Preventing web application injections with complementary character coding

Raymond Mui, Phyllis Frankl

    Research output: Chapter in Book/Report/Conference proceedingConference contribution


    Web application injection attacks, such as SQL injection and cross-site scripting (XSS) are major threats to the security of the Internet. Several recent research efforts have investigated the use of dynamic tainting to mitigate these threats. This paper presents complementary character coding, a new approach to character level dynamic tainting which allows efficient and precise taint propagation across the boundaries of server components, and also between servers and clients over HTTP. In this approach, each character has two encodings, which can be used to distinguish trusted and untrusted data. Small modifications to the lexical analyzers in components, such as the application code interpreter, the database management system, and (optionally) the web browser, allow them to become complement aware components, capable of using this alternative character coding scheme to enforce security policies aimed at preventing injection attacks, while continuing to function normally in other respects. This approach overcomes some weaknesses of previous dynamic tainting approaches. Notably, it offers a precise protection against persistent cross-site scripting attacks, as taint information is maintained when data is passed to a database and later retrieved by the application program. A prototype implementation with LAMP and Firefox is described. An empirical evaluation shows that the technique is effective on a group of vulnerable benchmarks and has low overhead.

    Original languageEnglish (US)
    Title of host publicationComputer Security, ESORICS 2011 - 16th European Symposium on Research in Computer Security, Proceedings
    PublisherSpringer Verlag
    Number of pages20
    ISBN (Print)9783642238215
    StatePublished - 2011
    Event16th European Symposium on Research in Computer Security, ESORICS 2011 - Leuven, Belgium
    Duration: Sep 12 2011Sep 14 2011

    Publication series

    NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume6879 LNCS
    ISSN (Print)0302-9743
    ISSN (Electronic)1611-3349


    Other16th European Symposium on Research in Computer Security, ESORICS 2011

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • General Computer Science


    Dive into the research topics of 'Preventing web application injections with complementary character coding'. Together they form a unique fingerprint.

    Cite this