An Integrated Analyzer for Verifying Web Application Security

Date Issued
2011
Date
2011
Author(s)
Shih, Jen-Feng
URI
Abstract
More than two billion people accessed the Internet in 2010. With the rise of social networks, more and more Internet users put their personal information on Web applications. Consequently, the importance of Web application security has greatly increased in recent years. There are many techniques and tools for detecting Web application security vulnerabilities, both in industry and in academia. Though they can identify almost all vulnerabilities, their analysis results still contain excessive false positives that need to be veri ed by human experts. This problem may be attributed to several factors. One of these factors is that current analyzers cannot analyze the data flow of a Web application completely. The main difficulty is that Web applications are multi-staged programs. The rst-stage programs are server-side programs which execute on the server-side and dynamically generate client-side programs. These client-side programs are second-stage programs which run on the user''s browser and can interact with the users. Vulnerabilities may occur either on the client side or the server side. However, the client-side programs sometimes interact with the server, for example when using AJAX. Such data flows between the client and the server are usually not detected by current analyzers. In this thesis, we aim at analyzing the data flow of Web applications more completely. The major vulnerabilities that we focus on are Cross-Site Scripting and SQL Injection. They are the top two of the risks faced by businesses, according to the latest OWASP Top 10. Both of them are results from using tainted data without validation. To solve the problem of incomplete data flow analysis, we translate all the server-side and client-side programs into a one-language representation CIL (C Intermediate Language). We present an approach to simulating the actions of a Web application on the CIL representation. We then apply control flow analysis and data flow analysis on the representation. We show by experiments that our analyzer can cross the server and the client programs to provide more precise and complete analysis results.
Subjects
Data flow Analysis
Static Analysis
Security Vulnerability
Type
thesis
File(s)
Loading...
Thumbnail Image
Name

ntu-100-R98725050-1.pdf

Size

23.32 KB

Format

Adobe PDF

Checksum

(MD5):121defe751ed8d188806a917f42945f1

臺大位居世界頂尖大學之列,為永久珍藏及向國際展現本校豐碩的研究成果及學術能量,圖書館整合機構典藏(NTUR)與學術庫(AH)不同功能平台,成為臺大學術典藏NTU scholars。期能整合研究能量、促進交流合作、保存學術產出、推廣研究成果。

To permanently archive and promote researcher profiles and scholarly works, Library integrates the services of “NTU Repository” with “Academic Hub” to form NTU Scholars.

總館學科館員 (Main Library)
醫學圖書館學科館員 (Medical Library)
社會科學院辜振甫紀念圖書館學科館員 (Social Sciences Library)

開放取用是從使用者角度提升資訊取用性的社會運動,應用在學術研究上是透過將研究著作公開供使用者自由取閱,以促進學術傳播及因應期刊訂購費用逐年攀升。同時可加速研究發展、提升研究影響力,NTU Scholars即為本校的開放取用典藏(OA Archive)平台。(點選深入了解OA)

  • 請確認所上傳的全文是原創的內容,若該文件包含部分內容的版權非匯入者所有,或由第三方贊助與合作完成,請確認該版權所有者及第三方同意提供此授權。
    Please represent that the submission is your original work, and that you have the right to grant the rights to upload.
  • 若欲上傳已出版的全文電子檔,可使用Open policy finder網站查詢,以確認出版單位之版權政策。
    Please use Open policy finder to find a summary of permissions that are normally given as part of each publisher's copyright transfer agreement.

Built with DSpace-CRIS software - Extension maintained and optimized by 4Science