Hunting Vulnerabilities In Networks Using Vulblocker Computer Science Essay


The rapid growth of the Internet has resulted in feature-rich and dynamic web applications. This increase in features has also introduced attack vectors that are largely underestimated. Buffer Overflow Attack and SQL Injection are the most dominant classes of web vulnerabilities reported by OWASP in 2011. These attacks exploit vulnerabilities in the code of web applications, with serious consequences such as theft of cookies, passwords and other personal credentials. They are caused by scripts that do not sanitize user input. Several server-side countermeasures for BOA attacks exist, but such techniques have not been universally applied because of their deployment overhead. The existing client-side solutions degrade the performance of the client's system, resulting in a poor web surfing experience. This paper presents an automata-based symbolic string analysis called VulBlocker for the automatic verification of string-manipulating programs: we compute the pre- and post-conditions of common string functions using deterministic finite automata (DFAs). Experimental results show that this approach finds and prevents a large number of malicious attacks on web applications.


As the Internet grows rapidly, the attack vectors that can degrade performance through hacking also grow rapidly. Hacking means finding weaknesses in a computer or computer network and exploiting them, though the term can also refer to someone with an advanced understanding of computers and computer networks. Hackers may be motivated by a multitude of reasons, such as profit, protest or challenge. The subculture that has evolved around hackers is often referred to as the computer underground, but it is now an open community. While other uses of the word hacker exist that are not related to computer security, they are rarely used in a mainstream context. They are subject to the long-standing hacker definition controversy about the true meaning of the term hacker. In this controversy, the term hacker is reclaimed by computer programmers who argue that someone breaking into computers is better called a cracker, without making a distinction between computer criminals (black hats) and computer security experts (white hats). Some white hat hackers claim that they also deserve the title hacker and that only black hats should be called crackers.

1.1 Dependable and Secure Computing

Dependable and Secure Computing focuses on achieving availability, reliability, confidentiality, integrity, safety and maintainability. The problem domain of the project is vulnerabilities in web applications, which have become one of the most important means of information communication between various kinds of users and service providers. CERT (Computer Emergency Response Team) published an advisory on a newly identified security vulnerability affecting all web applications. There are three known variants of the buffer overflow attack: Reflected - a page reflects user-supplied data directly back to the user. Stored - the site takes malicious data, stores it in a file, a database or another back-end system, and at a later stage displays the data to the user, unfiltered. DOM injection - the site's JavaScript code and variables are manipulated rather than HTML elements. Attacks are usually implemented in JavaScript, which is a powerful scripting language. Using JavaScript allows attackers to manipulate any feature of the rendered page, including adding new elements, manipulating any aspect of the internal DOM tree, and deleting or changing the page format. Initially it was possible for one browser window to steal data from another when more than one browser window was open simultaneously. To allow user-side customization of web information, cookies were implemented. They are pieces of information generated by a web server and stored on the user's computer, ready for future access. Cookies are embedded in the HTML information flowing back and forth between the user's computer and the servers. Since the information in the cookies is easily accessible, attackers stole them through buffer overflow attacks and used them to hijack sessions and compromise accounts. Malware has evolved to make increased use of the web.
The scope extends further than just malicious scripts embedded in web pages; for example, numerous downloader Trojans use the web as a simple file repository, downloading other malicious files via HTTP.

Fig 1.1 Web Site attack

Malicious scripts hosted on attack sites await the visit of vulnerable client browsers before they unleash exploit code in order to infect the victim. Compromised sites provide a convenient mechanism to expose a huge number of victims to malicious code. Spammed email messages and enticing web sites are used to lure victims to malicious code. Malware may deliver a traffic redirection payload. Online advertising is a multibillion dollar business nowadays. Increasing web traffic to a site by directing or referring users provides a mechanism for organizations and individuals to make money through affiliate marketing. The class of applications that integrate with the browser in order to display targeted advertisements is generally referred to as adware. Such software is commonplace today and is frequently bundled with other applications ("ad-supported software"). The web provides the perfect framework for malware authors to blend together the techniques listed above. Today's threats cunningly incorporate spam and web "lures" with exploit scripts to efficiently infect unsuspecting victims. Many web vulnerabilities exist in web applications, but according to the OWASP report of the year 2012, the top web vulnerabilities that can effectively degrade an application's performance are the Buffer Overflow Attack and the SQL Injection Attack. This research is focused on eliminating those vulnerabilities. A short description of those attacks is given in the upcoming sections.

A buffer overflow attack is a type of computer security vulnerability in which data exceeding the bounds of an array are loaded into the array. Buffer overflow attacks are typically found in web applications and enable attackers to inject client-side script into web pages viewed by other users. The buffer overflow vulnerability may be used by attackers to bypass access controls such as the same origin policy. Buffer overflows carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2009. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. There is no single, standardized classification of buffer overflow flaws, but most experts distinguish between at least two primary flavours, non-persistent and persistent buffer overflows. Some sources further divide these two groups into traditional (caused by server-side code flaws) and DOM-based (in client-side code). Buffer overflow is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within Winamp, an RSS reader or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash or any other browser-supported technology. When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. Buffer overflow vulnerabilities have been reported and exploited since the 1990s. Prominent sites affected in the past include the social-networking sites Twitter, Facebook, MySpace and Orkut. In recent years, buffer overflows have become the most common publicly reported security vulnerability, with some researchers viewing as many as 68% of websites as likely open to buffer overflow attacks.

A user subjected to a buffer overflow attack could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly be shown fraudulent content delivered by the web site they are visiting. Buffer overflow attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone, allowing for system compromise.

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed. The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with the comment mark "--"; subsequent text is ignored at execution time. Using SQL injections, attackers can:
- Add new data to the database, by performing an INSERT in the injected SQL. It could be embarrassing to find yourself selling politically incorrect items on an e-commerce site.
- Modify data currently in the database, by performing an UPDATE in the injected SQL. It could be very costly to have an expensive item suddenly be deeply 'discounted'.
- Gain access to other users' system capabilities by obtaining their passwords.
The main objective of our contribution is to detect the malicious code entered on a website and prevent it from entering the administrator's database. Past work reports that only 46% of the attacks are avoided; nearly double that percentage, about 90% of the attacks, can be avoided by our tool.

Fig 1.2 SQL Injections

This prevention module can be implemented on all web servers to prevent scripting attacks. It acts faster and reduces the time spent checking the data that is to be delivered. It provides protection against malicious attacks where the attacker may target sensitive information such as cookies and session IDs.

2. Related Work

In a buffer overflow attack, data exceeding the bounds of an array are loaded into the array. Buffer overflows can cause security problems. During program execution, buffer overflows can occur in three different areas of process memory: the data area, the stack and the heap. A data buffer overflow attack occurs when input overwrites existing data, causing the program to act in a manner that violates the security policy. An executable buffer overflow occurs when executable code is loaded into a buffer and some quantity is altered to cause that code to be executed. Buffer overflow attacks are caused by input strings; in web applications the malicious input strings are usually JavaScript. A format string attack occurs when an input string contains formatting commands. If a buffer overflow causes the program to crash, either the program jumps to a non-executable location or tries to access inaccessible data. Consider a web server that fails to check the length of a string read from the network. For the purposes of the example, the policy of the site running the web server is that the web server may execute only a specified set of commands, and may only reveal the contents of the web pages it serves. The failure to check the bounds of the input string allows the attacker to supply an input string that corrupts the running web server process, causing it to violate the policy. The attacker usually inputs a string that is longer than the array. Range checking and bounds checking can be used to reject an input string longer than the array size. CRED, StackGuard and MemGuard can be used to guard against buffer overflow attacks. But in web applications a DFA can be used to detect and prevent buffer overflow attacks. [1]

The World Wide Web has evolved from a collection of static HTML pages to an assortment of Web 2.0 applications. Online social networking in particular has become more popular by the day since the establishment of SixDegrees in 1997. Millions of people use social networking web sites daily, such as Facebook, MySpace, Orkut and LinkedIn. A side effect of this growth is that possible exploits can turn OSNs into platforms for malicious and illegal activities, like DDoS attacks, privacy violations, disk compromise and malware propagation. This paper shows that social networking web sites have the ideal properties to become attack platforms. The authors introduce a new term, antisocial networks, that refers to distributed systems based on social networking web sites which can be exploited to carry out network attacks. An adversary can take control of a visitor's session by remotely manipulating their browser through legitimate web control functionality such as image-loading HTML tags, JavaScript instructions and Java applets. This paper studies many attack vectors but does not deal with a detection/prevention mechanism. It studies the behaviour of malicious applications that allow a remote user to hack legitimate users' data. [2]

Ensuring users a safe web experience has become a critical problem recently, as fraud and privacy infringement on the Internet are becoming common. Web-scripting-based malware is also intensively used to carry out longer-term exploitation such as XSS worms or botnets, and server-side countermeasures are often ineffective against such threats, while client-side ones seldom deal with the problem of obfuscation. In order to provide a sounder and more complete analysis, this paper proposes to carry out deobfuscation of web-scripting-language-based malware. It studies the possibility of automating the deobfuscation process using a term rewriting system based on automated deduction. Such a static approach intends to evade anti-analysis techniques and unknown obfuscation schemes. With some preliminary experiments in JavaScript, the paper shows evidence that this is actually possible and highlights several challenges to tackle in order to implement an effective script-based malware deobfuscator. The approach can be generalized to web scripting languages other than JavaScript, such as ActionScript or VBScript. Applications encompass script-based malware static analysis and malware distribution website crawling. The paper is included in a wider project that aims to provide a client-based defence against Web 2.0 malware. Term Rewriting System - the input from the user is first checked for sinks; if sinks exist, the sink data is rewritten. For example, <script> alert("hacked");</script> is changed to &lt;script&gt; alert("hacked"); &lt;/script&gt;.
Two standard tools are used. The encryption technique is a symmetric encryption standard which converts every plaintext message into a ciphertext message using a monoalphabetic cipher; a monoalphabetic cipher uses a fixed substitution over the entire message. The term rewriting system takes a huge amount of time to rewrite the sinks (malicious data). To prevent the vulnerability in the network, a new tool called Automaton can be used to parse the malicious sinks, which is more efficient compared to the above techniques. [3]

Web applications often use cookies for maintaining an authentication state between users and web applications; these cookies are typically sent to the users by the web applications after the users have been successfully authenticated. Every subsequent request that contains the valid cookies will be automatically allowed by the web applications without any further authentication. The cookies are used to both identify and authenticate the users; therefore they are an interesting target for potential attackers. The Cross Site Scripting attack (XSS for short) is one of the popular attacks often used to steal the cookies from a browser's database. This paper introduces a new technique called "Dynamic Cookies Rewriting", which aims to render the cookies useless for XSS attacks. The technique is implemented in a web proxy, where it automatically rewrites the cookies that are sent back and forth between the users and the web applications. With this technique in place, the cookies in the browser's database are no longer valid for the web applications; therefore the XSS attack will not be able to impersonate the users using stolen cookies. [4]

SQL Injection (SQLI) and cross-site scripting (XSS) attacks are widespread forms of attack in which the attacker crafts the input to the application to access or modify user data and execute malicious code. In the most serious attacks (called second-order, or persistent, XSS), an attacker can corrupt a database so as to cause subsequent users to execute malicious code. This paper presents a technique and an automated tool (ANDRILLA) for finding security vulnerabilities, namely SQLI, in web applications. The tool generates concrete inputs, executes the program under test with each input, and dynamically observes whether data flows from an input to a sensitive sink. If an input reaches a sensitive sink, the technique modifies the input by using a library of attack patterns, in an attempt to pass malicious data through the program. Results show that the tool found 68 attack vectors in five programs with few false positives. This approach is not universally accepted and implemented because of some false positives. [5]

Many web sites such as MySpace, Facebook and Twitter allow their users to upload files. However, when a web site's content-sniffing algorithm differs from a browser's content-sniffing algorithm, an attacker can often mount a content-sniffing XSS attack on the visitor. That is, by carefully embedding HTML code containing malicious script into a non-HTML file and uploading this file to the web site, an attacker can deceive the visitor's browser into treating the file as an HTML file and running the script code. This paper proposes a server-side ingress filter that aims to protect vulnerable browsers which may treat non-HTML files as HTML files. [6]

STRANGER is an automata-based string analysis tool for finding and eliminating string-related security vulnerabilities in PHP applications. STRANGER uses symbolic forward and backward reachability analyses to compute the possible values that string expressions can take during program execution. STRANGER can automatically (1) prove that an application is free from specified attacks or (2) generate vulnerability signatures that characterize all malicious inputs that can be used to generate attacks. The tool presents an automata-based symbolic string analysis for the automatic verification of string-manipulating programs. It computes the pre- and post-conditions of common string functions using deterministic finite automata (DFAs), and computes DFAs that characterize all possible values that string expressions can take in any possible execution of a program using forward and backward symbolic analyses. This work has been implemented only for preventing malicious attacks in PHP applications; it can be made platform independent by using VULBLOCKER. [7]

The Facebook Platform represents a powerful combination of social networking and third-party gadget aggregation. Officially released in May 2007, the Facebook API provides developers with millions of potential users and partial access to their information. The highly personal nature of Facebook data and the amplifying effects of the social network make it crucial that the Facebook Platform does not enable third-party attacks. This paper describes Facebook's security mechanisms and presents a cross-site scripting vulnerability in Facebook Markup Language that allows arbitrary JavaScript to be added to application users' profiles. The injected code in the profile can then defeat Facebook's anti-request-forgery security measures and hijack the sessions of viewers. [8]

Web applications support many of our daily activities, but they often have security problems, and their accessibility makes them easy to exploit. In cross-site scripting (XSS), an attacker exploits the trust a web client (browser) has for a trusted server and executes injected script on the browser with the server's privileges. Web applications have XSS vulnerabilities because the validation they perform on untrusted input does not suffice to prevent that input from invoking a browser's JavaScript interpreter, and this validation is particularly difficult to get right if it must admit some HTML mark-up. This paper faces some obstacles in checking for vulnerabilities statically, and addresses them by formalizing a policy based on the W3C recommendation, the Firefox source code, and online tutorials about closed-source browsers. The authors provide effective checking algorithms based on their policy. [9]

This paper proposes an approach for the thorough auditing of code to defend against cross-site scripting attacks. Based on the possible methods of implementing defences against cross-site scripting, the approach extracts all such defences implemented in the code so that developers, testers or auditors can check the extracted output to examine its adequacy. The first step extracts XSS defences implemented through input validation and input filtering automatically from the code; the second step examines the extracted output to determine its adequacy. The first step can be fully automated using inter-procedural control flow and data flow between input nodes and html-o-nodes. The second step examines whether the input validation and input filtering implemented for each html-o-statement is sufficient to defend it against XSS attacks. [10]





Description                             | HTML element pattern
External interactive content or plugin  | <embed * src =
A media-independent link                | <link * href =
Embedded image                          | <img * src =
Java applet                             | <applet * code src =
Sub window                              | <frame * src =
Inline sub window                       | <iframe * src =
Window subdivision                      | <frameset * (events) =
Script statements                       | <script *>*</script>
Define style information                | <style *>*</style>
Generic meta information                | <meta * http-equiv =

Table 2.1 HTML elements

3. Implementation


The administrator deploys websites and displays the services of the web server. The attacker launches a BOA attack, and Vulblocker detects the attack and protects the application from it.


Fig 3.1 Overall Design


3.2.1 Server Module

In the context of client-server architecture, a server is a computer program that runs to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of the "clients". The clients either run on the same computer or connect through the network. A web server is created and the web application is deployed on Apache Tomcat (Apache Software Foundation) using JSP programs. The login module is where the user gives the login details as input; the login details are authenticated before the service is provided. In case of an incorrect login, the user is asked to enter the details again in order to view the web services. The user enters the username and password on the welcome page of the site. The user details are validated against the database for authentication. If the user authentication is correct, the services are displayed; otherwise the user has to re-enter their username and password. Generally the web server is created by initially having a login page. <h1> and <h2> are the HTML tags used to display the headings on the main page. The main heading is kept moving with the marquee tag (<marquee>). The frame created on the right side is for login. The text boxes for the input of the username and the password are created, with the submit and sign-up buttons.

3.2.2 Attacker Module

In this module, malicious logic penetrates the web services, causing malicious execution that results in poor web service and degrades the performance of the web server. The following cheat codes were tested on our web server and are shown below.

Attack 1 (BOA) - A buffer overflow attack (BOA) is an attack in which data exceeding the bounds of an array is loaded into the array. BOAs are found in web applications, such as web browsers through breaches of browser security, and enable attackers to inject client-side script into web pages viewed by other users. A buffer overflow vulnerability may be used by attackers to bypass access controls such as the same origin policy. Buffer overflows carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007. [11] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

<A HREF=<SCRIPT>malicious code</SCRIPT>>Click here</A>

When an unsuspecting user clicks on this link, the URL, including the malicious code, is sent to the legitimate server. If the legitimate server sends a page back to the user including the value of the client profile, the malicious code will be executed in the client's web browser.


Fig 3.5. BOA Attack via e-mail

Stealing users' cookies - If any part of the web site uses cookies, then it may be possible to steal them from its users. In this scenario, the attacker places a page with a malicious script in the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the users' cookies and sends a request to the attacker's web site with the cookies gathered. Using this technique, the attacker can gain sensitive data such as passwords, credit card numbers and any arbitrary information the user inputs.


Fig 3.6. Cookie theft and account hijacking

Attack 2 (SQLI) - SQL injection is a technique often used to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability occurs when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed and is unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump database information such as credit cards or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. Blind SQL injection is used to throw an error in order to validate that encapsulation isn't working. The goal here is to throw an error that causes the application to show that it is not encapsulating quotes correctly:

1 AND 1=1

' or '1'='1' -- '

' or '1'='1' ({ '

' or '1'='1' /* '
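As an added example (not part of the original essay or of the web server it describes), the following Python snippet uses an in-memory SQLite table constructed for illustration to show how the quote termination and "--" comment trick explained above rewrites a query built by string concatenation, and why the same input is inert once it is bound as a parameter:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the administrator's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def build_concat_query(username, password):
    """The vulnerable pattern: user input concatenated straight into SQL text."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_concat(conn, username, password):
    """Login check with the concatenated query (vulnerable): a quote in the
    input closes the string literal early and '--' comments out the rest."""
    sql = build_concat_query(username, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Login check with a parameterised query: the input is bound as data,
    so quotes and comment markers inside it are never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1' -- '"        # second test string listed above
    print(build_concat_query("nobody", payload))
    print("concat:", login_concat(db, "nobody", payload))   # True: bypassed
    print("param :", login_param(db, "nobody", payload))    # False: rejected
```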

3.2.3 Blocker Module

Initially, the data are sent directly to the database without undergoing any detection process. This also shows how the intruder sends invalid data (malicious code) into the network and how it executes both on the server and on other client systems in that network. This malicious code helps the intruder to steal the session cookies and the personal and confidential details of both client and server systems, and even carries the danger of crashing the system. A BOA detector, which can differentiate valid data from malicious coded data, is implemented in this phase of the module. This detector is implemented directly in the server-side system to carry out the detection process. So each and every piece of data coming to the server is processed by this detector before it is stored in the main database. Based on the result of the detection process, the data is either stored or discarded. Since the detection process is carried out on the server system, the efficiency of the system may decrease. Whenever there are multiple requests from multiple clients, the detection workload may increase. Because of this, the server load may increase and there is a chance of the system slowing down. In this module, the detector is therefore implemented in the Midware. The Midware performs only the checking process whenever there is a data flow in the network. Since the Midware performs the checking process, the server performance is not affected. When the web services are displayed to the user, they are tested for attacks by using the tool provided. The input from all the web pages is given to the parser first, and the parser generates the control flow graph (CFG). The CFG is given to the taint analyzer, which produces the tainted dependency graph. This graph is given as the input to the string analyzer. The automata library and the automata package are used by the string analyzer to perform all the string operations on the web page.
The vulnerability signatures already stored in the string report are checked to see whether any attacks are present in the network. If the string is verified, the user is allowed to view the services; otherwise the services are blocked.

3.2.4 Comparison And Performance Analysis

The Vulblocker tool is compared with the existing BOA countermeasures, i.e. the term rewriting system and the cookie rewriting system. Vulblocker is found to be very effective in detecting and preventing BOA in networks.


3.3.1 Deterministic Finite Automata

A deterministic finite state machine, also known as a deterministic finite automaton (DFA), is a finite state machine that accepts finite strings of symbols. For each state there is exactly one outgoing transition for each symbol. Upon reading a symbol, a DFA jumps deterministically from one state to another by following that transition. Deterministic means that there is only one possible outcome: either move to the next state when the symbol matches (S0 -> S1) or stay in the same state (S0 -> S0). A DFA has a start state (drawn with an arrow coming in from nowhere) where computations begin, and a set of accept states (drawn as double circles) that define when a computation is successful. DFAs recognize exactly the regular languages, which are, among other things, useful for lexical analysis and pattern matching.

A DFA is defined as an abstract mathematical concept, but because it is deterministic it can be implemented directly in hardware or software to solve specific problems. For example, a software state machine that decides whether online user input such as phone numbers and e-mail addresses is valid can be modelled as a DFA. A hardware example is the digital logic circuit that controls whether an automatic door is open or closed, using input from motion sensors or pressure pads to decide whether to perform a state transition.

Formally, a deterministic finite automaton is a 5-tuple M = (Q, Σ, δ, q0, F), where Q is a finite set of states, Σ is a finite set of input symbols called the alphabet, δ : Q × Σ → Q is the transition function, q0 ∈ Q is the start state and F ⊆ Q is the set of accept states. Acceptance of an input string w is defined by three conditions. The first says that the machine starts in the start state q0. The second says that on each character of w the machine moves from state to state according to the transition function δ. The last says that the machine accepts w if the last symbol of w leaves it in one of the accept states; otherwise the automaton rejects the string. The set of strings M accepts is the language recognized by M, denoted L(M).

A DFA representing a regular language can be used either in an accepting mode, to validate that an input string belongs to the language, or in a generating mode, to produce a list of all the strings in the language. In accepting mode an input string is provided, which the automaton reads left to right, one symbol at a time. The computation begins in the start state and proceeds by reading the first symbol of the input and following the transition for that symbol, and so on until the input is exhausted. The generating mode is similar, except that rather than validating an input string its goal is to produce a list of all the strings in the language: instead of following a single transition out of each state it follows all of them. In practice this can be done with massive parallelism (having the program branch into two or more processes each time it faces a decision) or through recursion. As before, the computation begins in the start state and then follows each available transition, keeping track of which branches it took.
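The 5-tuple and both operating modes in Python, as an added illustration that is not part of the original essay. The automaton recognizes "the input contains an HTML entity", the pattern the sanitiser in section 3.3.2 loops on; the abstraction of the raw characters into five symbol classes is my assumption.

```python
import re
from collections import deque

# Alphabet Sigma: '&', '#' and ';' stand for themselves; every other ASCII
# letter or digit is represented by 'a', every other character by ' '.
SIGMA = ("&", "#", ";", "a", " ")

def classify(ch: str) -> str:
    """Map one raw input character onto a symbol of Sigma."""
    if ch in "&#;":
        return ch
    return "a" if (ch.isascii() and ch.isalnum()) else " "

# M = (Q, Sigma, delta, q0, F): accepts exactly the strings that contain an
# HTML entity &#?[a-zA-Z0-9]*; (q1: seen '&', q2: inside the name, q3: done).
Q = {"q0", "q1", "q2", "q3"}
DELTA = {
    "q0": {"&": "q1", "#": "q0", ";": "q0", "a": "q0", " ": "q0"},
    "q1": {"&": "q1", "#": "q2", ";": "q3", "a": "q2", " ": "q0"},
    "q2": {"&": "q1", "#": "q0", ";": "q3", "a": "q2", " ": "q0"},
    "q3": {"&": "q3", "#": "q3", ";": "q3", "a": "q3", " ": "q3"},
}
Q0 = "q0"
F = {"q3"}

def accepts(w: str) -> bool:
    """Accepting mode: r0 = q0, r_{i+1} = delta(r_i, a_{i+1}); accept iff r_n in F."""
    state = Q0
    for ch in w:
        state = DELTA[state][classify(ch)]
    return state in F

def generate(max_len: int) -> set:
    """Generating mode: follow every transition (breadth first) and collect
    all words of length <= max_len that end in an accept state."""
    language = set()
    frontier = deque([(Q0, "")])
    while frontier:
        state, word = frontier.popleft()
        if state in F:
            language.add(word)
        if len(word) < max_len:
            for a in SIGMA:
                frontier.append((DELTA[state][a], word + a))
    return language

def agrees_with_regex(samples) -> bool:
    """Cross-check: the DFA and the attack pattern written as a regex decide alike."""
    pattern = re.compile(r"&#?[a-zA-Z0-9]*;")
    return all(accepts(s) == bool(pattern.search(s)) for s in samples)
```

`generate(3)` lists the thirteen symbol strings of length at most three in L(M); a vulnerability signature in the sense of section 3.3.2 is the same kind of object, a DFA whose language is the set of inputs that reach a sink.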

3.3.2 Algorithm Pseudo code


Main algorithm:

```text
get the data from the user
tokenize the input and send the tokens to the parser

attack = 0
for all user data in the network:
    construct the CFG for the given data
    forward the result to the taint analyser to find sinks
    if (sink == null):
        return "no malicious attack found"
    do:
        find the sink and forward it to the string analyzer
        if (sink == BOA):
            _BOA(userdata)
        else if (sink == sqlinjection):
            _sqli(userdata)
    while (sink != null)
end of main algorithm
```

Function _BOA (PHP):

```php
<?php
// input : userdata
// output: vulnerability identification (userdata reduced to a single,
//         canonical HTML-entity encoding)
function _BOA($var)
{
    // an HTML entity such as &amp; or &#39;
    $pattern = '/&(#)?[a-zA-Z0-9]{0,};/';
    if (is_array($var)) {                 // if the variable is an array
        $out = array();                   // set the output as an array
        foreach ($var as $key => $v) {
            // run _BOA on every element of the array and keep the keys
            $out[$key] = _BOA($v);
        }
        return $out;
    }
    $out = $var;
    // decode layered encodings until no entity is left; stop as soon as a
    // round changes nothing (e.g. "&foo;"), otherwise the loop never ends
    while (preg_match($pattern, $out) > 0) {
        $decoded = htmlspecialchars_decode($out, ENT_QUOTES);
        if ($decoded === $out) {
            break;
        }
        $out = $decoded;
    }
    // trim the variable, strip all slashes, and encode it
    $out = htmlspecialchars(stripslashes(trim($out)), ENT_QUOTES, 'UTF-8', true);
    return $out;
}
```

Function _sqli (C#):

```csharp
using System.Data;
using System.Data.SqlClient;

// input : userdata, passed as a stored-procedure parameter and never
//         concatenated into the SQL text
static SqlDataReader _sqli(string param1Value)
{
    // the connection is not disposed here because the reader is handed to the
    // caller; CommandBehavior.CloseConnection closes it when the reader is closed
    var connection = new SqlConnection("...");
    using (var command = new SqlCommand("MySprocName", connection))
    {
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.AddWithValue("@Param1", param1Value);
        connection.Open();
        return command.ExecuteReader(CommandBehavior.CloseConnection);
    }
}
```
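The decode-until-fixed-point idea behind _BOA, as an added Python example that is not the essay's code: each encoding depth of the same input yields one canonical output, and the fixed-point check keeps the loop terminating on entities the decoder does not know. Assumption: html.unescape and html.escape stand in for PHP's htmlspecialchars_decode and htmlspecialchars, so a quote comes out as &#x27; rather than PHP's &#039;.

```python
import html
import re

# The entity pattern the _BOA sanitiser loops on (&amp;, &lt;, &#39; ...).
ENTITY = re.compile(r"&#?[a-zA-Z0-9]*;")

def canonicalize(value: str):
    """Return (canonical, depth): decode layered entity encodings down to a
    fixed point, then encode once. depth is the number of layers removed."""
    out = re.sub(r"\\(.)", r"\1", value.strip())   # trim + stripslashes
    depth = 0
    while ENTITY.search(out):
        decoded = html.unescape(out)
        if decoded == out:
            # The pattern still matches but nothing decodes (e.g. "&foo;" or
            # "&;"): without this check the while-loop would never terminate.
            break
        out = decoded
        depth += 1
    return html.escape(out, quote=True), depth

def sanitize(data):
    """Array branch of _BOA: recurse into lists and dicts, keeping the keys."""
    if isinstance(data, dict):
        return {k: sanitize(v) for k, v in data.items()}
    if isinstance(data, list):
        return [sanitize(v) for v in data]
    return canonicalize(data)[0]

# Constructed sample: the same markup at encoding depths 0, 1 and 2 (and a
# name with an escaped quote) all normalise to one form.
SAMPLE = {"raw": "<b>", "once": "&lt;b&gt;", "twice": "&amp;lt;b&amp;gt;",
          "name": ["O&#39;Brien", r"O\'Brien"]}
```

`sanitize(SAMPLE)` returns `&lt;b&gt;` for all three markup variants and `O&#x27;Brien` for both spellings of the name.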



Vulnerability signatures are generated using backward analysis. A vulnerability signature is a characterization of all malicious inputs that can be used to generate attack strings. The backward analysis starts from the sink nodes and traverses the dependency graph backwards to find the malicious inputs [9]. Both the forward and the backward analyses use an automata-based widening operator to accelerate fixpoint computations.

4. Performance analysis

The approach was tested on a 2.0 GHz Intel Core 2 Duo machine with 1 GB RAM. Each browser's response speed was logged by putting it through a number of tests. The page load time can be measured with a small script on a locally hosted web page, or with a freely available website load-time and speed checker. The number of attacks found by Vulblocker is compared with other existing tools; the result is shown below.


5. Conclusions and Future Work

A large number of websites are vulnerable to BOA attacks. The experimental results show the proposed solution to be very effective. The solution is platform independent and has been implemented on a platform-independent browser, so it can be used on other operating systems with few changes. Buffer overflow vulnerabilities exist on all platforms, so this is a big advantage over other solutions. We use the automata-based string analysis techniques (Vulblocker) described above for vulnerability analysis and vulnerability signature generation. Our analysis takes an attack pattern specified as a regular expression and a JSP program as input and 1) identifies whether there is any vulnerability matching the given attack pattern, and 2) generates a DFA characterizing the set of all user inputs that may exploit the vulnerability. The solution can be extended to cover other pernicious vulnerabilities and attacks, and it can be implemented as a common solution for all web browsers.

Many existing techniques have problems handling attacks that take advantage of poorly coded stored procedures, and cannot handle attacks that disguise themselves using alternate encodings. We present a new tool called Vulblocker that can be used to check the correctness of string manipulation operations in web applications. Vulblocker implements an automata-based approach for the automatic verification of string-manipulating programs based on symbolic string analysis. This research can be extended by placing Vulblocker as middleware between client and server.