Input validation of client-server web applications through static analysis

Author

  • Francis Hsu
Abstract

While early web applications were built with all data processing done on the server, the spread of scripting languages embedded in web browsers (specifically the ECMAScript dialects JavaScript and JScript) in techniques such as AJAX has changed how web applications are designed. They no longer run solely on the server side with a limited input interface of static boxes in an HTML form, but are combinations of two programs: a client program run by the web browser communicating with a server program. While new applications of this type bring benefits in usability, the additional complexity may introduce security problems. Web applications designed with client and server components face the traditional problems of classic client-server programs, such as validating the input to the client or server program. However, the server and client components of a web application are usually designed with an ad hoc application-level protocol intended to operate only with their counterpart and no other program. This may lead to dangerous assumptions about the internal state of the counterpart and about any data being transmitted. For example, in some cases application writers handle input validation with JavaScript in the client browser. When the input is then transmitted to the server-side part of the application, the server code operates on the data under the assumption that the client's input validation has completed successfully. A malicious party can simply construct a client without these checks and submit input that was never validated, leading to security failures such as SQL injection attacks. Because the client source code is delivered to attackers in script form, such vulnerabilities are even easier to exploit. Since the web application programmer intended to perform these checks on data to be transmitted to the server, input validation code done on the client should also be present in the server code.
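The failure mode the abstract describes, shown as an added example that is not code from the paper: the same validation rules are written once and applied both by the legitimate browser client and by the server, and a "malicious client" that skips the browser checks is handled by a server that re-validates and binds the id as a query parameter instead of splicing it into SQL text. The field names, rules and the two server versions are assumptions made for illustration; the inputs are constructed. Runs under Node.js with no dependencies.

```javascript
// Added example, not from the paper. Hypothetical form with two fields;
// RULES are what the application author meant to enforce on the client.
const RULES = {
  userId: (v) => /^[0-9]{1,9}$/.test(v),                                  // numeric id only
  comment: (v) => typeof v === "string" && v.length <= 200 && !/[<>]/.test(v),
};

// Returns the names of fields that violate RULES (empty array = valid).
function validate(fields) {
  return Object.keys(RULES).filter((k) => !RULES[k](String(fields[k] ?? "")));
}

// --- browser side: what the legitimate client does ----------------------
// Validates first, then serialises the POST body.
function browserSubmit(form) {
  const bad = validate(form);
  if (bad.length) return { sent: false, errors: bad };
  return { sent: true, body: JSON.stringify(form) };
}

// An attacker's "client" is just the HTTP request; no RULES are applied.
function maliciousSubmit(form) {
  return { sent: true, body: JSON.stringify(form) };
}

// --- server side, version 1: trusts the client ---------------------------
// Concatenates the id into the query because "the client already checked
// that userId is numeric". Whatever the request carries reaches the SQL text.
function serverV1(body) {
  const { userId } = JSON.parse(body);
  const sql = `SELECT * FROM posts WHERE user_id = ${userId}`;
  return { status: 200, sql };
}

// --- server side, version 2: re-validates and parameterises --------------
// The same RULES run again on the server, and the id is passed as a bound
// parameter rather than being spliced into the query string.
function serverV2(body) {
  let fields;
  try { fields = JSON.parse(body); } catch { return { status: 400, errors: ["body"] }; }
  const bad = validate(fields);
  if (bad.length) return { status: 400, errors: bad };
  return {
    status: 200,
    sql: "SELECT * FROM posts WHERE user_id = ?",
    params: [Number(fields.userId)],
  };
}

// Constructed inputs: one honest form, one crafted request.
const honest = { userId: "42", comment: "hello" };
const crafted = { userId: "42 OR 1=1", comment: "x" };

// Runs both clients against both servers and reports what each one saw.
function demo() {
  const viaBrowser = browserSubmit(crafted);      // browser refuses to send
  const viaAttacker = maliciousSubmit(crafted);   // attacker sends anyway
  return {
    browserBlocked: !viaBrowser.sent,
    v1Sql: serverV1(viaAttacker.body).sql,        // injected text lands in the query
    v2Status: serverV2(viaAttacker.body).status,  // rejected with 400
    v2Honest: serverV2(browserSubmit(honest).body),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The point of the shared `RULES` object is that the client-side check and the server-side check cannot drift apart; in a real application the same module would be bundled for the browser and imported by the server. Re-validation alone is not enough against injection, which is why `serverV2` also binds the value as a parameter.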


Similar resources

eGovWDF:Validation – A new approach to input validation in Web based eGovernment applications

In this paper we introduce the topic input validation, analyze its great importance to Web applications and suggest a new comprehensive approach to input validation. The approach has been developed as a result of an evaluation of current input validation approaches that showed that no sufficient solution to common input validation requirements is available at present. The paper describes import...


Optimizing the execution and response of web pages in the cloud with preprocessing methods: a case study of the Varnish and Nginx systems

The response speed of web pages is one of the necessities of information technology. In recent years, renowned companies such as Google and computer scientists have focused on speeding up the web. Achievements such as Google PageSpeed, Nginx and Varnish are the result of this research. In Customer to Customer (C2C) business systems, such as chat systems, and in Business to Customer (B2C) systems, s...


ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities

Modern web applications are increasingly moving program code to the client in the form of JavaScript. With the growing adoption of HTML5 APIs such as postMessage, client-side validation (CSV) vulnerabilities are consequently becoming increasingly important to address as well. However, while detecting and preventing attacks against web applications is a well-studied topic on the server, considera...


String Analysis for Vulnerability Detection and Repair

String manipulation errors in input validation and sanitization code are a common source of security vulnerabilities in web applications. This short survey summarizes the string analysis techniques we developed that can automatically identify and repair such vulnerabilities. Our approach (1) extracts client- and server-side input validation and sanitization functions, (2) models them as determin...


FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications

The complexity of the client-side components of web applications has exploded with the increase in popularity of web 2.0 applications. Today, traditional desktop applications, such as document viewers, presentation tools and chat applications are commonly available as online JavaScript applications. Previous research on web vulnerabilities has primarily concentrated on flaws in the server-side ...



Journal title:

Volume:   Issue:

Pages:  -

Publication date: 2007