
Tailored Shielding and Bypass Testing of Web Applications

by Tejedinne Mouelhi, Yves Le Traon, Erwan Abgrall, Benoit Baudry, Sylvain Gombault
Abstract:
User input validation is a technique to counter attacks on web applications. In typical client-server architectures, this validation is performed on the client side. This is inefficient because hackers bypass these checks and directly send malicious data to the server. User input validation thus has to be duplicated from the client side (HTML pages) to the server side (PHP, JSP, etc.). We present a black-box approach for shielding and testing web applications against bypass attacks. We automatically analyze HTML pages in order to extract all the constraints on user inputs in addition to the JavaScript validation code. Then, we leverage these constraints for an automated synthesis of a shield, a reverse-proxy tool that protects the server side. The originality and main contribution of this paper is to offer a solution specifically tailored to the web application, through a preliminary learning/analysis step. An experimental study on several open-source web applications evaluates the effectiveness of the protection tool, the different flaws detected by the testing tool, and the impact of the shield on performance.
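The abstract's core idea is that the constraints a form already declares on the client side (maxlength, pattern, numeric ranges, the option values of a select) can be harvested from the HTML and re-enforced in front of the server, where a bypass attacker who skips the browser cannot evade them. The following Python example, added here and not the paper's own tool, shows that two-step pipeline on a constructed registration form: a parser extracts the HTML attribute constraints, and a check function applies them to a submitted parameter set the way a reverse-proxy shield would, flagging unexpected parameters, over-long or ill-formed values, out-of-range numbers and option values that the form never offered. The JavaScript-validation side of the paper's approach is not modelled.

```python
from html.parser import HTMLParser
import re

# Constructed sample form, standing in for a page fetched from the application under test.
SAMPLE_FORM = """
<form action="/register" method="post">
  <input type="text" name="username" maxlength="12" pattern="[a-z0-9_]+" required>
  <input type="number" name="age" min="13" max="120">
  <select name="role">
    <option value="user">User</option>
    <option value="guest">Guest</option>
  </select>
  <input type="checkbox" name="newsletter" value="yes">
  <input type="submit" value="Sign up">
</form>
"""


class FormConstraintExtractor(HTMLParser):
    """Collect per-parameter constraints declared on <input> and <select> elements."""

    def __init__(self):
        super().__init__()
        self.constraints = {}      # parameter name -> dict of constraints
        self._current_select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            name = a.get("name")
            if not name or a.get("type") == "submit":
                return
            c = self.constraints.setdefault(name, {})
            if "maxlength" in a:
                c["maxlength"] = int(a["maxlength"])
            if "pattern" in a:
                c["pattern"] = a["pattern"]
            if a.get("type") == "number":
                c["number"] = (float(a["min"]) if "min" in a else None,
                               float(a["max"]) if "max" in a else None)
            if a.get("type") in ("checkbox", "radio") and "value" in a:
                c.setdefault("allowed", set()).add(a["value"])
        elif tag == "select":
            self._current_select = a.get("name")
            if self._current_select:
                self.constraints.setdefault(self._current_select, {}).setdefault("allowed", set())
        elif tag == "option" and self._current_select:
            self.constraints[self._current_select]["allowed"].add(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "select":
            self._current_select = None


def extract_constraints(html):
    """Learning step: return {parameter: constraints} for every field found in the HTML."""
    p = FormConstraintExtractor()
    p.feed(html)
    return p.constraints


def check_request(constraints, params):
    """Shield step: return (parameter, reason) pairs for every violated constraint.

    params is the submitted request as {name: value}; an empty list means the request
    honours everything the form declared and can be forwarded to the server."""
    violations = []
    for name, value in params.items():
        c = constraints.get(name)
        if c is None:
            # A parameter the form never offered is a classic bypass indicator.
            violations.append((name, "parameter not present in the form"))
            continue
        if "maxlength" in c and len(value) > c["maxlength"]:
            violations.append((name, "exceeds maxlength=%d" % c["maxlength"]))
        # HTML5 'pattern' must match the whole value, hence fullmatch rather than search.
        if "pattern" in c and re.fullmatch(c["pattern"], value) is None:
            violations.append((name, "does not match pattern"))
        if "number" in c:
            lo, hi = c["number"]
            try:
                n = float(value)
            except ValueError:
                violations.append((name, "not numeric"))
            else:
                if (lo is not None and n < lo) or (hi is not None and n > hi):
                    violations.append((name, "outside [%s, %s]" % (lo, hi)))
        if "allowed" in c and value not in c["allowed"]:
            violations.append((name, "value not among the form's options"))
    return violations


if __name__ == "__main__":
    learned = extract_constraints(SAMPLE_FORM)
    for v in check_request(learned, {"username": "x" * 20, "age": "999",
                                     "role": "admin", "debug": "1"}):
        print("reject %s: %s" % v)
```

Running the block prints one rejection per violated constraint; a proxy built on this would drop such a request before it reaches the PHP or JSP handler, which is the duplication of client-side checks the abstract argues for, obtained without editing the server code. Required fields and the JavaScript validators are deliberately left out so the example stays focused on the attribute constraints.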
Reference:
Tailored Shielding and Bypass Testing of Web Applications (Tejedinne Mouelhi, Yves Le Traon, Erwan Abgrall, Benoit Baudry, Sylvain Gombault), In Proceedings of the International Conference on Software Testing, Verification and Validation (ICST), IEEE, 2011.
Bibtex Entry:
@inproceedings{Mouelhi2011,
	Abstract = {User input validation is a technique to counter attacks
        on web applications. In typical client-server
        architectures, this validation is performed on the client
        side. This is inefficient because hackers bypass these
        checks and directly send malicious data to the server.
        User input validation thus has to be duplicated from
        the client side (HTML pages) to the server side (PHP,
        JSP, etc.).
        We present a black-box approach for shielding and
        testing web applications against bypass attacks. We
        automatically analyze HTML pages in order to extract
        all the constraints on user inputs in addition to the
        JavaScript validation code. Then, we leverage these
        constraints for an automated synthesis of a shield, a
        reverse-proxy tool that protects the server side. The
        originality and main contribution of this paper is to
        offer a solution specifically tailored to the web application,
        through a preliminary learning/analysis step.
        An experimental study on several open-source web applications
        evaluates the effectiveness of the protection
        tool, the different flaws detected by the testing
        tool, and the impact of the shield on performance.},
	Address = {Berlin, Germany},
	keywords = {test, security},
	Author = {Mouelhi, Tejedinne and Le Traon, Yves and Abgrall, Erwan and Baudry, Benoit and Gombault, Sylvain},
	Booktitle = {Proceedings of the International Conference on Software Testing, Verification and Validation (ICST)},
	Month = {March},
	Publisher = {IEEE},
	Title = {Tailored Shielding and Bypass Testing of Web Applications},
	Url = {http://www.irisa.fr/triskell/perso_pro/bbaudry/publis/mouelhi11.pdf},
	X-International-Audience = {yes},
	X-Language = {EN},
	X-Proceedings = {yes},
	x-abbrv = {ICST},
	Year = {2011},
	pages = {210 - 219},
	Bdsk-Url-1 = {http://www.irisa.fr/triskell/perso_pro/bbaudry/publis/mouelhi11.pdf}}