Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
POPL
2006
ACM
2006
ACM
The essence of command injection attacks in web applications
Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through a low-level API by dynamically constructing query strings within a general-purpose programming language, such as Java. This low-level interaction is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the web application to generate unintended output. This is called a command injection attack, which poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for...
Real-time TrafficCommand Injection Attacks | Low Runtime Overhead | POPL 2006 | Programming Languages | Web Applications |
Related Content
| Added | 03 Dec 2009 |
| Updated | 03 Dec 2009 |
| Type | Conference |
| Year | 2006 |
| Where | POPL |
| Authors | Zhendong Su, Gary Wassermann |
Comments (0)
Researcher Info
|
