Conference: International Conference for Young Computer Scientists

An Automatic Mechanism for Sanitizing Malicious Injection

Abstract

According to the OWASP Top 10 2007, the top 1-5 critical Web application security vulnerabilities are caused by unchecked input [1]. Unvalidated input may allow a hacker to inject code that bypasses or modifies the originally intended functionality of the program in order to gain information, escalate privileges or obtain unauthorized access to a system. Examples of such vulnerabilities are SQL injection, shell injection and Cross-Site Scripting (XSS). Proper input validation is an effective countermeasure against input attacks, but it may produce false negatives or false positives. We develop a defense system consisting of a testing framework and a sanitizing mechanism on a security gateway. The security gateway is placed in front of the application server to mitigate malicious injection. To verify the efficiency of the sanitizing mechanism, we focus on whether the filter rules achieve a better detection rate when sanitizing input data. In our experiments, different fields may automatically be given proper validation rules made up of some sub-rules. By means of this mechanism, we reduce the false rate and show that the hybrid method is more ideal than any traditional input handling.