An Integrated Environment for Analyzing Web Application Security

Master's === National Taiwan University === Graduate Institute of Information Management === 98 === Web application security has become more and more important in recent years. There are several analysis techniques and tools in industry helping Web application developers to detect a variety of security vulnerabilities, such as Cross-Site Scripting and SQL In...

Bibliographic Details
Main Authors: Chih-Pin Tai, 戴智斌
Other Authors: 蔡益坤
Format: Others
Language: en_US
Published: 2010
Online Access: http://ndltd.ncl.edu.tw/handle/90166127063998671631
id ndltd-TW-098NTU05396034
record_format oai_dc
spelling ndltd-TW-098NTU05396034 2015-10-13T18:49:40Z http://ndltd.ncl.edu.tw/handle/90166127063998671631 An Integrated Environment for Analyzing Web Application Security 一個分析網站應用安全之整合環境 Chih-Pin Tai 戴智斌 Master's, National Taiwan University, Graduate Institute of Information Management, 98

Web application security has become more and more important in recent years. There are several analysis techniques and tools in industry that help Web application developers detect a variety of security vulnerabilities, such as Cross-Site Scripting and SQL Injection. There are also several static analysis techniques and tools proposed by academia for Web application security. By over-approximation, these analysis techniques and tools can identify almost all security vulnerabilities, but they produce excessive numbers of false positives. This causes a serious problem, as code reviewers have to remove these false positives manually, which is very time-consuming.

In this thesis, we focus on reducing the false positives that result from incomplete dataflow analysis for two kinds of vulnerabilities, Cross-Site Scripting and SQL Injection. The main cause of incomplete dataflow analysis is that client-side programs, including client-side scripts and HTML code, are dynamically generated by server-side programs. The recent analysis techniques and tools do not trace dataflows across the boundary between the server-side and client-side programs. Moreover, they do not trace dataflows across the database and do not take configuration files into consideration.

To solve these problems, we propose to translate the server-side programs, client-side programs, database and configuration files of Web applications into a one-language representation, namely CIL (C Intermediate Language). CIL comes with a library of analysis modules for C programs which we can leverage to perform different kinds of program analyses, including control flow analysis and dataflow analysis. We extract a client-side program for each webpage by static analysis and invoke it when the corresponding server-side program executes. Besides, we maintain structures in CIL that simulate the database and the HTML DOM. Finally, we define entry points of the Web application according to configuration files. Through analyzing the comprehensive suite of CIL programs translated from a website, we can identify Web application security vulnerabilities more precisely, and therefore solve the problem of false positives that come from incomplete dataflow analysis.

蔡益坤 2010 degree thesis ; thesis 87 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
author2 蔡益坤
author_facet 蔡益坤
Chih-Pin Tai
戴智斌
author Chih-Pin Tai
戴智斌
title An Integrated Environment for Analyzing Web Application Security
publishDate 2010
url http://ndltd.ncl.edu.tw/handle/90166127063998671631