TY - JOUR
T1 - Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications
AU - Deepa, G.
AU - Thilagam, P. Santhi
AU - Khan, Furqan Ahmed
AU - Praseed, Amit
AU - Pais, Alwyn R.
AU - Palsetia, Nushafreen
N1 - Funding Information:
Acknowledgements This work was supported by the Ministry of Communications and Information Technology, Government of India and is part of the R&D project entitled “Development of Tool for detection of XML-based injection vulnerabilities in web applications,” 2014–2016.
Publisher Copyright:
© 2017, Springer-Verlag Berlin Heidelberg.
PY - 2018/2/1
Y1 - 2018/2/1
N2 - As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. The attackers craft injection attacks in database-driven applications through the user-input fields intended for interacting with the applications. Even though precautionary measures such as user-input sanitization are employed at the client side of the application, the attackers can disable the JavaScript at the client side and still inject attacks through HTTP parameters. The injected parameters result in attacks due to improper server-side validation of user input. The injected parameters may either contain malicious SQL/XML commands leading to SQL/XPath/XQuery injection or be invalid input that intends to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far for identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance due to the fact that it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype, XiParam, is developed and tested on vulnerable applications developed with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective in detecting both XQuery injection and parameter tampering vulnerabilities.
AB - As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. The attackers craft injection attacks in database-driven applications through the user-input fields intended for interacting with the applications. Even though precautionary measures such as user-input sanitization are employed at the client side of the application, the attackers can disable the JavaScript at the client side and still inject attacks through HTTP parameters. The injected parameters result in attacks due to improper server-side validation of user input. The injected parameters may either contain malicious SQL/XML commands leading to SQL/XPath/XQuery injection or be invalid input that intends to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far for identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance due to the fact that it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype, XiParam, is developed and tested on vulnerable applications developed with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective in detecting both XQuery injection and parameter tampering vulnerabilities.
UR - http://www.scopus.com/inward/record.url?scp=85009291490&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85009291490&partnerID=8YFLogxK
U2 - 10.1007/s10207-016-0359-4
DO - 10.1007/s10207-016-0359-4
M3 - Article
AN - SCOPUS:85009291490
SN - 1615-5262
VL - 17
SP - 105
EP - 120
JO - International Journal of Information Security
JF - International Journal of Information Security
IS - 1
ER -