Eliminating SQL injection and cross site scripting using aspect oriented programming

  • Authors: Bojan Simic; James Walden
  • Affiliations: Department of Computer Science, Northern Kentucky University, Highland Heights, KY; Department of Computer Science, Northern Kentucky University, Highland Heights, KY
  • Venue: ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
  • Year: 2013

Abstract

Security vulnerabilities in the web applications that we use to shop, bank, and socialize online expose us to exploits that cost billions of dollars each year. This paper describes the design and implementation of AspectShield, a system designed to mitigate the most common web application vulnerabilities without requiring costly and potentially dangerous modifications to the source code of vulnerable web applications. AspectShield uses Aspect Oriented Programming (AOP) techniques to mitigate XSS and SQL Injection vulnerabilities in Java web applications. AOP is a programming paradigm designed to address cross-cutting concerns like logging that affect many modules of a program. AspectShield uses the Fortify Source Code Analyzer to identify vulnerabilities, then generates aspects that weave in code that mitigates Cross-Site Scripting and SQL Injection vulnerabilities. At runtime, the application executes the protective aspect code to mitigate security issues when a block of vulnerable code is executed. AspectShield was tested with three enterprise-scale Java web applications. It successfully mitigated SQL Injection and Cross-Site Scripting vulnerabilities without significantly affecting performance. The use of AspectShield in these enterprise-level applications shows that AOP can effectively mitigate the two top vulnerabilities of web applications in a cost- and time-effective manner.