Automated detection of client-state manipulation vulnerabilities

Web application programmers must be aware of a wide range of potential security risks. Although the most common pitfalls are well described and categorized in the literature, it remains a challenging task to ensure that all guidelines are followed. For this reason, it is desirable to construct automated tools that can assist the programmers in the application development process by detecting weaknesses. Many vulnerabilities are related to web application code that stores references to application state in the generated HTML documents to work around the statelessness of the HTTP protocol. In this paper, we show that such client-state manipulation vulnerabilities are amenable to tool supported detection. We present a static analysis for the widely used frameworks Java Servlets, JSP, and Struts. Given a web application archive as input, the analysis identifies occurrences of client state and infers the information flow between the client state and the shared application state on the server. This makes it possible to check how client-state manipulation performed by malicious users may affect the shared application state and cause leakage or modifications of sensitive information. The warnings produced by the tool help the application programmer identify vulnerabilities. Moreover, the inferred information can be applied to configure a security filter that automatically guards against attacks. Experiments on a collection of open source web applications indicate that the static analysis is able to effectively help the programmer prevent client-state manipulation vulnerabilities.

[1]  Shay Artzi,et al.  F4F: taint analysis of framework-based web applications , 2011, OOPSLA '11.

[2]  Benjamin Livshits,et al.  Finding application errors and security flaws using PQL: a program query language , 2005, OOPSLA '05.

[3]  Benjamin Livshits Defining a Set of Common Benchmarks for Web Application Security , 2005 .

[4]  Giovanni Denaro,et al.  ACM Transactions on Software Engineering and Methodology : Volume 22, Nomor 4, 2013 , 2014 .

[5]  Zhendong Su,et al.  Static detection of cross-site scripting vulnerabilities , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[6]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[7]  Richard Sharp,et al.  Abstracting application-level web security , 2002, WWW.

[8]  V. N. Venkatakrishnan,et al.  WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction , 2011, CCS '11.

[9]  Benjamin Livshits,et al.  Merlin: specification inference for explicit information flow problems , 2009, PLDI '09.

[10]  V. N. Venkatakrishnan,et al.  TamperProof: a server-agnostic defense for parameter tampering attacks on web applications , 2013, CODASPY '13.

[11]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[12]  Christopher Krügel,et al.  Toward Automated Detection of Logic Vulnerabilities in Web Applications , 2010, USENIX Security Symposium.

[13]  Christian Kirkegaard,et al.  Static Analysis for Java Servlets and JSP , 2006, SAS.

[14]  Manu Sridharan,et al.  TAJ: effective taint analysis of web applications , 2009, PLDI '09.

[15]  Zhendong Su,et al.  Static Detection of Access Control Vulnerabilities in Web Applications , 2011, USENIX Security Symposium.

[16]  Laurie Hendren,et al.  Soot---a java optimization framework , 1999 .

[17]  Zhendong Su,et al.  Sound and precise analysis of web applications for injection vulnerabilities , 2007, PLDI '07.

[18]  Christopher Krügel,et al.  Static analysis for detecting taint-style vulnerabilities in web applications , 2010, J. Comput. Secur..

[19]  Christopher Krügel,et al.  Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner , 2012, USENIX Security Symposium.

[20]  Giovanni Vigna,et al.  Why Johnny Can't Pentest: An Analysis of Black-Box Web Vulnerability Scanners , 2010, DIMVA.

[21]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[22]  V. N. Venkatakrishnan,et al.  NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications , 2010, CCS '10.

[23]  Alessandro Orso,et al.  Improving penetration testing through static and dynamic analysis , 2011, Softw. Test. Verification Reliab..

[24]  John C. Mitchell,et al.  State of the Art: Automated Black-Box Web Application Vulnerability Testing , 2010, 2010 IEEE Symposium on Security and Privacy.

[25]  Benjamin Livshits,et al.  Securing web applications with static and dynamic information flow tracking , 2008, PEPM '08.

[26]  Alessandro Orso,et al.  Automated identification of parameter mismatches in web applications , 2008, SIGSOFT '08/FSE-16.

[27]  Dirk Fox,et al.  Open Web Application Security Project , 2006, Datenschutz und Datensicherheit - DuD.

[28]  Giovanni Vigna,et al.  Multi-module vulnerability analysis of web-based applications , 2007, CCS '07.

[29]  William G. J. Halfond Automated Checking of Web Application Invocations , 2012, 2012 IEEE 23rd International Symposium on Software Reliability Engineering.

[30]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[31]  MøllerAnders,et al.  Automated Detection of Client-State Manipulation Vulnerabilities , 2014 .

[32]  Anders Møller,et al.  HTML Validation of Context-Free Languages , 2011, FoSSaCS.

[33]  Alexander Aiken,et al.  Static Detection of Security Vulnerabilities in Scripting Languages , 2006, USENIX Security Symposium.

[34]  Monica S. Lam,et al.  Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking , 2008, USENIX Security Symposium.

[35]  Aske Simon Christensen,et al.  Precise Analysis of String Expressions , 2003, SAS.

[36]  Michael Franz,et al.  Dynamic taint propagation for Java , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[37]  Engin Kirda,et al.  Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications , 2011, Financial Cryptography.

[38]  Alessandro Orso,et al.  Precise interface identification to improve testing and analysis of web applications , 2009, ISSTA.

[39]  Alessandro Orso,et al.  WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation , 2008, IEEE Transactions on Software Engineering.