An Integrated Environment for Analyzing Web Application Security
Date Issued
2010
Date
2010
Author(s)
Tai, Chih-Pin
Abstract
Web application security has become more and more important in recent years. Several analysis techniques and tools in industry help Web application developers detect a variety of security vulnerabilities, such as Cross-Site Scripting and SQL Injection, and several static analysis techniques and tools for Web application security have been proposed by academia. Because they over-approximate, these techniques and tools can identify almost all security vulnerabilities, but they produce excessive numbers of false positives. This is a serious problem, as code reviewers have to remove these false positives manually, which is very time-consuming.
In this thesis, we focus on reducing false positives which result from incomplete dataflow analysis for two kinds of vulnerabilities, Cross-Site Scripting and SQL Injection. The main cause of incomplete dataflow analysis is that client-side programs including client-side scripts and HTML code are dynamically generated by server-side programs. The recent analysis techniques and tools do not trace dataflows across the boundary between the server-side and client-side programs. Moreover, the analysis techniques and tools do not trace dataflows across the database and do not take configuration files into consideration.
To solve these problems, we propose to translate the server-side programs, client-side programs, database and configuration files of a Web application into a single-language representation, namely CIL (C Intermediate Language). CIL comes with a library of analysis modules for C programs that we can leverage to perform different kinds of program analysis, including control flow analysis and dataflow analysis. We extract a client-side program for each webpage by static analysis and invoke it when the corresponding server-side program executes. In addition, we maintain structures in CIL that simulate the database and the HTML DOM. Finally, we define the entry points of the Web application according to its configuration files. By analyzing the comprehensive suite of CIL programs translated from a website, we can identify Web application security vulnerabilities more precisely, and therefore eliminate the false positives that come from incomplete dataflow analysis.
Subjects
Security Vulnerabilities
Web Applications
Dataflow
Integrated Environment
Static Analysis
Type
thesis
File(s)
Name
ntu-99-R97725024-1.pdf
Size
23.32 KB
Format
Adobe PDF
Checksum
(MD5):378f41d6a9e4bd1b03ba7767d35f3f4a
