeList nl = (NodeList) xpath.evaluate(q,doc,
XPathConstants.NODESET);
// …
}](https://crownmelresort.com/image.slidesharecdn.com/julian-issre2015final-151106171218-lva1-app6892/75/Security-Slicing-for-Auditing-XML-XPath-and-SQL-Injection-Vulnerabilities-68-2048.jpg)
Uploaded byLionel Briand
Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities
This document discusses security slicing for auditing XML, XPath, and SQL injection vulnerabilities. It presents an approach using taint analysis and system dependence graph construction to extract security-relevant program slices. These slices can then be filtered and chopped to aid security auditing. The approach was evaluated on several test subjects and was shown to significantly reduce the number of slices that need to be examined compared to traditional chopping. Future work areas include handling more complex string operations and integrating with constraint solvers.
More Related Content
Similar to Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities
Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities
- 1. .lusoftware verification &validation VVS Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities Julian Thomé, Lwin Khin Shar and Lionel Briand 1
- 9.
- 10.
- 11.
- 12. NodeList nl =xpath.evaluate(q, doc, XPathConstants.NODESET); String q = "/users/user[@nick='" + account + "' and @password='" + password + "']"; Sink
- 13. password = req.getParameter("password"); Account: Password: Submit XPath Injection
- 14. password = req.getParameter("password"); Account: Password: Submit test' or '1'='1 XPath Injection
- 15. Account : Password: Submit test' or'1'='1 password = "test' or '1'='1"; XPath Injection
- 16. password = "test'or '1'='1"; NodeList nl = xpath.evaluate(q, doc, XPathConstants.NODESET); String q = "/users/user[@nick='" + account + "' and @password='" + password + "']"; XPath Injection
- 17. NodeList nl =xpath.evaluate(q, doc, XPathConstants.NODESET); String q = "/users/user[@nick='" + account + "' and @password='" + password + "']"; password = "test' or '1'='1"; XPath Injection
- 18. NodeList nl =xpath.evaluate(q, doc, XPathConstants.NODESET); String q = "/users/user[@nick='' and @password='test' or '1'='1']"; password = "test' or '1'='1"; XPath Injection
- 19. NodeList nl =xpath.evaluate(q, doc, XPathConstants.NODESET); String q = "/users/user[@nick='' and @password='test' or '1'='1']"; XPath Injection
- 20. NodeList nl =xpath.evaluate( "/users/user[@nick='' and @password='test' or '1'='1']",doc, XPathConstants.NODESET); XPath Injection
- 30.
- 31. Taint Analysis Focus onIntegrity No Filtering False Positives
- 32.
- 34.
- 35.
- 36.
- 38. // … allowUser(req.getParameter(“account”), req.getParameter(“password”)); //… protected boolean allowUser(String account, String password) { // … org.w3c.dom.Document doc = builder.parse("db.xml"); // … XPath xpath = xPathfactory.newXPath(); String q = "/database/table[@name='customers']/entry[@nick='" + account + "' and @password='" + password + "']"; // … NodeList nl = (NodeList) xpath.evaluate(q,doc, XPathConstants.NODESET); // … }
- 39.
- 40. “account” getParameter() account = getParameter() fpar0 …ret account password = getParameter() allowUser() account password password … q= … nl = xpath.evaluate() … evaluate() apar0 … fpar0 … ret
- 41. “account” getParameter() account = getParameter() fpar0 …ret account password = getParameter() allowUser() account password password … q= … nl = xpath.evaluate() … evaluate() apar0 … fpar0 … ret account account password password q= … apar0
- 42.
- 43.
- 45.
- 46.
- 47. HH LL HL LH High Confidentiality High Integrity LowConfidentiality High Integrity Low Confidentiality Low Integrity High Confidentiality Low Integrity HH LL HL LH
- 48.
- 49.
- 50.
- 51.
- 52.
- 53. account account password password q= … apar0 HLHL HH HH LL HL LH
- 54. account account password password q= … apar0 HLHL HH HH LL HL LH
- 56. protected boolean allowUser(Stringaccount, String password) { account = ESAPI.encoder().encodeForXPath(account); password = ESAPI.encoder().encodeForXPath(password); // … org.w3c.dom.Document doc = builder.parse("db.xml"); // … XPath xpath = xPathfactory.newXPath(); String q = "/database/table[@name='customers']/entry[@nick='" + account + "' and @password='" + password + "']"; // … NodeList nl = (NodeList) xpath.evaluate(q,doc, XPathConstants.NODESET); // … }
- 57. “account” getParameter() account = getParameter() fpar0 …ret account password = getParameter() allowUser() account password password … q= … nl = xpath.evaluate() … encodeForXpath() apar0 … ret evaluate() apar0 … fpar0 … ret … … HL HL HH HL HH account account password password q= … apar0 … ret apar0 HL HL HH HL HH
- 58. HH LL HL LH account account password password q=… apar0 … ret apar0 HL HL HH HL HH
- 59. account account password password q= … apar0… ret apar0 HL HL HH HL HH HH LL HL LH
- 60.
- 65.
- 66. protected boolean allowUser(Stringaccount, String password) { // … org.w3c.dom.Document doc = builder.parse("db.xml"); // … XPath xpath = xPathfactory.newXPath(); String q = "/database/table[@name='customers']/entry[@nick='" + account + "' and @password='" + password + "']"; // … NodeList nl = (NodeList) xpath.evaluate(q,doc, XPathConstants.NODESET); // … }
- 67.
- 68. protected boolean allowUser(Stringaccount, String password) { // … org.w3c.dom.Document doc = builder.parse("db.xml"); // … XPath xpath = xPathfactory.newXPath(); String q = "/database/table[@name=‘customers’]/entry[@nick='" + ESAPI.encoder().encodeForXPath(account) + "' and @password='" + ESAPI.encoder().encodeForXPath(password) + "']"; // … NodeList nl = (NodeList) xpath.evaluate(q,doc, XPathConstants.NODESET); // … }
- 70.
- 71.
- 72.
- 73. Automatic detection of sources,sinks and declassifiers Extensive library of sources, sinks and declassifiers
- 74.
- 75. Extraction of pathconditions, control dependencies, data dependencies Threat Categorisation Automatic annotation of sources, sinks and declassifiers
- 76.
- 77.
- 78.
- 79.
- 80. Test Subjects Subject KLOC#Servlets #Sources #Sinks #Declassifiers XML XPath SQL XML XPath SQL WebGoat 24.6 14 40 3 1 29 0 0 25 Roller 52.4 3 14 13 0 0 11 0 0 Pebble 36.5 3 6 7 0 0 3 0 0 Regain 23.1 1 1 1 0 0 3 0 0 PubSub 1.9 4 16 3 4 0 4 0 0
- 81. Comparison between Choppingand Security Slicing #SDGNodes 1 10 100 1000 10000 100000 1000000 WebGoat Roller Pebble Regain PubSub SDG Construction Chopping Security Slicing
- 82. Comparison between Choppingand Security Slicing #SDGNodes 1 10 100 1000 10000 100000 1000000 SDG Construction Chopping Security Slicing Total Mean Median
- 83. Chopping SecSlicing #Chops to beaudited 0 20 40 60 80 21 73
- 84. Execution Time inms Subject SDG Generation Source/Sink Identification Chopping Filtering Total WebGoat 124,301 504 12,266 694 137,765 Roller 23,815 56 763 69 24,703 Pebble 4,570 20 128 53 4,771 Regain 44,311 40 285 30 44,666 PubSub 39,213 85 965 153 40,416
- 85.
- 87. String Operations + PathConditions
- 88. Threat Models String Operations+ Path Conditions
- 89. Threat Models Constraint Solver StringOperations + Path Conditions