DOI: 10.1145/2338965.2336760
Article

ViewPoints: differential string analysis for discovering client- and server-side input validation inconsistencies

Published: 15 July 2012

Abstract

Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a common target for attackers. In particular, attacks that focus on input validation vulnerabilities are extremely effective and dangerous. To address this problem, we developed ViewPoints, a technique that can identify erroneous or insufficient validation and sanitization of the user inputs by automatically discovering inconsistencies between client- and server-side input validation functions. Developers typically perform redundant input validation in both the front-end (client) and the back-end (server) components of a web application. Client-side validation is used to improve the responsiveness of the application, as it allows for responding without communicating with the server, whereas server-side validation is necessary for security reasons, as malicious users can easily circumvent client-side checks. ViewPoints (1) automatically extracts client- and server-side input validation functions, (2) models them as deterministic finite automata (DFAs), and (3) compares client- and server-side DFAs to identify and report the inconsistencies between the two sets of checks. Our initial evaluation of the technique is promising: when applied to a set of real-world web applications, ViewPoints was able to automatically identify a large number of inconsistencies in their input validation functions.
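The comparison step of the abstract (step 3) can be illustrated with a small differential check over two validator DFAs. The Python below is an added example, not the ViewPoints tool: ViewPoints extracts the DFAs from the application's client- and server-side code by string analysis, whereas here the two DFAs are built by hand from two assumed validation patterns, `[0-9]{1,4}` on the client and `[0-9]+` on the server. The alphabet, the `DFA` class, the `chars_of_length` builder and the `compare_validators` function are all constructions for this example. It goes slightly beyond the abstract by reporting both directions of inconsistency and returning a shortest witness string for each, found by breadth-first search over the product automaton.

```python
from collections import deque

# Constructed alphabet for the example: the ten digits plus one non-digit
# symbol, so the walk over both automata also exercises rejection paths.
DIGITS = frozenset("0123456789")
ALPHABET = DIGITS | frozenset("a")


class DFA:
    """Deterministic finite automaton with an implicit reject sink.

    Any (state, symbol) pair missing from `delta` leads to a dead state
    that never accepts, which is the usual shape of a validator DFA.
    """

    def __init__(self, start, accept, delta):
        self.start = start
        self.accept = frozenset(accept)
        self.delta = delta  # {(state, symbol): state}

    def step(self, state, symbol):
        return self.delta.get((state, symbol))  # None == dead state

    def accepts(self, word):
        state = self.start
        for symbol in word:
            state = self.step(state, symbol)
            if state is None:
                return False
        return state in self.accept


def chars_of_length(chars, lo, hi=None):
    """DFA for strings over `chars` with length in [lo, hi]; hi=None means
    unbounded, i.e. the pattern [chars]{lo,}. States are length counters."""
    last = lo if hi is None else hi
    delta = {}
    for i in range(last):
        for c in chars:
            delta[(i, c)] = i + 1
    if hi is None:
        for c in chars:  # saturate: once `lo` chars are read, stay there
            delta[(last, c)] = last
    accept = {last} if hi is None else set(range(lo, hi + 1))
    return DFA(0, accept, delta)


def difference_witness(a, b, alphabet):
    """Shortest string accepted by `a` but rejected by `b`, or None if
    L(a) is a subset of L(b). Breadth-first search over the product
    automaton, so the first accepting pair found is a shortest witness."""
    start = (a.start, b.start)
    seen = {start}
    queue = deque([(start, "")])
    while queue:
        (qa, qb), word = queue.popleft()
        if qa in a.accept and (qb is None or qb not in b.accept):
            return word
        for c in sorted(alphabet):
            na = a.step(qa, c)
            if na is None:
                continue  # nothing in L(a) extends this prefix
            nb = None if qb is None else b.step(qb, c)
            nxt = (na, nb)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, word + c))
    return None


def compare_validators(client, server, alphabet=ALPHABET):
    """Report both directions of inconsistency between two validator DFAs.

    'server_only' is input the server accepts but the client would have
    rejected: the security-relevant case, since the client check can be
    bypassed and the server is then the only line of defence.
    'client_only' is input the client lets through but the server rejects:
    usually a usability bug rather than a security one."""
    return {
        "server_only": difference_witness(server, client, alphabet),
        "client_only": difference_witness(client, server, alphabet),
    }


# Constructed scenario: the client-side check enforces [0-9]{1,4} while the
# server-side check only enforces [0-9]+, so the server accepts longer
# digit strings than the client ever lets through.
CLIENT_DFA = chars_of_length(DIGITS, 1, 4)
SERVER_DFA = chars_of_length(DIGITS, 1)

if __name__ == "__main__":
    # → {'server_only': '00000', 'client_only': None}
    print(compare_validators(CLIENT_DFA, SERVER_DFA))
```

The `server_only` witness is the one a reviewer should act on: it is a concrete input that reaches the back end only because the front-end check was skipped, so the fix is to tighten the server-side pattern to match (or exceed) the client-side one, never the other way round.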



Published In

ISSTA 2012: Proceedings of the 2012 International Symposium on Software Testing and Analysis
July 2012
341 pages
ISBN:9781450314541
DOI:10.1145/2338965
Publisher

Association for Computing Machinery

New York, NY, United States

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Cited By

  • (2023) Input Validation Vulnerabilities in Web Applications: Systematic Review, Classification, and Analysis of the Current State-of-the-Art. IEEE Access 11, pp. 40128-40161, doi:10.1109/ACCESS.2023.3266385. Online publication date: 2023.
  • (2022) Quantifying permissiveness of access control policies. Proceedings of the 44th International Conference on Software Engineering, pp. 1805-1817, doi:10.1145/3510003.3510233. Online publication date: 21-May-2022.
  • (2021) Ghost in the Binder: Binder Transaction Redirection Attacks in Android System Services. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 1581-1597, doi:10.1145/3460120.3484801. Online publication date: 12-Nov-2021.
  • (2020) Managing data constraints in database-backed web applications. Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 1098-1109, doi:10.1145/3377811.3380375. Online publication date: 27-Jun-2020.
  • (2020) ANOVUL: Detection of logic vulnerabilities in annotated programs via data and control flow analysis. IET Information Security 14(3), pp. 352-364, doi:10.1049/iet-ifs.2018.5615. Online publication date: May-2020.
  • (2018) DetLogic. Journal of Network and Computer Applications 109(C), pp. 89-109, doi:10.1016/j.jnca.2018.01.008. Online publication date: 1-May-2018.
  • (2018) Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications. International Journal of Information Security 17(1), pp. 105-120, doi:10.1007/s10207-016-0359-4. Online publication date: 1-Feb-2018.
  • (2017) Differential String Analysis and Repair. In: String Analysis for Software Verification and Security, pp. 123-147, doi:10.1007/978-3-319-68670-7_9. Online publication date: 13-Dec-2017.
  • (2017) A Brief Survey of Related Work. In: String Analysis for Software Verification and Security, pp. 155-164, doi:10.1007/978-3-319-68670-7_11. Online publication date: 13-Dec-2017.
  • (2017) Introduction. In: String Analysis for Software Verification and Security, pp. 1-13, doi:10.1007/978-3-319-68670-7_1. Online publication date: 13-Dec-2017.