Abstract:
The Semantic Web is an emerging technology that is increasingly being employed across application and community boundaries to make the World Wide Web more easily interpretable and to improve content sharing. The Semantic Web uses the Resource Description Framework (RDF) as a standardized logical data model to make its data machine-readable, and the RDF Query/Update languages (SPARQL/SPARUL) as the standard languages to manipulate RDF data. As Semantic Web applications grow increasingly popular, new challenges in protecting them against security threats emerge. Because of their flexible nature, semantic query languages are prone to existing attacks such as command injection as well as to attacks that exploit new vulnerabilities in these languages, making it necessary for application developers to understand the security risks involved when deploying Semantic Web applications. In this research we have analyzed and categorized the possible injection attacks to which semantic query languages are vulnerable. We have developed a deliberately insecure J2EE Semantic Web application, called SemWebGoat, inspired by the open source vulnerable web application WebGoat, that offers a realistic teaching environment for exploiting vulnerabilities in web applications. We have also implemented Web Application Firewall (WAF) protection mechanisms for mitigating SPARQL/SPARUL injection attacks. For the evaluation of SemWebGoat we conducted a user study and performed an experimental evaluation in which we used different web application scanners and penetration testing tools to detect Semantic Web application vulnerabilities. In addition, we also carried out testing to evaluate the performance of SemWebGoat under various test scenarios and stress conditions.
The results of the user study conclude that regular web developers are not normally familiar with the injection vulnerabilities demonstrated in SemWebGoat. Moreover, web application scanners and penetration testing tools do not support SPARQL/SPARUL grammar and are unable to detect the corresponding injection vulnerabilities. The performance testing validates that the use of our WAF rules has a negligible effect on the performance of SemWebGoat, making them a suitable defense mechanism for vulnerable applications.
We have implemented and evaluated WAF rules using the popular open-source firewall ModSecurity, and have extended some existing penetration testing tools to support SPARQL/SPARUL injections, with the aim of assisting both developers and web administrators in protecting their Semantic Web applications.
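As an added illustration of the injection class and the mitigations the abstract names (example code, not code from the thesis or from SemWebGoat): a SPARQL lookup built by string concatenation beside a version that escapes the string literal, a structural check that shows when a parameter has broken out of its literal, and a WAF-style pattern in the spirit of the ModSecurity rules. The query template, the escape rules applied and the detection regex are assumptions of this example.

```python
import re

# Constructed sample query in the style of a J2EE Semantic Web application
# (assumed; not SemWebGoat's own code): look up a user's mailbox by name.
QUERY_TEMPLATE = (
    'PREFIX foaf: <http://xmlns.com/foaf/0.1/>\n'
    'SELECT ?mail WHERE { ?p foaf:name "{name}" . ?p foaf:mbox ?mail }'
)


def build_query_vulnerable(name: str) -> str:
    """Concatenation: whatever the user sends is spliced straight into the query grammar."""
    return QUERY_TEMPLATE.replace("{name}", name)


def escape_sparql_literal(value: str) -> str:
    """Backslash-escape the SPARQL ECHAR characters that can end or reshape a string
    literal, so the input is only ever interpreted as literal text (mitigation)."""
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("'", "\\'")
                 .replace("\n", "\\n")
                 .replace("\r", "\\r")
                 .replace("\t", "\\t"))


def build_query_safe(name: str) -> str:
    return QUERY_TEMPLATE.replace("{name}", escape_sparql_literal(name))


def unescaped_quote_count(query: str) -> int:
    """Structural invariant: this template yields exactly two unescaped double quotes.
    Any other count means the parameter broke out of its literal."""
    return len(re.findall(r'(?<!\\)"', query))


# WAF-style detection (an assumed pattern, not the thesis's ModSecurity rule set):
# a quote followed by SPARQL/SPARUL syntax that only makes sense outside a literal.
INJECTION_RE = re.compile(
    r"""["'][^"']*?(\}|\.|;|\bUNION\b|\bFILTER\b|\bOPTIONAL\b|"""
    r"""\bINSERT\b|\bDELETE\b|\bDROP\b|\bCLEAR\b)""",
    re.IGNORECASE,
)


def looks_like_sparql_injection(param_value: str) -> bool:
    """True when a request parameter contains a quote followed by query syntax."""
    return INJECTION_RE.search(param_value) is not None
```

Run the two builders on a benign name and on a constructed value such as `Alice" .`: the concatenated query ends up with three unescaped quotes while the escaped one keeps two, and the WAF-style check flags only the second value.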