Web applications are an increasingly important part of many aspects of the society, from social interactions to business transactions. Hence, security of web applications is an extremely important and urgent problem. Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a typical target for attackers. In particular, attacks that target input validation vulnerabilities are extremely common and effective. Some of these attacks exploit well-known vulnerabilities, such as cross-site scripting and SQL injection, whereas some others exploit application-specific vulnerabilities that are hard to identify because they depend on the particular input validation logic of the target application. In general, these attacks exploit erroneous or insufficient input validation and sanitization to inject malicious data that can result in execution of harmful commands and access to sensitive information.

This research aims to identify and mitigate these vulnerabilities in web applications by performing automatic checking of input validation and sanitization operations. The key insight for this work comes from the observation that developers often introduce redundant checks in both the front-end (client) and the back-end (server) component of a web application. Client-side checks are fast and can improve performance and responsiveness of the application, but can be easily circumvented; server-side checks are hard to circumvent, but require network round-trips and additional server-side processing. Our intuition is that the checks performed at the client and server sides should enforce the same set of constraints on the inputs: if client-side checks are more restrictive, the server may accept inputs that legitimate clients can never produce, as malicious users can easily bypass client-side checks. Conversely, if server-side checks are more restrictive, the client may produce requests that are subsequently rejected by the server, which is not ideal from a performance point of view. This research will develop new techniques based on program analysis, string analysis, and code synthesis that can identify, map, model, and compare the set of checks performed on the client and server sides. These techniques will be able to identify and report inconsistencies between the two sets of checks and (semi)automatically extend the checks to eliminate such inconsistencies. By making web applications more secure and efficient, this research has the potential to benefit the increasingly large part of the society that relies on the use of web applications for its daily activities.

Project Report

Web applications are an increasingly prominent part of many aspects ofeverybody's life, from social interactions to business transactions. Hence,security and reliability of web applications are of fundamental importancetoday. Since web applications are easily accessible, and often store alarge amount of sensitive user information, they are a typical targetfor attackers. In particular, attacks that target input validationvulnerabilities are extremely common and effective. Some of these attacksexploit well-known vulnerabilities, such as cross-site scripting and SQLinjection, whereas some others exploit application-specific vulnerabilitiesthat are hard to identify because they depend on the particular inputvalidation logic of the target application. In many cases, these attacksexploit erroneous or insufficient input validation and sanitization toinject malicious data that can result in execution of harmful commandsand access to sensitive information. The overall goal of this project was to identify and mitigate thesevulnerabilities in web applications by performing automatic checking ofinput validation and sanitization operations. To accomplish this goal,during the lifetime of the project, we developed new techniques based onprogram analysis, string analysis, and code synthesis for identifying,understanding, and possibly repairing web application vulnerabilities. Inaddition, we also developed techniques for addressing another familyof issues that affect web applications, that is, cross-browser andcross-platform incompatibilities, which can cause serious reliability andusability problems for such applications. In the rest of this report, wesummarize some of the main results achieved within the project in termsof intellectual merit and broader impact of the research. Differential String Analysis for Discovering Client- and Server-Side Input Validation Inconsistencies: In web applications, it is not uncommonfor developers to perform either faulty or incomplete input checks,which can leave the web application susceptible to input validationvulnerabilities, such as cross-site scripting, which are among themost common and dangerous attacks for web applications. To address thesevulnerabilities, we defined ViewPoints, a novel approach for automaticallyidentifying input validation issues in web applications. ViewPoints isbased on the key insight that developers often introduce redundant checksboth in the front-end (client) and the back-end (server) component ofa web application. Based on this insight, ViewPoints compares the checksperformed at the client and server sides against each other, identifiesinconsistencies that indicate possible input validation vulnerabilities,and reports such inconsistencies to the user. Differential Automated Repair: In addition to identifying inconsistenciesbetween input validation at the client and server sides, we also developedtechniques for automatically generating additional validation codethat can be added to the server and/or the client to make their checksconsistent. By doing so, such code can increase both the security of theweb application, when it strengthens server-side input validation, and alsoits responsiveness, when it strengthens client-side input validation. Whenused on a set of real-world web applications, our repair technique wasable to automatically generate repairs for real issues in the applications,thus demonstrating the practical viability of the approach. Differential Analysis to Detect Cross-Browser and Cross-Platform Inconsistencies: In addition to input validation vulnerabilities, anotherissue with web applications is that they are susceptible to cross-browserand cross-platform incompatibilities. The former are discrepancies betweena web application's appearance, behavior, or both, when the application isrun on two different environments. The latter affects multi-platform webapplications--web applications that are developed in multiple versions,one for the desktop and one or more for mobile platforms. The effects ofcross-browser and cross-platform inconsistencies can range from poorusability to serious reliability issues, and it is therefore importantto address them. To do so, we developed techniques that, by observing thebehavior of a web application in different contexts, can detect and reportboth types of problems. Our evaluation on real web applications showedthat our techniques can help developers detect these issues and fix thembefore they affect the users. Broader impact of this research: Because of the widespread use of web applications, and the crucial role theyplay in many aspects of human society, it is of paramount importance thatthey behave reliably and securely. Recently, however, the problems with theonline health-insurance marketplace website HealthCare.gov demonstrated thedifficulty of building dependable web applications. The research conductedwithin this project resulted in techniques that have the potential to improvemany aspects of web applications’ dependability. These techniques, which wedeveloped, implemented, and made available through publications and tools,are therefore likely not only to have impact within the specific area ofthe project, but also to indirectly benefit and have a positive impact onthe increasingly large segment of society that relies on web applications.

Agency
National Science Foundation (NSF)
Institute
Division of Computer and Network Systems (CNS)
Type
Standard Grant (Standard)
Application #
1117167
Program Officer
Sol J. Greenspan
Project Start
Project End
Budget Start
2011-10-01
Budget End
2014-09-30
Support Year
Fiscal Year
2011
Total Cost
$199,994
Indirect Cost
Name
Georgia Tech Research Corporation
Department
Type
DUNS #
City
Atlanta
State
GA
Country
United States
Zip Code
30332