Abstract
Web application programmers must be aware of a wide range of potential security risks. Although the most common pitfalls are well described and categorized in the literature, it remains a challenging task to ensure that all guidelines are followed. For this reason, it is desirable to construct automated tools that can assist the programmers in the application development process by detecting weaknesses. Many vulnerabilities are related to web application code that stores references to application state in the generated HTML documents to work around the statelessness of the HTTP protocol. In this paper, we show that such client-state manipulation vulnerabilities are amenable to tool supported detection. We present a static analysis for the widely used frameworks Java Servlets, JSP, and Struts. Given a web application archive as input, the analysis identifies occurrences of client state and infers the information flow between the client state and the shared application state on the server. This makes it possible to check how client-state manipulation performed by malicious users may affect the shared application state and cause leakage or modifications of sensitive information. The warnings produced by the tool help the application programmer identify vulnerabilities. Moreover, the inferred information can be applied to configure a security filter that automatically guards against attacks. Experiments on a collection of open source web applications indicate that the static analysis is able to effectively help the programmer prevent client-state manipulation vulnerabilities.
Original language | English |
---|---|
Title of host publication | 34th International Conference on Software Engineering (ICSE 2012) : Proceedings |
Editors | Martin Glinz, Gall Murphy, Mauro Pezzè |
Number of pages | 11 |
Publisher | IEEE Communications Society |
Publication date | 2012 |
Pages | 749 - 759 |
ISBN (Print) | 9781467310673 |
DOIs | |
Publication status | Published - 2012 |
Event | International Conference on Software Engineering - Zürich, Switzerland Duration: 5 Jun 2012 → 8 Jun 2012 |
Conference
Conference | International Conference on Software Engineering |
---|---|
Country/Territory | Switzerland |
City | Zürich |
Period | 05/06/2012 → 08/06/2012 |