ViewPoints: Differential string analysis for discovering client- and server-side input validation inconsistencies

Muath Alkhalaf, Shauvik Roy Choudhary, Mattia Fazzini, Tevfik Bultan, Alessandro Orso, Christopher Kruegel

Research output: Chapter in Book/Report/Conference proceedingConference contribution

17 Scopus citations

Abstract

Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a common target for attackers. In particular, attacks that focus on input validation vulnerabilities are extremely effective and dangerous. To address this problem, we developed ViewPoints - a technique that can identify erroneous or insufficient validation and sanitization of the user inputs by automatically discovering inconsistencies between client- and server-side input validation functions. Developers typically perform redundant input validation in both the front-end (client) and the back-end (server) components of a web application. Client- side validation is used to improve the responsiveness of the application, as it allows for responding without communicating with the server, whereas server-side validation is necessary for security reasons, as malicious users can easily circumvent client-side checks. ViewPoints (1) automatically extracts client- and server-side input validation functions, (2) models them as deterministic finite automata (DFAs), and (3) compares client- and server-side DFAs to identify and report the inconsistencies between the two sets of checks. Our initial evaluation of the technique is promising: when applied to a set of real-world web applications, ViewPoints was able to automatically identify a large number of inconsistencies in their input validation functions.

Original languageEnglish (US)
Title of host publication2012 International Symposium on Software Testing and Analysis, ISSTA 2012 - Proceedings
Pages56-66
Number of pages11
DOIs
StatePublished - Aug 28 2012
Externally publishedYes
Event21st International Symposium on Software Testing and Analysis, ISSTA 2012 - Minneapolis, MN, United States
Duration: Jul 15 2012Jul 20 2012

Publication series

Name2012 International Symposium on Software Testing and Analysis, ISSTA 2012 - Proceedings

Conference

Conference21st International Symposium on Software Testing and Analysis, ISSTA 2012
Country/TerritoryUnited States
CityMinneapolis, MN
Period7/15/127/20/12

Keywords

  • Web security
  • differential string analysis
  • input validation
  • web testing

Fingerprint

Dive into the research topics of 'ViewPoints: Differential string analysis for discovering client- and server-side input validation inconsistencies'. Together they form a unique fingerprint.

Cite this