论文信息 - CAVEAT: Facilitating interactive and secure client-side validators for ruby on rails applications

CAVEAT: Facilitating interactive and secure client-side validators for ruby on rails applications

Modern web applications validate user-supplied data in two places: the server (to protect against attacks such as parameter tampering) and the client (to give the user a rich, interactive data-entry experience). However, today’s web development frameworks provide little support for ensuring that clientand server-side validation is kept in sync. In this paper, we introduce CAVEAT† , a tool that automatically creates clientside input validation for Ruby on Rails applications by analyzing server-side validation routines. The effectiveness of CAVEAT for new applications is demonstrated by developing three custom apps, and its applicability to existing applications is demonstrated by examining 25 open-source applications. Keywords—Web applications, Data validation, Frameworks

[1] V. N. Venkatakrishnan,et al. WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications , 2012, 2012 International Conference on Cyber Security.

[2] Alessandro Orso,et al. ViewPoints: differential string analysis for discovering client- and server-side input validation inconsistencies , 2012, ISSTA 2012.

[3] Clodoaldo Robledo,et al. Google Web Toolkit , 2012 .

[4] V. N. Venkatakrishnan,et al. WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction , 2011, CCS '11.

[5] Rui Wang,et al. How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores , 2011, 2011 IEEE Symposium on Security and Privacy.

[6] Timothy L. Hinrichs. Plato: A Compiler for Interactive Web Forms , 2011, PADL.

[7] V. N. Venkatakrishnan,et al. NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications , 2010, CCS '10.

[8] Michael K. Reiter,et al. Server-side verification of client behavior in online games , 2011, TSEC.

[9] Benjamin Livshits,et al. Ripley: Automatically Securing Distributed Web Applications Through Replicated Execution , 2008 .

[10] Michael Bächle,et al. Ruby on Rails , 2006, Softwaretechnik-Trends.