Effective filter for common injection attacks in online web applications

Abstract

Injection attacks against web applications are still frequent, and organizations like OWASP places them within the Top Ten of security risks to web applications. The main goal of this work is to contribute to the community with the design of an effective protection of web applications against common injection attacks. Our proposal is a validation filter of input fields that is based on OWASP Stinger, a set of regular expressions, and a sanitization process. It validates both fundamental characters (letters, numbers, dot, dash, question marks, and exclamation point) and complex statements (JSON and XML files) for each field. The procedure of deploying the proposed filter is detailed, specifying the sections and contents of the configuration file. In addition, the infrastructure for running the tests is described, including the setting of an attack tool, and the implementation of a controller. The attack tool is used as a security scanner for common injection attacks, and the controller is developed for routing the requests in two steps; first a request is addressed to the filter, and if it is valid, it will redirect to the web application itself. The proposal filter has been tested on three public as well as on a real private web application. An accuracy of 98,4% and an average processing time of 50 ms are achieved, based on wich it is possible to conclude the proposed filter is highly reliable and does not require additional computational resources.