TY - GEN
T1 - ViewPoints
T2 - 21st International Symposium on Software Testing and Analysis, ISSTA 2012
AU - Alkhalaf, Muath
AU - Choudhary, Shauvik Roy
AU - Fazzini, Mattia
AU - Bultan, Tevfik
AU - Orso, Alessandro
AU - Kruegel, Christopher
PY - 2012
Y1 - 2012
AB - Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a common target for attackers. In particular, attacks that focus on input validation vulnerabilities are extremely effective and dangerous. To address this problem, we developed ViewPoints - a technique that can identify erroneous or insufficient validation and sanitization of the user inputs by automatically discovering inconsistencies between client- and server-side input validation functions. Developers typically perform redundant input validation in both the front-end (client) and the back-end (server) components of a web application. Client-side validation is used to improve the responsiveness of the application, as it allows for responding without communicating with the server, whereas server-side validation is necessary for security reasons, as malicious users can easily circumvent client-side checks. ViewPoints (1) automatically extracts client- and server-side input validation functions, (2) models them as deterministic finite automata (DFAs), and (3) compares client- and server-side DFAs to identify and report the inconsistencies between the two sets of checks. Our initial evaluation of the technique is promising: when applied to a set of real-world web applications, ViewPoints was able to automatically identify a large number of inconsistencies in their input validation functions.
KW - Web security
KW - differential string analysis
KW - input validation
KW - web testing
UR - http://www.scopus.com/inward/record.url?scp=84865285607&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84865285607&partnerID=8YFLogxK
U2 - 10.1145/2338965.2336760
DO - 10.1145/2338965.2336760
M3 - Conference contribution
AN - SCOPUS:84865285607
SN - 9781450314541
T3 - 2012 International Symposium on Software Testing and Analysis, ISSTA 2012 - Proceedings
SP - 56
EP - 66
BT - 2012 International Symposium on Software Testing and Analysis, ISSTA 2012 - Proceedings
Y2 - 15 July 2012 through 20 July 2012
ER -
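The abstract describes step (3) of ViewPoints, comparing a client-side and a server-side validator once both are modelled as DFAs. The following is an added illustration of that comparison and is not code from the paper or the ViewPoints tool: two validators are built as DFAs, their product automaton is searched breadth-first, and the shortest string accepted by one side but rejected by the other is returned as a witness. The validators (a username field whose JavaScript check is ^[A-Za-z0-9_]{3,16}$ while the server only checks the length), the alphabet, and the helper names length_bounded_dfa, find_witness and compare are all assumptions made for this example. The builder handles any anchored "character class plus length range" pattern, so it goes slightly beyond the single case shown.

```python
"""Differential comparison of client- and server-side input validators as DFAs.

Added example, not code from the ViewPoints paper or tool. Validators,
alphabet and helper names are assumptions made for illustration.
"""
import string
from collections import deque

DEAD = "dead"  # implicit sink state: any transition missing from delta lands here


class DFA:
    """Deterministic finite automaton with a partial transition table."""

    def __init__(self, alphabet, delta, start, accepting):
        self.alphabet = frozenset(alphabet)
        self.delta = delta                  # (state, symbol) -> state
        self.start = start
        self.accepting = frozenset(accepting)

    def step(self, state, symbol):
        return self.delta.get((state, symbol), DEAD)

    def accepts(self, text):
        state = self.start
        for ch in text:
            state = self.step(state, ch)
        return state in self.accepting


def length_bounded_dfa(allowed, lo, hi, alphabet):
    """DFA for the anchored pattern ^[allowed]{lo,hi}$ (hi=None: no upper bound).

    This is the common shape of a form-field check: a character class plus a
    length range. States count accepted characters; disallowed symbols go to DEAD.
    """
    assert lo >= 0 and (hi is None or hi >= lo)
    top = lo if hi is None else hi          # highest counting state needed
    delta = {}
    for count in range(top + 1):
        for ch in alphabet:
            if ch not in allowed:
                continue                    # no entry: next symbol falls into DEAD
            if count < top:
                delta[(count, ch)] = count + 1
            elif hi is None:
                delta[(count, ch)] = top    # unbounded: stay in the top state
            # bounded and already at hi: no entry, one more symbol kills it
    return DFA(alphabet, delta, 0, range(lo, top + 1))


def find_witness(a, b):
    """Shortest string accepted by `a` but rejected by `b`, or None.

    Breadth-first search over the product automaton of a and b; because the
    search proceeds level by level, the first hit is a shortest witness.
    """
    symbols = sorted(a.alphabet | b.alphabet)
    start = (a.start, b.start)
    seen = {start}
    queue = deque([(start, "")])
    while queue:
        (qa, qb), text = queue.popleft()
        if qa in a.accepting and qb not in b.accepting:
            return text
        if qa == DEAD:
            continue                        # `a` can never accept an extension
        for ch in symbols:
            nxt = (a.step(qa, ch), b.step(qb, ch))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, text + ch))
    return None


def compare(client, server):
    """Report both directions of inconsistency between the two validators."""
    return {
        # server weaker than client: the client check is bypassable, so this
        # is the security-relevant direction
        "server_accepts_client_rejects": find_witness(server, client),
        # client weaker than server: a usability bug, the request fails late
        "client_accepts_server_rejects": find_witness(client, server),
    }


# Constructed sample (assumed, not taken from any real application): a username
# field whose JavaScript check enforces ^[A-Za-z0-9_]{3,16}$ while the server
# only checks that the length is 3..16. The alphabet is deliberately small and
# includes a few characters an attacker would try.
ALPHABET = frozenset(string.ascii_letters + string.digits + "_'<>")


def build_username_validators():
    client = length_bounded_dfa(set(string.ascii_letters + string.digits + "_"), 3, 16, ALPHABET)
    server = length_bounded_dfa(ALPHABET, 3, 16, ALPHABET)
    return client, server


if __name__ == "__main__":
    client, server = build_username_validators()
    # {'server_accepts_client_rejects': "'''", 'client_accepts_server_rejects': None}
    print(compare(client, server))
```

The witness in the "server accepts, client rejects" direction is the actionable output: it is a concrete input that passes the back end despite being rejected by the front end, which is exactly the class of gap a user bypassing client-side JavaScript can exploit. Real validators extracted from JavaScript or PHP would be converted to DFAs from their regular expressions and string operations rather than built by hand as here; the comparison step is the same.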