Fortifying Applications Against Xpath Injection Attacks

Authors

Dimitris Mitropoulos, Athens University of Economics and BusinessFollow
Vassilios Karakoidas, Athens Univeristy of Economics and BusinessFollow
Diomidis Spinellis, Athens Univeristy of Economics and BusinessFollow

Abstract

Code injection derives from a software vulnerability that allows a malicious user to inject custom code into the server engine. In recent years, there have been a great number of such exploits targeting web applications. In this paper we propose an approach that prevents a specific kind of code injection attacks known as xpath injection in a novel way. To detect an attack, our scheme uses location-specific identifiers to validate the executable xpath code. These identifiers represent all the unique fragments of this code along with their call sites within the application.

Recommended Citation

Mitropoulos, Dimitris; Karakoidas, Vassilios; and Spinellis, Diomidis, "Fortifying Applications Against Xpath Injection Attacks" (2009). MCIS 2009 Proceedings. 95.
https://aisel.aisnet.org/mcis2009/95