
A Web Application Security System Based On Precise Staining And Whitelist

Posted on: 2013-08-29
Degree: Master
Type: Thesis
Country: China
Candidate: X L Fu
Full Text: PDF
GTID: 2298330467964049
Subject: Computer technology

Abstract/Summary:
In this article, we focus on four attacks: the shell injection attack, the cross-site scripting (XSS) attack, the SQL injection attack and the Webshell attack. To enhance Web application security, we propose a novel access-control system built on the PHP core to protect the Web application. Combining the information flow of the Web application with the control flow of PHP, we use a precise staining mechanism to mark external input data as tainted and then track the flow of tainted data to the calls of key APIs. Before these key APIs execute, we perform several kinds of checks to ensure that the operand of the function is non-malicious. We also check the script's accesses to server-side files, applications and the network against a user-defined whitelist, to prevent a Webshell from destroying server-side files, executing malicious programs, listening on network ports or hijacking the server.

Our system is divided into six parts: the taint data dissemination module, the SQL injection attack protection module, the shell injection attack protection module, the XSS attack protection module, the file access control module and the application access control module.

In this article, our innovations and contributions are:
1) Marking external input data as tainted with the precise staining mechanism and tracking taint dynamically lets us distinguish untrusted data coming from external input directly; knowing whether data is malicious or not is the key to detecting XSS and injection attacks.
2) Auditing the script's accesses to server-side files, applications and the network against a user-defined whitelist effectively protects the Web server from the serious damage a Webshell can cause. For a Web application hosted on a cloud platform, it is difficult to be sure whether the application contains malicious scripts or not, but our system can help prevent such a potential threat.
3) We introduce the concept of risky APIs in PHP and implement mandatory access control in the PHP core: calls to risky APIs are checked against the security rules by hooking the opcode handlers of the PHP core, so in effect we have implemented a security manager for PHP.
4) Our system offers comprehensive protection for Web applications, against both XSS/injection attacks and Webshells. It does not require developers to change the source code, its run-time overhead is low, and it is simple to deploy without obvious performance degradation. The proposed solution is also applicable to Python and Perl.

The first chapter describes the background and the organization of this article. We then study the four mainstream Web security threats, including detailed analysis and enumerated instances. After summarizing some existing Web application security protection methods and their disadvantages, we propose our new system and describe its framework, modules, technical principles, workflow and experimental results in detail.
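The following is an added worked example, not code from the thesis: it models the two mechanisms the abstract describes, character-level taint marking of external input that is checked when a risky API (SQL query, shell execution, HTML output) is about to run, and a user-defined whitelist for file, program and network access. The thesis does this inside the PHP core by hooking opcode handlers; here the checks are ordinary Python functions called at each sink, and it goes slightly beyond the abstract by showing the same taint check at three sinks plus a sanitizer (HTML escaping) that clears taint. All class and function names (TStr, Whitelist, check_sql, check_metachars, outcome, demo) and all sample queries, paths and endpoints are assumptions constructed for the demo.

```python
# Added illustration of the thesis's approach (not the thesis's own code): character-level
# taint tracking checked at risky sinks, plus a whitelist for file, program and network
# access. The thesis hooks PHP opcode handlers; here the checks are plain Python functions
# called at each sink. Every input below is constructed for the demo.
import html, posixpath

SHELL_META = set(";|&$`<>()\n\\\"'")  # characters that change a shell command's structure
HTML_META = set("<>\"'&")              # characters that change HTML/attribute structure

class Blocked(Exception):
    """A sink or whitelist check rejected the operation."""

class TStr:
    """String carrying one taint bit per character (the 'precise staining' idea)."""
    def __init__(self, text, taint=None):
        self.text = text
        self.taint = list(taint) if taint is not None else [False] * len(text)

    @classmethod
    def external(cls, text):  # request data (GET/POST/cookie ...) starts fully tainted
        return cls(text, [True] * len(text))

    def __add__(self, other):  # concatenation keeps the taint bits aligned with the text
        other = other if isinstance(other, TStr) else TStr(str(other))
        return TStr(self.text + other.text, self.taint + other.taint)

    def __radd__(self, other):
        return TStr(str(other)) + self

    def html_escaped(self):
        """Sanitizer: escaped text can no longer change markup, so its taint is cleared."""
        return TStr(html.escape(self.text, quote=True))

def check_sql(q):
    """SQL sink: tainted chars may only be digits outside a literal (numeric parameters)
    or non-quote chars inside one; only trusted quotes open and close literals."""
    in_literal = False
    for ch, tainted in zip(q.text, q.taint):
        if tainted:
            if in_literal and ch in "'\\":
                raise Blocked(f"SQL: tainted quote/escape {ch!r}")
            if not in_literal and not ch.isdigit():
                raise Blocked(f"SQL: tainted {ch!r} outside a string literal")
        elif ch == "'":
            in_literal = not in_literal
    return q.text

def check_metachars(value, meta, sink):
    """Shell-exec and HTML-output sinks: a tainted metacharacter means injected structure."""
    bad = [c for c, t in zip(value.text, value.taint) if t and c in meta]
    if bad:
        raise Blocked(f"{sink}: tainted metacharacters {bad}")
    return value.text

class Whitelist:
    """User-defined whitelist for the script's file, program and network access."""
    def __init__(self, dirs, programs, endpoints):
        self.dirs = [posixpath.normpath(d) for d in dirs]
        self.programs, self.endpoints = set(programs), set(endpoints)

    def open_file(self, path):
        # normpath collapses '..' so traversal cannot leave an allowed directory;
        # a real deployment would also resolve symlinks against the filesystem.
        p = posixpath.normpath(path)
        if not any(p == d or p.startswith(d + "/") for d in self.dirs):
            raise Blocked(f"file access outside whitelist: {p}")
        return p

    def exec_program(self, prog):
        if prog not in self.programs:
            raise Blocked(f"program not whitelisted: {prog}")
        return prog

    def connect(self, host, port):
        if (host, port) not in self.endpoints:
            raise Blocked(f"network endpoint not whitelisted: {host}:{port}")
        return host, port

def outcome(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except Blocked:
        return "blocked"

def demo():
    """Constructed requests against each check; returns a name -> outcome map."""
    wl = Whitelist(["/var/www/html"], ["/usr/bin/convert"], [("db.internal", 3306)])
    uid, name = TStr.external("5"), TStr.external("bob' OR '1'='1")
    shown = TStr.external("<b>hi</b>")
    return {
        "sql_numeric": outcome(check_sql, "SELECT * FROM users WHERE id=" + uid),
        "sql_inject": outcome(check_sql, "SELECT * FROM users WHERE name='" + name + "'"),
        "shell_inject": outcome(check_metachars, "ls " + TStr.external("x; id"), SHELL_META, "shell"),
        "xss_raw": outcome(check_metachars, "<p>" + shown + "</p>", HTML_META, "xss"),
        "xss_escaped": outcome(check_metachars, "<p>" + shown.html_escaped() + "</p>", HTML_META, "xss"),
        "file_traversal": outcome(wl.open_file, "/var/www/html/../../../etc/passwd"),
        "file_ok": outcome(wl.open_file, "/var/www/html/uploads/a.png"),
        "exec_unlisted": outcome(wl.exec_program, "/bin/sh"),
        "net_unlisted": outcome(wl.connect, "203.0.113.9", 4444),
    }
```

The design point is that the decision is made at the sink, not at the input: the same tainted string is harmless as a numeric id or inside a quoted literal and harmful only where a tainted character changes the structure of the query, the command or the markup, which is why a sanitizer such as HTML escaping can legitimately clear the taint. The whitelist checks are independent of taint, since a Webshell's file, program or network access uses no external input at all; they are decided purely by the user-defined policy.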
Keywords/Search Tags: Web Application Security, Injection Attack, XSS, taint, Whitelist, Access Control based on PHP internal