An Integrated Environment for Analyzing Web Application Security
Master's === National Taiwan University === Graduate Institute of Information Management === 98 === Web application security has become more and more important in recent years. There are several analysis techniques and tools in industry helping Web application developers to detect a variety of security vulnerabilities, such as Cross-Site Scripting and SQL In...
Main Authors: | , |
---|---|
Other Authors: | |
Format: | Others |
Language: | en_US |
Published: | 2010 |
Online Access: | http://ndltd.ncl.edu.tw/handle/90166127063998671631 |
id |
ndltd-TW-098NTU05396034 |
---|---|
record_format |
oai_dc |
spelling |
ndltd-TW-098NTU053960342015-10-13T18:49:40Z http://ndltd.ncl.edu.tw/handle/90166127063998671631 An Integrated Environment for Analyzing Web Application Security 一個分析網站應用安全之整合環境 Chih-Pin Tai 戴智斌 Master's National Taiwan University Graduate Institute of Information Management 98 Web application security has become more and more important in recent years. There are several analysis techniques and tools in industry helping Web application developers to detect a variety of security vulnerabilities, such as Cross-Site Scripting and SQL Injection. There are also several static analysis techniques and tools proposed by the academia for Web application security. By over approximation, these analysis techniques and tools can identify almost all security vulnerabilities, but produce excessive numbers of false positives. This causes a serious problem, as code reviewers will have to manually remove these false positives, which is very time-consuming. In this thesis, we focus on reducing false positives which result from incomplete dataflow analysis for two kinds of vulnerabilities, Cross-Site Scripting and SQL Injection. The main cause of incomplete dataflow analysis is that client-side programs including client-side scripts and HTML code are dynamically generated by server-side programs. The recent analysis techniques and tools do not trace dataflows across the boundary between the server-side and client-side programs. Moreover, the analysis techniques and tools do not trace dataflows across the database and do not take configuration files into consideration. To solve these problems, we propose to translate server-side programs, client-side programs, database and configuration files of Web applications into a one-language representation, namely CIL (C Intermediate Language). CIL comes with a library of analysis modules for C programs which we can leverage to perform different kinds of program analyses, including control flow analysis and dataflow analysis. We extract a client-side program for each webpage by static analysis and invoke it when the corresponding server-side program executes. Besides, we maintain structures in CIL that simulate the database and the HTML DOM. Finally, we define entry points of the Web application according to configuration files. Through analyzing the comprehensive suite of CIL programs translated from a website, we can identify Web application security vulnerabilities more precisely, and therefore solve the problem of false positives that come from incomplete dataflow analysis. 蔡益坤 2010 degree thesis ; thesis 87 en_US |
collection |
NDLTD |
language |
en_US |
format |
Others |
sources |
NDLTD |
description |
Master's === National Taiwan University === Graduate Institute of Information Management === 98 === Web application security has become more and more important in recent years. There are several analysis techniques and tools in industry helping Web application developers to detect a variety of security vulnerabilities, such as Cross-Site Scripting and SQL Injection. There are also several static analysis techniques and tools proposed by the academia for Web application security. By over approximation, these analysis techniques and tools can identify almost all security vulnerabilities, but produce excessive numbers of false positives. This causes a serious problem, as code reviewers will have to manually remove these false positives, which is very time-consuming.
In this thesis, we focus on reducing false positives which result from incomplete dataflow analysis for two kinds of vulnerabilities, Cross-Site Scripting and SQL Injection. The main cause of incomplete dataflow analysis is that client-side programs including client-side scripts and HTML code are dynamically generated by server-side programs. The recent analysis techniques and tools do not trace dataflows across the boundary between the server-side and client-side programs. Moreover, the analysis techniques and tools do not trace dataflows across the database and do not take configuration files into consideration.
To solve these problems, we propose to translate server-side programs, client-side programs, database and configuration files of Web applications into a one-language representation, namely CIL (C Intermediate Language). CIL comes with a library of analysis modules for C programs which we can leverage to perform different kinds of program analyses, including control flow analysis and dataflow analysis. We extract a client-side program for each webpage by static analysis and invoke it when the corresponding server-side program executes. Besides, we maintain structures in CIL that simulate the database and the HTML DOM. Finally, we define entry points of the Web application according to configuration files. Through analyzing the comprehensive suite of CIL programs translated from a website, we can identify Web application security vulnerabilities more precisely, and therefore solve the problem of false positives that come from incomplete dataflow analysis.
|
author2 |
蔡益坤 |
author_facet |
蔡益坤 Chih-Pin Tai 戴智斌 |
author |
Chih-Pin Tai 戴智斌 |
spellingShingle |
Chih-Pin Tai 戴智斌 An Integrated Environment for Analyzing Web Application Security |
author_sort |
Chih-Pin Tai |
title |
An Integrated Environment for Analyzing Web Application Security |
title_short |
An Integrated Environment for Analyzing Web Application Security |
title_full |
An Integrated Environment for Analyzing Web Application Security |
title_fullStr |
An Integrated Environment for Analyzing Web Application Security |
title_full_unstemmed |
An Integrated Environment for Analyzing Web Application Security |
title_sort |
integrated environment for analyzing web application security |
publishDate |
2010 |
url |
http://ndltd.ncl.edu.tw/handle/90166127063998671631 |
work_keys_str_mv |
AT chihpintai anintegratedenvironmentforanalyzingwebapplicationsecurity AT dàizhìbīn anintegratedenvironmentforanalyzingwebapplicationsecurity AT chihpintai yīgèfēnxīwǎngzhànyīngyòngānquánzhīzhěnghéhuánjìng AT dàizhìbīn yīgèfēnxīwǎngzhànyīngyòngānquánzhīzhěnghéhuánjìng AT chihpintai integratedenvironmentforanalyzingwebapplicationsecurity AT dàizhìbīn integratedenvironmentforanalyzingwebapplicationsecurity |
_version_ |
1718038352216719360 |