Web applications are an increasingly important part of many aspects of the society, from social interactions to business transactions. Hence, security of web applications is an extremely important and urgent problem. Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a typical target for attackers. In particular, attacks that target input validation vulnerabilities are extremely common and effective. Some of these attacks exploit well-known vulnerabilities, such as cross-site scripting and SQL injection, whereas some others exploit application-specific vulnerabilities that are hard to identify because they depend on the particular input validation logic of the target application. In general, these attacks exploit erroneous or insufficient input validation and sanitization to inject malicious data that can result in execution of harmful commands and access to sensitive information.

This research aims to identify and mitigate these vulnerabilities in web applications by performing automatic checking of input validation and sanitization operations. The key insight for this work comes from the observation that developers often introduce redundant checks in both the front-end (client) and the back-end (server) component of a web application. Client-side checks are fast and can improve performance and responsiveness of the application, but can be easily circumvented; server-side checks are hard to circumvent, but require network round-trips and additional server-side processing. Our intuition is that the checks performed at the client and server sides should enforce the same set of constraints on the inputs: if client-side checks are more restrictive, the server may accept inputs that legitimate clients can never produce, as malicious users can easily bypass client-side checks. Conversely, if server-side checks are more restrictive, the client may produce requests that are subsequently rejected by the server, which is not ideal from a performance point of view. This research will develop new techniques based on program analysis, string analysis, and code synthesis that can identify, map, model, and compare the set of checks performed on the client and server sides. These techniques will be able to identify and report inconsistencies between the two sets of checks and (semi)automatically extend the checks to eliminate such inconsistencies. By making web applications more secure and efficient, this research has the potential to benefit the increasingly large part of the society that relies on the use of web applications for its daily activities.

Project Report

Web applications are an increasingly prominent part of many aspects of everybody's life, from social interactions to business transactions. Hence, security and reliability of web applications are of fundamental importance today. Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a typical target for attackers. In particular, attacks that target input validation vulnerabilities are extremely common and effective. Some of these attacks exploit well-known vulnerabilities, such as cross-site scripting and SQLinjection, whereas some others exploit application-specific vulnerabilities that are hard to identify because they depend on the particular input validation logic of the target application. In many cases, these attacks exploit erroneous or insufficient input validation and sanitization to inject malicious data that can result in execution of harmful commands and access to sensitive information. The overall goal of this project was to identify and mitigate these vulnerabilities in web applications by performing automatic checking of input validation and sanitization operations. To accomplish this goal, during the lifetime of the project, we developed new techniques based on program analysis, string analysis, and code synthesis for identifying, understanding, and possibly repairing web application vulnerabilities. In addition, we also developed techniques for addressing another familyof issues that affect web applications, that is, cross-browser and cross-platform incompatibilities, which can cause serious reliability and usability problems for such applications. In the rest of this report, we summarize some of the main results achieved within the project in terms of intellectual merit and broader impact of the research. Differential String Analysis for Discovering Client- and Server-Side Input Validation Inconsistencies: In web applications, it is not uncommon for developers to perform either faulty or incomplete input checks, which can leave the web application susceptible to input validation vulnerabilities, such as cross-site scripting, which are among the most common and dangerous attacks for web applications. To address these vulnerabilities, we defined ViewPoints, a novel approach for automatically identifying input validation issues in web applications. ViewPoints is based on the key insight that developers often introduce redundant checks both in the front-end (client) and the back-end (server) component of a web application. Based on this insight, ViewPoints compares the checks performed at the client and server sides against each other, identifies inconsistencies that indicate possible input validation vulnerabilities,and reports such inconsistencies to the user. Differential Automated Repair: In addition to identifying inconsistencies between input validation at the client and server sides, we also developed techniques for automatically generating additional validation code that can be added to the server and/or the client to make their checks consistent. By doing so, such code can increase both the security of the web application, when it strengthens server-side input validation, and also its responsiveness, when it strengthens client-side input validation. When used on a set of real-world web applications, our repair technique was able to automatically generate repairs for real issues in the applications, thus demonstrating the practical viability of the approach. Differential Analysis to Detect Cross-Browser and Cross-Platform Inconsistencies: In addition to input validation vulnerabilities, another issue with web applications is that they are susceptible to cross-browser and cross-platform incompatibilities. The former are discrepancies between a web application's appearance, behavior, or both, when the application is run on two different environments. The latter affects multi-platform web applications--web applications that are developed in multiple versions, one for the desktop and one or more for mobile platforms. The effects of cross-browser and cross-platform inconsistencies can range from poor usability to serious reliability issues, and it is therefore important to address them. To do so, we developed techniques that, by observing the behavior of a web application in different contexts, can detect and report both types of problems. Our evaluation on real web applications showed that our techniques can help developers detect these issues and fix them before they affect the users. Broader impact of this research: Because of the widespread use of web applications, and the crucial role they play in many aspects of human society, it is of paramount importance that they behave reliably and securely. Recently, however, the problems with the online health-insurance marketplace website HealthCare.gov demonstrated the difficulty of building dependable web applications. The research conducted within this project resulted in techniques that have the potential to improve many aspects of web applications’ dependability. These techniques, which we developed, implemented, and made available through publications and tools,are therefore likely not only to have impact within the specific area of the project, but also to indirectly benefit and have a positive impact on the increasingly large segment of the society that relies on web applications.

Agency
National Science Foundation (NSF)
Institute
Division of Computer and Network Systems (CNS)
Type
Standard Grant (Standard)
Application #
1116967
Program Officer
Sol J. Greenspan
Project Start
Project End
Budget Start
2011-10-01
Budget End
2014-09-30
Support Year
Fiscal Year
2011
Total Cost
$299,964
Indirect Cost
Name
University of California Santa Barbara
Department
Type
DUNS #
City
Santa Barbara
State
CA
Country
United States
Zip Code
93106