DOCSLIB.ORG

ZAP Efficient Scanner for Server Side Template Injection Using Polyglots

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ZAP-ESUP: ZAP Efficient Scanner for Server Side Template Injection Using Polyglots Diogo Miguel Reis Silva Thesis to obtain the Master of Science Degree in Information Systems and Computer Engineering Supervisor(s): Prof. Pedro Miguel dos Santos Alves Madeira Adão Examination Committee Chairperson: Prof. Luis Manuel Antunes Veiga Supervisor: Prof. Pedro Miguel dos Santos Alves Madeira Adão Member of the Committee: Prof. Miguel Nuno Dias Alves Pupo Correia October 2018 ii Dedicado ao meu avoˆ Antonio´ e a` minha avo´ Luzita. iii iv Acknowledgments Primeiro de tudo queria agradecer aos meus pais por todo o suporte, ajuda, e amor que me deram. Tambem´ queria agradecer pelo apoio e carinho do meu irmao,˜ da minha namorada, dos meus avos´ e toda a fam´ılia. A qualidade deste documento nunca teria sido tao˜ boa caso nao˜ tivesse sido revisto varias´ vezes pelo meu orientador, a Rafaela, o Vasco, e o Filipe aos quais agradec¸o o grande trabalho e paciencia.ˆ Durante o desenvolvimento do meu scanner sempre que necessario´ tive a ajuda da equipa do ZAP thc202, Simon Bennetts e kingthorin pelo qual agradec¸o o tempo gasto e paciencia.ˆ Os ultimos´ dois anos da minha vida foram feitos de grandes amizades, felicidades e feitos grac¸as a toda a equipa dos STT, mas especialmente grac¸as ao Madlebro, ao Jofra, ao Jcfg, ao Majo, ao Xtrm0, ao NCA, ao Sabino e ao LordCommander. A equipa STT so´ e´ poss´ıvel grac¸as ao professor Adao˜ e ao seu incansavel´ empenho, consegui realizar o meu sonho de crianc¸a de me tornar um Hacker e no futuro trabalhar em algo que eu faria nos meus tempos livres, pelo qual lhe agradec¸o imensamente. Finalmente gostaria de agradecer aos meus amigos que me acompanharam durante todo o meu percurso academico´ e com os quais adorei trabalhar, o Nuno, o Alexandre e o Gonc¸alo. v vi Resumo Recentemente, Kettle [1] exposˆ a descoberta de um novo tipo de vulnerabilidade a` qual chamou Server Side Template Injection (SSTI). Esta vulnerabilidade acontece em Template Engines, que sao˜ programas usados para combinar modelos de dados com templates. Estes templates contemˆ tanto Hypertext Markup Language (HTML) como codigo´ de Template, que define como o HTML dinamicoˆ e´ gerado dependendo do modelo de dados recebido. O codigo´ de alguns template engines permitem a execuc¸ao˜ de toda a funcionalidade da linguagem de programac¸ao.˜ Se o input do utilizador for incorrectamente inserido no meio do template em vez de ser usado como modelo de dados, um atacante pode executar codigo´ no servidor. SSTI pode ser considerada uma vulnerabilidade da classe A1-Injection que e´ a classe de vulnerabilidade com o maior risco de seguranc¸a segundo o Open Web Application Security Project (OWASP) Top 10 2017 [2]. Pelo que sei so´ existem dois varredores de vulnerabilidades que detetam e exploram SSTI, Burp Suite e Tplmap. Estas soluc¸oes˜ ou sao˜ software proprietario´ (Burp Suite), ou temˆ uma quantidade limitada de payloads fixos e consequentemente restrito a um numero´ limitado de template engines (Tplmap). Nenhum deles consegue encontrar vulnerabilidades quando o input e´ guardado e usado depois em outras paginas (Stored SSTI). Neste trabalho, eu estudei as situac¸oes˜ onde SSTI pode estar presente, desenvolvi um varredor de vulnerabilidades que procura SSTI automaticamente num maior leque de situac¸oes˜ (reflected, stored, e blind), introduzi uma tecnica´ mais eficiente que usa payloads poliglotas para procurar SSTI com menos do que 25% dos pedidos feitos pelos outros varredores de vulnerabilidades, e conclui construindo e us- ando um conjunto de testes para comparar as soluc¸oes˜ existentes. Esta soluc¸ao˜ vai ser disponibilizada como um plug-in para o OWASP Zed Attack Proxy, que e´ uma ferramenta open-source para procurar vulnerabilidades em aplicac¸oes˜ web e que e´ usada por um grande numero´ de utilizadores. Palavras-chave: seguranc¸a, apllicac¸oes˜ web, SSTI, ingecc¸ao,˜ varredor de vulnerabilidades vii viii Abstract Recently, Kettle [1] exposed the discovery of a new type of vulnerability which he called SSTI. A Template engine is software used to combine data models with templates which contain both static HTML and template code. This template code defines how the dynamic HTML is generated depending on the given data model, and some even allow full programming language functionality. If the user input is incorrectly inserted in the middle of the template instead of being used as the data model, an attacker can execute code in the server. SSTI can be considered an A1-Injection that is the class with the highest security risk according to OWASP Top 10 2017 [2]. To the best of my knowledge only 2 solutions have been developed to detect or exploit SSTI, Burp Suite and Tplmap. These solutions are either proprietary software (Burp Suite), or have a limited amount of (fixed) payloads and consequently restricted to a limited number of template engines (Tplmap). None of them can find vulnerabilities when the input is stored and used in other pages (Stored SSTI). In this work, I studied the situations where SSTI may be present, developed a scanner that au- tomatically detects SSTI vulnerabilities in a broader range of situations (reflected, stored, and blind), introduced an efficient technique that uses polyglot payloads to detect SSTI with less than 25% of the requests made by the other scanners, and concluded by constructing and using a set of tests to com- pare with the existent solutions. The solution will be made available as a plug-in for OWASP Zed Attack Proxy, a widely used open-source penetration testing tool to find vulnerabilities in web applications. Keywords: security, web application, SSTI, injection, vulnerability scanner, polyglot ix x Contents Acknowledgments...........................................v Resumo................................................. vii Abstract................................................. ix List of Tables.............................................. xiii List of Figures............................................. xv Nomenclature..............................................1 Glossary................................................1 1 Introduction 1 1.1 Motivation.............................................1 1.2 Solution..............................................3 1.3 Objectives.............................................3 1.4 Thesis Outline..........................................4 2 Background 5 2.1 Web Applications.........................................5 2.2 Vulnerabilities Detection.....................................5 2.3 Server Side Template Injection.................................9 2.3.1 Relation of SSTI with other types of vulnerabilities.................. 11 2.3.2 Exploiting Server Side Template Injection....................... 12 2.3.3 Real cases of SSTI................................... 15 2.3.4 Analysis of situations where the vulnerability can happen.............. 17 2.4 Web Scanners for Injection Vulnerabilities........................... 19 2.5 Vulnerability Scanners for Server Side Template Injection.................. 24 2.6 OWASP Zed Attack Proxy.................................... 27 3 Implementation 29 3.1 Architecture and Interactions.................................. 30 3.2 Components Description..................................... 32 3.2.1 Sink Manager....................................... 32 3.2.2 Efficient Vulnerability Detector............................. 32 3.2.3 Message Comparator.................................. 37 xi 3.2.4 Arithmetic Evaluation Detector............................. 41 3.2.5 Blind Vulnerability Detector............................... 42 3.2.6 Syntax Fixer....................................... 42 4 Experiemental Evaluation 45 4.1 Simple Tests - Reflected Results................................ 46 4.2 Stored and Blind SSTI Test Cases............................... 47 4.3 Injection inside template code tests............................... 49 4.4 Real Example Test........................................ 50 4.5 Performance Tests........................................ 50 4.6 Generalisation Capacity Tests.................................. 52 5 Conclusions 55 5.1 Achievements........................................... 55 5.2 Future Work............................................ 56 Bibliography 57 xii List of Tables 2.1 Possible test result classification.................................6 2.2 Probe pairs from Backslash Powered Scanner [37]...................... 21 3.1 Capabilities depending on the ZAP Strength configuration.................. 29 3.2 Tests to discover the best way of causing errors........................ 35 3.3 Tests to polyglots......................................... 36 3.4 Specific tests to Django, DustJs and Go............................ 42 4.1 Simple Vulnerabilities Detection Table. yes - found vulnerability; ybne - found vulnerability but says that is not exploitable; the column RCE says if I found an exploit for rce in some source or by myself........................................ 47 4.2 Stored and Blind SSTI tests results............................... 48 4.3 Injection inside template code tests results.......................... 49 4.4 Performance Tests Table..................................... 51 4.5 Generalisation capacity tests results.............................. 52 xiii xiv List of Figures 2.1 Process of rendering a template................................. 10 2.2 Reflected SSTI timeline...................................... 17 2.3 Stored SSTI with posterior injection and rendering timeline.................. 18 2.4
Recommended publications
  • Jinja Documentation (3.0.X) Release 3.0.0

    Jinja Documentation (3.0.X) Release 3.0.0

    Jinja Documentation (3.0.x) Release 3.0.0 Pallets May 11, 2021 CONTENTS: 1 Introduction 3 1.1 Prerequisites...............................................3 1.2 Installation................................................3 1.3 Basic API Usage.............................................4 2 API 5 2.1 Basics...................................................5 2.2 Unicode..................................................6 2.3 High Level API..............................................6 2.4 Autoescaping............................................... 13 2.5 Notes on Identifiers............................................ 14 2.6 Undefined Types............................................. 14 2.7 The Context............................................... 17 2.8 Loaders.................................................. 18 2.9 Bytecode Cache............................................. 21 2.10 Async Support.............................................. 23 2.11 Policies.................................................. 23 2.12 Utilities.................................................. 24 2.13 Exceptions................................................ 25 2.14 Custom Filters.............................................. 26 2.15 Evaluation Context............................................ 27 2.16 Custom Tests............................................... 28 2.17 The Global Namespace.......................................... 28 2.18 Low Level API.............................................. 29 2.19 The Meta API.............................................
  • Minimal Perl for UNIX and Linux People

    Minimal Perl for UNIX and Linux People

    Minimal Perl For UNIX and Linux People BY TIM MAHER MANNING Greenwich (74° w. long.) For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact: Special Sales Department Manning Publications Co. Cherokee Station PO Box 20386 Fax: (609) 877-8256 New York, NY 10021 email: [email protected] ©2007 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps. Recognizing the importance of preserving what has been written, it is Manning’s policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Manning Publications Co. Copyeditor: Tiffany Taylor 209 Bruce Park Avenue Typesetters: Denis Dalinnik, Dottie Marsico Greenwich, CT 06830 Cover designer: Leslie Haimes ISBN 1-932394-50-8 Printed in the United States of America 12345678910–VHG–1009080706 To Yeshe Dolma Sherpa, whose fortitude, endurance, and many sacrifices made this book possible. To my parents, Gloria Grady Washington and William N. Maher, who indulged my early interests in literature. To my limbic system, with gratitude for all the good times we’ve had together.
  • C DEFINES and C++ TEMPLATES Professor Ken Birman

    C DEFINES and C++ TEMPLATES Professor Ken Birman

    Professor Ken Birman C DEFINES AND C++ TEMPLATES CS4414 Lecture 10 CORNELL CS4414 - FALL 2020. 1 COMPILE TIME “COMPUTING” In lecture 9 we learned about const, constexpr and saw that C++ really depends heavily on these Ken’s solution to homework 2 runs about 10% faster with extensive use of these annotations Constexpr underlies the “auto” keyword and can sometimes eliminate entire functions by precomputing their results at compile time. Parallel C++ code would look ugly without normal code structuring. Const and constexpr allow the compiler to see “beyond” that and recognize parallelizable code paths. CORNELL CS4414 - FALL 2020. 2 … BUT HOW FAR CAN WE TAKE THIS IDEA? Today we will look at the concept of programming the compiler using the templating layer of C++ We will see that it is a powerful tool! There are also programmable aspects of Linux, and of the modern hardware we use. By controlling the whole system, we gain speed and predictability while writing elegant, clean code. CORNELL CS4414 - FALL 2020. 3 IDEA MAP FOR TODAY History of generics: #define in C Templates are easy to create, if you stick to basics The big benefit compared to Java is that a template We have seen a number of parameterized is a compile-time construct, whereas in Java a generic types in C++, like std::vector and std::map is a run-time construct. The template language is Turing-complete, but computes These are examples of “templates”. only on types, not data from the program (even when They are like generics in Java constants are provided).
  • Cherrypy Documentation Release 10.0.1.Dev0+Ng4134282.D20170207

    Cherrypy Documentation Release 10.0.1.Dev0+Ng4134282.D20170207

    CherryPy Documentation Release 10.0.1.dev0+ng4134282.d20170207 CherryPy Team February 07, 2017 Contents 1 Foreword 1 1.1 Why CherryPy?.............................................1 1.2 Success Stories..............................................2 2 Installation 5 2.1 Requirements...............................................5 2.2 Supported python version........................................5 2.3 Installing.................................................5 2.4 Run it...................................................6 3 Tutorials 9 3.1 Tutorial 1: A basic web application...................................9 3.2 Tutorial 2: Different URLs lead to different functions.......................... 10 3.3 Tutorial 3: My URLs have parameters.................................. 11 3.4 Tutorial 4: Submit this form....................................... 12 3.5 Tutorial 5: Track my end-user’s activity................................. 12 3.6 Tutorial 6: What about my javascripts, CSS and images?........................ 13 3.7 Tutorial 7: Give us a REST....................................... 15 3.8 Tutorial 8: Make it smoother with Ajax................................. 17 3.9 Tutorial 9: Data is all my life...................................... 19 3.10 Tutorial 10: Make it a modern single-page application with React.js.................. 22 3.11 Tutorial 11: Organize my code...................................... 25 4 Basics 27 4.1 The one-minute application example.................................. 28 4.2 Hosting one or more applications...................................
  • Php, Template Et Http

    Php, Template Et Http

    EPAI, Jérôme Frossard (2016) PHP, TEMPLATE ET HTTP Développer des application Web Notion de template 1 ¨ Un template est modèle de document, c’est-à-dire un document dont la forme est définie, mais dont une partie du contenu est variable. ¨ Pour réaliser les parties variables, on insère dans le texte du document des instructions qui permettront au moteur de template de produire le texte variable. ¨ On utilise généralement des balises telles que <% et %>, pour séparer les instructions que le moteur de template doit interpréter, du texte qu’il doit copier sans changement dans le ou les documents résultants. EPAI, Jérôme Frossard (2016) Notion de moteur de template 2 ¨ Un moteur de templates (template processor) est un programme qui combine un template (modèle) et des données pour produire un ou plusieurs documents. Données ... <html> <body> <h1> Moteur de Documents <?=$titre?> templates résultants </h1> ... Template (patron) ¨ Quelques exemples : ASP.NET, JSP, Apache Velocity EPAI, Jérôme Frossard (2016) PHP, un langage de template ? 3 ¨ Le code PHP peut être intégré dans n’importe quel fichier de texte grâce aux balises PHP (<?php et ?>) ¨ À l’exécution, les balises PHP sont remplacées par le texte affiché par le code. ¨ PHP peut donc être utiliser comme un langage de template et son interpréteur comme un moteur de template. EPAI, Jérôme Frossard (2016) Exemple de template PHP 4 <!DOCTYPE html> <html> Fichier guestbook.php <head> <?php <title>Livre d'or</title> // inclut le fichier autoload.php qui contient <link rel="stylesheet" href="guestbook.css"> // les fonctions nécessaires au chargement des </head> // classes utilisée dans le script.
  • Jinja2 Documentation Release 2.9.6 September 29, 2017

    Jinja2 Documentation Release 2.9.6 September 29, 2017

    Jinja2 Documentation Release 2.9.6 September 29, 2017 Contents I Jinja2 Documentation1 1 Introduction3 2 API 7 3 Sandbox 39 4 Template Designer Documentation 45 5 Extensions 85 6 Integration 103 7 Switching from other Template Engines 105 8 Tips and Tricks 111 II Additional Information 115 9 Frequently Asked Questions 117 10 Jinja2 Changelog 121 i ii Part I JINJA2 DOCUMENTATION 1 2 CHAPTER 1 Introduction This is the documentation for the Jinja2 general purpose templating language. Jinja2 is a library for Python that is designed to be flexible, fast and secure. If you have any exposure to other text-based template languages, such as Smarty or Django, you should feel right at home with Jinja2. It’s both designer and developer friendly by sticking to Python’s principles and adding functionality useful for tem- plating environments. Prerequisites Jinja2 works with Python 2.6.x, 2.7.x and >= 3.3. If you are using Python 3.2 you can use an older release of Jinja2 (2.6) as support for Python 3.2 was dropped in Jinja2 version 2.7. If you wish to use the PackageLoader class, you will also need setuptools or distribute installed at runtime. Installation You have multiple ways to install Jinja2. If you are unsure what to do, go with the Python egg or tarball. 3 As a Python egg (via easy_install) You can install the most recent Jinja2 version using easy_install or pip: easy_install Jinja2 pip install Jinja2 This will install a Jinja2 egg in your Python installation’s site-packages directory.
  • Cherrypy Documentation Release 3.2.4

    Cherrypy Documentation Release 3.2.4

    CherryPy Documentation Release 3.2.4 CherryPy Team Jun 30, 2017 Contents 1 Foreword 1 1.1 Why CherryPy?.............................................1 1.2 Success Stories..............................................2 2 Installation 5 2.1 Requirements...............................................5 2.2 Supported python version........................................6 2.3 Installing.................................................6 2.4 Run it...................................................6 3 Tutorials 9 3.1 Tutorial 1: A basic web application................................... 10 3.2 Tutorial 2: Different URLs lead to different functions.......................... 10 3.3 Tutorial 3: My URLs have parameters.................................. 11 3.4 Tutorial 4: Submit this form....................................... 12 3.5 Tutorial 5: Track my end-user’s activity................................. 13 3.6 Tutorial 6: What about my javascripts, CSS and images?........................ 14 3.7 Tutorial 7: Give us a REST....................................... 15 3.8 Tutorial 8: Make it smoother with Ajax................................. 17 3.9 Tutorial 9: Data is all my life...................................... 19 3.10 Tutorial 10: Organize my code...................................... 22 4 Basics 23 4.1 The one-minute application example.................................. 24 4.2 Hosting one or more applications.................................... 25 4.3 Logging.................................................. 26 4.4 Configuring...............................................
  • Xround : a Reversible Template Language and Its Application in Model-Based Security Analysis

    Xround : a Reversible Template Language and Its Application in Model-Based Security Analysis

    This is a repository copy of XRound : A reversible template language and its application in model-based security analysis. White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/54730/ Version: Submitted Version Article: Chivers, Howard Robert orcid.org/0000-0001-7057-9650 and Paige, Richard F. orcid.org/0000-0002-1978-9852 (2009) XRound : A reversible template language and its application in model-based security analysis. Information and Software Technology. pp. 876-893. https://doi.org/10.1016/j.infsof.2008.05.006 Reuse Items deposited in White Rose Research Online are protected by copyright, with all rights reserved unless indicated otherwise. They may be downloaded and/or printed for private study, or other acts as permitted by national copyright laws. The publisher or other rights holders may allow further reproduction and re-use of the full text version. This is indicated by the licence information on the White Rose Research Online record for the item. Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request. [email protected] https://eprints.whiterose.ac.uk/ XRound: A Reversible Template Language and its application in Model-Based Security Analysis Howard Chivers and Richard F. Paige Department of Information Systems, Cranfield University, Shrivenham, UK. Department of Computer Science, University of York, UK. [email protected], [email protected] Limited tool support currently exists for bidirectional Abstract Successful analysis of the models used in Model- transformations; key state of the art is summarised in Driven Development requires the ability to synthesise the Section 2.
  • 7X9 Word Template

    7X9 Word Template

    Apache Wink User Guide Software Version: 0.1 The Apache Wink User Guide document is a broad scope document that provides detailed information about the Apache Wink 0.1 design and implementation. Apache Wink 0.1 User Guide Table of Contents Apache Wink User Guide............................................................. 1 Table of Contents ......................................................................... 2 List of Tables ............................................................................... 8 1. Introduction .......................................................................... 9 1.1.1. Important Note ................................................................................................... 9 1.2. Target Audience .................................................................................................... 10 1.3. JAX-RS Compliancy .............................................................................................. 10 2. Apache Wink Architecture ................................................... 11 2.1. Wink Runtime Architecture Overview .................................................................. 11 2.2. Request Processor ................................................................................................. 12 2.3. Deployment Configuration .................................................................................... 13 2.3.1. Customization ................................................................................................... 13 2.4. Handler Chains ....................................................................................................
  • Tutorials Table of Contents

    Tutorials Table of Contents

    Tutorials Table of Contents: Tutorials mod_perl related tutorials, teaching you things not only about mod_perl, but also about any related topics of great interest to mod_perl programmers. Last modified Sun Feb 16 01:37:13 2014 GMT 15 Feb 2014 1 Table of Contents: Part I: Application Design - 1. Building a Large-Scale E-commerce site with Apache and mod_perl mod_perl’s speed and Perl’s flexibility make them very attractive for large-scale sites. Through careful planning from the start, powerful application servers can be created for sites requiring excel- lent response times for dynamic content, such as eToys.com, all by using mod_perl. Part II: Templating - 2. Choosing a Templating System Everything you wanted to know about templating systems and didn’t dare to ask. Well, not every- thing.... Part III: Tips and Tricks - 3. Cute Tricks With Perl and Apache Perl and Apache play very well together, both for administration and coding. However, adding mod_perl to the mix creates a heaven for an administrator/programmer wanting to do cool things in no time! Part IV: Client side facts and bugs - 4. Workarounds for some known bugs in browsers. Unfortunately for web programmers, browser bugs are not uncommon, and sometimes we have to deal with them; refer to this chapter for some known bugs and how you can work around them. - 5. Web Content Compression FAQ Everything you wanted to know about web content compression 2 15 Feb 2014 Building a Large-Scale E-commerce site with Apache and mod_perl 1 Building a Large-Scale E-commerce site with Apache and mod_perl 1 Building a Large-Scale E-commerce site with Apache and mod_perl 15 Feb 2014 3 1.1 Description 1.1 Description mod_perl’s speed and Perl’s flexibility make them very attractive for large-scale sites.
  • Comparative Study on Python Web Frameworks: Flask and Django

    Comparative Study on Python Web Frameworks: Flask and Django

    Devndra Ghimire Comparative study on Python web frameworks: Flask and Django Metropolia University of Applied Sciences Bachelor of Engineering Media Engineering Bachelor’s Thesis 5 May 2020 Abstract Devndra Ghimire Author(s) Comparative study on Python web frameworks: Flask and Title Django. Number of Pages 37 pages + 0 appendices Date 5 May 2010 Degree Bachelor of Engineering Degree Programme Media Engineering Specialisation option Software Engineering Instructor(s) Kari Salo, Senior Lecturer The purpose of the thesis was to the study the various features, advantages, and the limita- tion of two web development frameworks for Python programming language. It aims to com- pare the usage of Django and Flask frameworks from a novice point of view. The theoretical part of the thesis presents the various types of programming languages and web technolo- gies. In the practical part, however, the study is divided into two parts, each part observing the respective web application framework. In order to perform the comparison, a social network and eCommerce like application was built for Flask and Django respectively. The comparison was started by developing the social network application first with Flask and finished with the e-commerce application using Django. Python programing language, SQLite database for the backend and HTML, JavaS- cript, and Ajax were used for the frontend technology. At the end of the project, both appli- cations were deployed to the cloud platform called Heroku. After the comparison, it was found that the most significant advantages of Flask were that it provides simplicity, flexibility, fine-grained control and quick and easy to learn. On the other hand, Django was easy to work with because of its extensive features and support for librar- ies.
  • A Transformation Language for RDF Based on SPARQL Olivier Corby, Catherine Faron Zucker

    A Transformation Language for RDF Based on SPARQL Olivier Corby, Catherine Faron Zucker

    A Transformation Language for RDF based on SPARQL Olivier Corby, Catherine Faron Zucker To cite this version: Olivier Corby, Catherine Faron Zucker. A Transformation Language for RDF based on SPARQL. van der Aalst, W.; Mylopoulos, J.; Rosemann, M.; Shaw, M.J.; Szyperski, C. Web Informa- tion Systems and Technologies, Springer, 2015, Lecture Notes in Business Information Processing, 10.5220/0005450604660476. hal-01186048 HAL Id: hal-01186048 https://hal.inria.fr/hal-01186048 Submitted on 24 Aug 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. A Transformation Language for RDF based on SPARQL Olivier Corby1 and Catherine Faron-Zucker2 1 Inria, France 2 Univ. Nice Sophia Antipolis, CNRS, I3S, France Abstract. XSLT is a language for transforming XML documents into other XML documents. Despite its 16 years long life, the RDF Semantic Web language still waits its transformation language. Some propositions have been done, relying on and extending XSLT, but none of them be- came widely used. In this paper, we present a radically new transforma- tion language for RDF, called STTL. It enables to transform RDF into RDF as well as any other text format.