Securing native XML database-driven web applications from XQuery injection vulnerabilities

Database-driven web applications today are XML-based as they handle highly diverse information and favor integration of data with other applications. Web applications have become the most popular way to deliver essential services to customers, and the increasing dependency of individuals on web applications makes them an attractive target for adversaries. The adversaries exploit vulnerabilities in the database-driven applications to craft injection attacks which include SQL, XQuery and XPath injections. A large amount of work has been done on identification of SQL injection vulnerabilities resulting in several tools available for the purpose. However, a limited work has been done so far for the identification of XML injection vulnerabilities and the existing tools only identify XML injection vulnerabilities which could lead to a specific type of attack. Hence, this work proposes a black-box fuzzing approach to detect different types of XQuery injection vulnerabilities in web applications driven by native XML databases. A prototype XQueryFuzzer is developed and tested on various vulnerable applications developed with BaseX as the native XML database. An experimental evaluation demonstrates that the prototype is effective against detection of XQuery injection vulnerabilities. Three new categories of attacks specific to XQuery, but not listed in OWASP are identified during testing.