2012 IEEE Symposium on Security and Privacy (2008)
May 18, 2008 to May 21, 2008
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SP.2008.22
Web applications are ubiquitous, perform mission-critical tasks, and handle sensitive user data. Unfortunately, web applications are often implemented by developers with limited security skills, and, as a result, they contain vulnerabilities. Most of these vulnerabilities stem from the lack of input validation. That is, web applications use malicious input as part of a sensitive operation, without having properly checked or sanitized the input values prior to their use.Past research on vulnerability analysis has mostly focused on identifying cases in which a web application directly uses external input in critical operations. However, little research has been performed to analyze the correctness of the sanitization process. Thus, whenever a web application applies some sanitization routine to potentially malicious input, the vulnerability analysis assumes that the result is innocuous. Unfortunately, this might not be the case, as the sanitization process itself could be incorrect or incomplete.In this paper, we present a novel approach to the analysis of the sanitization process. More precisely, we combine static and dynamic analysis techniques to identify faultysanitization procedures that can be bypassed by an attacker. We implemented our approach in a tool, called Saner, and we applied it to a number of real-world applications. Our results demonstrate that we were able to identify several novel vulnerabilities that stem from erroneous sanitization procedures.
Engin Kirda, Vika Felmetsger, Nenad Jovanovic, Marco Cova, Davide Balzarotti, Giovanni Vigna, Christopher Kruegel, "Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications", 2012 IEEE Symposium on Security and Privacy, vol. 00, no. , pp. 387-401, 2008, doi:10.1109/SP.2008.22