TC: Small: Collaborative Research: Viewpoints: Discovering Client- and Server-side Input Validation Inconsistencies to Improve Web Application Security

TC：小型：协作研究：观点：发现客户端和服务器端输入验证不一致以提高 Web 应用程序安全性

• 批准号: 1116967
• 负责人: Tevfik Bultan
• 金额: $ 30万
• 依托单位: University of California-Santa Barbara
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-10-01 至 2014-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1116967&HistoricalAwards=false
• 关键词: TC; Small; Collaborative; Research; Viewpoints

Web applications are an increasingly important part of many aspects of the society, from social interactions to business transactions. Hence, security of web applications is an extremely important and urgent problem. Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a typical target for attackers. In particular, attacks that target input validation vulnerabilities are extremely common and effective. Some of these attacks exploit well-known vulnerabilities, such as cross-site scripting and SQL injection, whereas some others exploit application-specific vulnerabilities that are hard to identify because they depend on the particular input validation logic of the target application. In general, these attacks exploit erroneous or insufficient input validation and sanitization to inject malicious data that can result in execution of harmful commands and access to sensitive information.This research aims to identify and mitigate these vulnerabilities in web applications by performing automatic checking of input validation and sanitization operations. The key insight for this work comes from the observation that developers often introduce redundant checks in both the front-end (client) and the back-end (server) component of a web application. Client-side checks are fast and can improve performance and responsiveness of the application, but can be easily circumvented; server-side checks are hard to circumvent, but require network round-trips and additional server-side processing. Our intuition is that the checks performed at the client and server sides should enforce the same set of constraints on the inputs: if client-side checks are more restrictive, the server may accept inputs that legitimate clients can never produce, as malicious users can easily bypass client-side checks. Conversely, if server-side checks are more restrictive, the client may produce requests that are subsequently rejected by the server, which is not ideal from a performance point of view. This research will develop new techniques based on program analysis, string analysis, and code synthesis that can identify, map, model, and compare the set of checks performed on the client and server sides. These techniques will be able to identify and report inconsistencies between the two sets of checks and (semi)automatically extend the checks to eliminate such inconsistencies. By making web applications more secure and efficient, this research has the potential to benefit the increasingly large part of the society that relies on the use of web applications for its daily activities.

Web 应用程序是社会许多方面（从社交互动到商业交易）中日益重要的组成部分。因此，Web应用的安全是一个极其重要和紧迫的问题。 由于Web应用程序易于访问，并且通常存储大量敏感的用户信息，因此它们是攻击者的典型目标。特别是，针对输入验证漏洞的攻击极其常见且有效。其中一些攻击利用众所周知的漏洞，例如跨站点脚本和 SQL 注入，而另一些攻击则利用难以识别的特定于应用程序的漏洞，因为它们依赖于目标应用程序的特定输入验证逻辑。一般来说，这些攻击利用错误或不充分的输入验证和清理来注入恶意数据，从而导致执行有害命令并访问敏感信息。本研究旨在通过执行输入验证的自动检查来识别和缓解 Web 应用程序中的这些漏洞和消毒操作。这项工作的关键见解来自于对开发人员经常在 Web 应用程序的前端（客户端）和后端（服务器）组件中引入冗余检查的观察。 客户端检查速度很快，可以提高应用程序的性能和响应能力，但很容易被规避；服务器端检查很难规避，但需要网络往返和额外的服务器端处理。 我们的直觉是，在客户端和服务器端执行的检查应该对输入强制执行相同的一组约束：如果客户端检查更具限制性，则服务器可能会接受合法客户端永远无法生成的输入，因为恶意用户可以轻松地绕过客户端检查。相反，如果服务器端检查更加严格，则客户端可能会产生随后被服务器拒绝的请求，从性能角度来看这并不理想。这项研究将开发基于程序分析、字符串分析和代码合成的新技术，可以识别、映射、建模和比较在客户端和服务器端执行的检查集。这些技术将能够识别和报告两组检查之间的不一致，并（半）自动扩展检查以消除此类不一致。 通过使网络应用程序更加安全和高效，这项研究有可能使依赖网络应用程序进行日常活动的社会中越来越多的人受益。