Tailored Shielding and Bypass Testing of Web Applications

Abstract : User input validation is a technique to counter attacks on web applications. In typical client-server architectures, this validation is performed on the client side. This is inefficient because hackers bypass these checks and directly send malicious data to the server. User input validation thus has to be duplicated from the client-side (HTML pages) to the server-side (PHP or JSP etc.). We present a black-box approach for shielding and testing web application against bypass attacks. We automatically analyze HTML pages in order to extract all the constraints on user inputs in addition to the JavaScript validation code. Then, we leverage these constraints for an automated synthesis of a shield, a reverse-proxy tool that protects the server side. The originality and main contribution of this paper is to offer a solution specifically tailored to the web application, through a preliminary learning/analysis step. An experimental study on several open-source webapplications evaluates the effectiveness of the protection tool and the different flaws detected by the testing too and the impact of the shield on performance.
Type de document :
Communication dans un congrès
International Conference on Software Testing Verification and Validation, Mar 2011, Berlin, Germany. 2011
Liste complète des métadonnées

https://hal.inria.fr/hal-00646424
Contributeur : Benoit Baudry <>
Soumis le : mardi 29 novembre 2011 - 22:54:18
Dernière modification le : mercredi 5 septembre 2018 - 10:36:02
Document(s) archivé(s) le : lundi 5 décembre 2016 - 01:15:21

Fichier

ICST2011-Mouelhi-Shielding-Byp...
Fichiers produits par l'(les) auteur(s)

Identifiants

  • HAL Id : hal-00646424, version 1

Citation

Tejeddine Mouelhi, Yves Le Traon, Erwan Abgrall, Benoit Baudry, Sylvain Gombault. Tailored Shielding and Bypass Testing of Web Applications. International Conference on Software Testing Verification and Validation, Mar 2011, Berlin, Germany. 2011. 〈hal-00646424〉

Partager

Métriques

Consultations de la notice

755

Téléchargements de fichiers

478