Runtime Input Validation for Java Web Applications Using Static Bytecode Instrumentation

Title: Runtime Input Validation for Java Web Applications Using Static Bytecode Instrumentation
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Cho, Sangwook; Kim, Gyoosik; Cho, Seong-je; Choi, Jongmoo; Park, Minkyu; Han, Sangchul
Conference Name: Proceedings of the International Conference on Research in Adaptive and Convergent Systems
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4455-5
Keywords: bytecode instrumentation, data privacy, Human Behavior, input validation, Java web application, Metrics, path traversal, privacy, pubcrawl, Resiliency, SQL Injection, SQL injection attack
Abstract

As web applications are becoming more prominent due to the ubiquity of web services, they have become main targets for attackers. In order to steal or leak sensitive user data managed by web applications, attackers exploit a wide range of input validation vulnerabilities such as SQL injection, path traversal (or directory traversal), cross-site scripting (XSS), etc. This paper proposes a technique that can verify input values of Java-based web applications using static bytecode instrumentation and runtime input validation. The technique searches for target methods or object constructors in compiled Java class files and statically inserts bytecode modules. At runtime, the instrumented bytecode modules validate the input values of the targets and take countermeasures against malicious inputs. The proposed technique can mitigate input validation vulnerabilities in Java-based web applications without access to source code. To evaluate the effectiveness of the proposed technique, experiments are carried out with an insecure web application maintained by the OWASP WebGoat Project. The experimental results show that the proposed technique successfully mitigates input validation vulnerabilities such as SQL injection and path traversal.

URL: http://doi.acm.org/10.1145/2987386.2987432
DOI: 10.1145/2987386.2987432
Citation Key: cho_runtime_2016