Automated Detection of Client-State Manipulation Vulnerabilities

Research output: Contribution to book/anthology/report/proceeding › Article in proceedings › Research › peer-review

Web application programmers must be aware of a wide range of potential security risks. Although the most common pitfalls are well described and categorized in the literature, it remains a challenging task to ensure that all guidelines are followed. For this reason, it is desirable to construct automated tools that assist programmers during application development by detecting weaknesses. Many vulnerabilities are related to web application code that stores references to application state in the generated HTML documents (for example in hidden form fields and URL parameters) to work around the statelessness of the HTTP protocol. In this paper, we show that such client-state manipulation vulnerabilities are amenable to tool-supported detection. We present a static analysis for the widely used frameworks Java Servlets, JSP, and Struts. Given a web application archive as input, the analysis identifies occurrences of client state and infers the information flow between the client state and the shared application state on the server. This makes it possible to check how client-state manipulation performed by malicious users may affect the shared application state and cause leakage or modification of sensitive information. The warnings produced by the tool help the application programmer identify vulnerabilities. Moreover, the inferred information can be applied to configure a security filter that automatically guards against attacks. Experiments on a collection of open source web applications indicate that the static analysis effectively helps the programmer prevent client-state manipulation vulnerabilities.
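The vulnerability class the abstract describes, and the filter idea it mentions, as an added Python example. This is not the paper's tool or code: the catalogue, the order handler, the hidden-field names and the `ClientStateFilter` mechanism (record the client state the server embedded in a page, then reject a submission whose protected fields were altered) are assumptions made here to illustrate the flow from client state into shared server state.

```python
"""Client-state manipulation: a vulnerable handler beside a generated-value
security filter.  Constructed example; every name here is an assumption
made for illustration, not the paper's analysis or filter."""
import html
from html.parser import HTMLParser

# Authoritative server-side data (constructed): prices in cents.
CATALOGUE = {"book-42": 2500}

# Shared application state on the server, i.e. what an attacker wants to corrupt.
ORDERS = []


class _HiddenFieldParser(HTMLParser):
    """Collects <input type="hidden" name=... value=...> pairs from a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""


def extract_client_state(page):
    """Identify the client state the server embedded in generated HTML."""
    parser = _HiddenFieldParser()
    parser.feed(page)
    return parser.fields


def render_order_form(item_id):
    """Works around HTTP statelessness by stashing the price in the HTML."""
    price = CATALOGUE[item_id]
    return (
        '<form method="post" action="/order">'
        f'<input type="hidden" name="item_id" value="{html.escape(item_id)}">'
        f'<input type="hidden" name="price" value="{price}">'
        '<input type="submit" value="Buy"></form>'
    )


def handle_order(params):
    """Vulnerable: client state flows unchecked into shared server state."""
    order = {"item_id": params["item_id"], "price": int(params["price"])}
    ORDERS.append(order)
    return order


class ClientStateFilter:
    """Records, per session, the protected client-state values the server
    generated, and rejects a later request whose values differ."""

    def __init__(self, protected):
        self.protected = set(protected)
        self.expected = {}  # session_id -> {field: generated value}

    def on_response(self, session_id, page):
        generated = extract_client_state(page)
        self.expected[session_id] = {
            k: v for k, v in generated.items() if k in self.protected
        }

    def on_request(self, session_id, params):
        expected = self.expected.get(session_id, {})
        for name in self.protected:
            if name in params and params[name] != expected.get(name):
                return False  # tampered or never generated for this session
        return True


def simulate(session_id, tamper, use_filter=True):
    """Round trip: render form, (optionally) tamper, submit.  Returns the
    price recorded in shared state, or "rejected" if the filter blocked it."""
    ORDERS.clear()
    flt = ClientStateFilter(protected=["item_id", "price"])
    page = render_order_form("book-42")
    flt.on_response(session_id, page)
    params = extract_client_state(page)  # an honest browser echoes these back
    if tamper:
        params["price"] = "1"  # attacker edits the hidden field before submitting
    if use_filter and not flt.on_request(session_id, params):
        return "rejected"
    return handle_order(params)["price"]
```

Without the filter the tampered submission lands in `ORDERS` with a price of 1 cent; with it, the same request is rejected because the submitted `price` no longer matches what the server generated. The filter is only as good as its list of protected fields, which is exactly the information the abstract says the static analysis can infer.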
Original language: English
Title of host publication: 34th International Conference on Software Engineering (ICSE 2012): Proceedings
Editors: Martin Glinz, Gail Murphy, Mauro Pezzè
Number of pages: 11
Publisher: IEEE Communications Society
Publication year: 2012
Pages: 749 - 759
ISBN (print): 9781467310673
DOIs
Publication status: Published - 2012
Event: International Conference on Software Engineering - Zürich, Switzerland
Duration: 5 Jun 2012 - 8 Jun 2012

Conference

Conference: International Conference on Software Engineering
Country: Switzerland
City: Zürich
Period: 05/06/2012 - 08/06/2012


ID: 51724936