Preventing Injection Attacks with Syntax Embeddings: A Host and Guest Language Independent Approach

Author: Bravenboer, M.; Dolstra, E.; Visser, E.
Faculty: Electrical Engineering, Mathematics and Computer Science
Department: Software Technology
Date: 2007-10-01

Abstract
Software written in one language often needs to construct sentences in another language, such as SQL queries, XML output, or shell command invocations. This is almost always done using unhygienic string manipulation, the concatenation of constants and client-supplied strings. A client can then supply specially crafted input that causes the constructed sentence to be interpreted in an unintended way, leading to an injection attack. We describe a more natural style of programming that yields code that is impervious to injections by construction. Our approach embeds the grammars of the guest languages (e.g., SQL) into that of the host language (e.g., Java) and automatically generates code that maps the embedded language to constructs in the host language that reconstruct the embedded sentences, adding escaping functions where appropriate. This approach is generic, meaning that it can be applied with relative ease to any combination of host and guest languages.

Preprint accepted for publication in: Generative Programming and Component Engineering, 6th International Conference, GPCE 2007, Salzburg, Austria, October 1-3, 2007
To reference this document use: http://resolver.tudelft.nl/uuid:aab5f097-5662-447c-a216-f671c49fa965
Publisher: Delft University of Technology, Software Engineering Research Group
ISSN: 1872-5392
Source: Technical Report Series TUD-SERG-2007-003
Part of collection: Institutional Repository
Document type: report
Rights: (c) 2007 The authors. Software Engineering Research Group, Department of Software Technology, Faculty of Electrical Engineering, Mathematics and Computer Science, Delft University of Technology.
Files: PDF TUD-SERG-2007-003.pdf (263.2 KB)
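As an added illustration of the abstract's point (example code written for this page, not code from the paper, whose tooling generates host code of this kind from embedded guest syntax), here is a hand-written version of what such generated code amounts to: a small SQL abstract syntax embedded in Python as the host language, with client data admitted only as literal nodes and escaping applied once, when the tree is unparsed. The node names, the `users` table and the sample input are constructed for the example; the concatenation function beside it is the unhygienic style the abstract describes.

```python
from dataclasses import dataclass

# Guest-language (SQL) AST nodes, embedded in the host language (Python).
@dataclass(frozen=True)
class Literal:          # a string literal: the only node client data can become
    value: str

@dataclass(frozen=True)
class Column:           # an identifier chosen by the program, never by the client
    name: str

@dataclass(frozen=True)
class Equals:           # <column> = <literal>
    left: Column
    right: Literal

@dataclass(frozen=True)
class Select:           # SELECT <columns> FROM <table> WHERE <condition>
    columns: tuple      # tuple of Column nodes
    table: str
    where: Equals

def escape_literal(value: str) -> str:
    """Quote a string literal for the guest language (SQL doubles single quotes)."""
    return "'" + value.replace("'", "''") + "'"

def to_sql(node) -> str:
    """Unparse the AST; escaping is applied here, once, at the guest-language boundary."""
    if isinstance(node, Literal):
        return escape_literal(node.value)
    if isinstance(node, Column):
        return node.name
    if isinstance(node, Equals):
        return f"{to_sql(node.left)} = {to_sql(node.right)}"
    if isinstance(node, Select):
        cols = ", ".join(to_sql(c) for c in node.columns)
        return f"SELECT {cols} FROM {node.table} WHERE {to_sql(node.where)}"
    raise TypeError(f"unknown node {node!r}")

def lookup_by_concat(user: str) -> str:
    """Unhygienic style from the abstract: client data is pasted into the sentence."""
    return "SELECT id FROM users WHERE name = '" + user + "'"

def lookup_by_ast(user: str) -> str:
    """Embedded-syntax style: client data can only enter the sentence as a Literal."""
    query = Select((Column("id"),), "users", Equals(Column("name"), Literal(user)))
    return to_sql(query)
```

With a constructed input containing a quote character, `lookup_by_concat` lets the quote change the structure of the sentence, while `lookup_by_ast` keeps it inside a single string literal, which is the "impervious by construction" property the abstract claims.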