WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

The current practice of Web application development treats the client and server components of the application as two separate pieces of software. Each component is written independently, usually in distinct programming languages and development platforms - a process known to be prone to errors when the client and server share application logic. When the client and server are out of sync, an "impedance mismatch" occurs, often leading to software vulnerabilities as demonstrated by recent work on parameter tampering. This paper outlines the groundwork for a new software development approach, WAVES, where developers author the server-side application logic and rely on tools to automatically synthesize the corresponding client-side application logic. WAVES employs program analysis techniques to extract a logical specification from the server, from which it synthesizes client code. WAVES also synthesizes interactive client interfaces that include asynchronous callbacks (AJAX) whose performance and coverage rival that of manually written clients while ensuring no new security vulnerabilities are introduced. The effectiveness of WAVES is demonstrated and evaluated on three real-world web applications.
