Web applications enable much of today's online business, including banking, shopping, university admissions, and various governmental activities. Anyone with a web browser can access them, and the data they manage typically has significant value both to the users and to the service providers. Cross-site scripting (XSS) and SQL injection are classes of attacks in which an attacker interacts with a client or a database, respectively, through vulnerabilities in the server, thereby gaining the trust level of the server. These classes of attacks are pervasive: since 2005, they have been the most frequently reported classes of vulnerabilities. These vulnerabilities arise because the layers of a web application (client, server, and database) communicate via commands encoded as unstructured strings, and validating untrusted input for use in those commands is error-prone and poses a challenging software engineering problem.
In this talk, I will present a general characterization of these classes of input-validation errors and a set of dynamic and static techniques to detect and prevent XSS and SQL injection attacks. Programmers usually do not explicitly specify their intentions regarding SQL query construction, but I will show how we can use principled techniques to characterize those intentions. We can then prevent attack queries from being sent to the database with a low-overhead runtime check that precisely distinguishes legitimate queries from attacks. In order to help find bugs early in the software development process, I also pursued static analysis, and I will describe a sound and precise analysis that scales to large, real-world web applications and found known and unknown SQL injection vulnerabilities. I will further present how we extended this static analysis to the related but more difficult problem of XSS. I will conclude this talk by discussing future challenges in this domain.
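As an added illustration (not the speaker's own method or code), one way to realize a runtime check in this spirit is to track where each untrusted input lands in the final query string and require that it be confined to a single literal token, so that input can supply a value but never syntax. The simplified tokenizer, the `?` placeholder template, and the sample queries below are all assumptions constructed for this example.

```python
import re

# Constructed, deliberately simplified SQL tokenizer: string literals (with ''
# as the escaped quote), numbers, identifiers/keywords, -- comments, and
# single-character punctuation. Enough to show the structural check.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|--[^\n]*|\S")


def build_query(template, values):
    """Fill '?' placeholders by raw string concatenation (the unsafe
    construction the check guards) and record the span of each value."""
    query, spans = "", []
    for part, value in zip(template.split("?"), values + [None]):
        query += part
        if value is not None:
            spans.append((len(query), len(query) + len(value)))
            query += value
    return query, spans


def input_confined_to_literal(query, spans):
    """True iff every untrusted span lies entirely inside one string or
    number token of the assembled query; otherwise the input has changed
    the query's syntactic structure and the query is rejected."""
    for start, end in spans:
        for m in TOKEN_RE.finditer(query):
            if m.start() <= start and end <= m.end():
                tok = m.group()
                if tok.startswith("'") or tok.isdigit():
                    break  # confined to a single literal: acceptable
                return False  # landed inside a keyword, comment, or operator
        else:
            return False  # span straddles token boundaries
    return True


def check_query(template, values):
    """Assemble the query and return (query, accepted)."""
    query, spans = build_query(template, values)
    return query, input_confined_to_literal(query, spans)


if __name__ == "__main__":
    tmpl = "SELECT * FROM users WHERE name = '?'"
    for value in ["alice", "O''Brien", "' OR '1'='1"]:
        print(check_query(tmpl, [value]))
```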