TC: Small: Collaborative Research: Viewpoints: Discovering Client- and Server-side Input Validation Inconsistencies to Improve Web Application Security

TC：小型：协作研究：观点：发现客户端和服务器端输入验证不一致以提高 Web 应用程序安全性

• 批准号: 1116967
• 负责人: Tevfik Bultan
• 金额: $ 30万
• 依托单位: University of California-Santa Barbara
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-10-01 至 2014-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1116967&HistoricalAwards=false
• 关键词: TC; Small; Collaborative; Research; Viewpoints

Web applications are an increasingly important part of many aspects of the society, from social interactions to business transactions. Hence, security of web applications is an extremely important and urgent problem. Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a typical target for attackers. In particular, attacks that target input validation vulnerabilities are extremely common and effective. Some of these attacks exploit well-known vulnerabilities, such as cross-site scripting and SQL injection, whereas some others exploit application-specific vulnerabilities that are hard to identify because they depend on the particular input validation logic of the target application. In general, these attacks exploit erroneous or insufficient input validation and sanitization to inject malicious data that can result in execution of harmful commands and access to sensitive information.This research aims to identify and mitigate these vulnerabilities in web applications by performing automatic checking of input validation and sanitization operations. The key insight for this work comes from the observation that developers often introduce redundant checks in both the front-end (client) and the back-end (server) component of a web application. Client-side checks are fast and can improve performance and responsiveness of the application, but can be easily circumvented; server-side checks are hard to circumvent, but require network round-trips and additional server-side processing. Our intuition is that the checks performed at the client and server sides should enforce the same set of constraints on the inputs: if client-side checks are more restrictive, the server may accept inputs that legitimate clients can never produce, as malicious users can easily bypass client-side checks. Conversely, if server-side checks are more restrictive, the client may produce requests that are subsequently rejected by the server, which is not ideal from a performance point of view. This research will develop new techniques based on program analysis, string analysis, and code synthesis that can identify, map, model, and compare the set of checks performed on the client and server sides. These techniques will be able to identify and report inconsistencies between the two sets of checks and (semi)automatically extend the checks to eliminate such inconsistencies. By making web applications more secure and efficient, this research has the potential to benefit the increasingly large part of the society that relies on the use of web applications for its daily activities.

Web应用程序是从社会互动到业务交易的社会许多方面越来越重要的部分。因此，Web应用程序的安全是一个极其重要和紧迫的问题。 由于Web应用程序很容易访问，并且经常存储大量敏感用户信息，因此它们是攻击者的典型目标。特别是，针对输入验证漏洞的攻击非常普遍且有效。其中一些攻击利用了众所周知的漏洞，例如跨站点脚本和SQL注入，而其他一些攻击则利用了特定于应用程序的特定漏洞，这些漏洞很难识别，因为它们取决于目标应用程序的特定输入验证逻辑。通常，这些攻击利用了错误或不足的输入验证和消毒来注入恶意数据，这些数据可能导致有害命令并访问敏感信息。这项研究旨在通过执行输入验证和消毒操作的自动检查Web应用程序中识别和减轻Web应用程序中的这些脆弱性。这项工作的关键洞察力来自于这样的观察结果，即开发人员经常在Web应用程序的前端（客户端）和后端（服务器）组件中引入冗余检查。 客户端检查很快，可以提高应用程序的性能和响应能力，但可以轻松规避；服务器端检查很难规避，但是需要网络往返和其他服务器端处理。 我们的直觉是，在客户端和服务器侧执行的检查应在输入上执行相同的约束集：如果客户端检查更具限制性，服务器可能会接受合法客户端无法产生的输入，因为恶意用户可以轻松绕过客户端检查。相反，如果服务器端检查更具限制性，则客户端可能会产生服务器随后拒绝的请求，从性能角度来看，这不是理想的选择。这项研究将基于程序分析，字符串分析和代码合成开发新技术，这些技术可以识别，映射，建模和比较在客户端和服务器侧面执行的检查集。这些技术将能够识别和报告两组检查之间的不一致之处，（半）自动扩展了检查以消除此类不一致之处。 通过使Web应用程序更加安全和高效，这项研究有可能使日常活动使用Web应用程序的社会越来越多的社会受益。