Title

A Website Security Protection Framework Using XML Validation

Parallel title

A Framework for Securing Web Applications by XML Validation

DOI

10.6382/JIM.200604.0033

Authors

陳彥錚 (Yen-Cheng Chen); 林錦雲 (Chin-Yun Lin)

Keywords

E-Commerce Security; SQL injection; XML Schema; Input validation

Journal

Journal of Information Management (資訊管理學報)

Volume and issue / Publication date

Vol. 13, No. 2 (2006/04/01)

Pages

33 - 53

Language

Traditional Chinese

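Chinese abstract

Past research on e-commerce security has mostly focused on the confidentiality of data communications. However, even when e-commerce sites adopt secure transaction mechanisms such as SSL or SET, theft of or tampering with secured transaction data is still reported from time to time. The main cause is not that the encryption mechanisms are insufficiently secure, but security vulnerabilities in the e-commerce web applications themselves. Most of these vulnerabilities arise because web applications do not rigorously validate site input data from a security standpoint, which lets malicious attackers exploit the gap to steal or tamper with transaction data. SQL injection is the typical example; similar attacks include cross-site scripting, price-changing attacks, and poisoned cookies. Because each web application is designed for a different purpose, it is difficult to use one uniform input-checking routine to prevent all of these attacks. This paper proposes a website security protection framework that uses XML Schema validation. Web developers need only use standard XML Schema documents as the security policy description language for the web application, describing the properties of the web page input data, and the protection mechanism then validates the input data automatically. The protection mechanism, located between the web server and the application, converts the input data into an XML document and then uses the built-in validation capability of XML processing to determine whether an application-level security attack is present. Compared with previous related research, the proposed mechanism uses standard XML Schema as the web security policy description language, which is easy to learn and requires no complex compiler. In addition, this mechanism does not require changing the network configuration or existing web applications. It improves on earlier approaches in both respects and is a simple and effective website security protection mechanism.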

English abstract

Many previous studies on web security focus on the data confidentiality issue. However, confidential data in web applications may be revealed even when security mechanisms like SSL or SET are adopted in web sites. This is because there exist potential security vulnerabilities in web applications themselves. Most of these vulnerabilities are caused by the lack of solid input validation for protecting web applications. SQL injection is a typical example of attacks based on these vulnerabilities. Cross-site Scripting (XSS), price changing attacks, and poisoned cookies are other known security threats to web applications. It is a challenge to develop a unified method to validate web inputs for all web applications. In this paper, we propose a framework for protecting web applications based on XML validation technology. We use the standard XML schema as a security policy description language (SPDL). Developers can use XML schema to specify the properties of web inputs. In the proposed framework, located between the web server and web applications, web inputs are first encapsulated in an XML document generated on the fly. Then, the XML document is validated by using XML schema. If no errors are found after the XML validation, the web inputs are valid for web applications. Hence, web applications can be protected effectively. Compared with previous approaches, our framework uses the standardized XML schema as the SPDL for web applications. Therefore, no particular compiler is required. In addition, no network configuration is needed in our framework. Legacy web applications can also be protected without any modifications. In summary, our framework provides a simpler and more effective mechanism for securing web applications.

Subject classification: Basic and Applied Sciences > Information Science
Social Sciences > Management