Skip to Main content Skip to Navigation
New interface
Conference papers

Tailored Shielding and Bypass Testing of Web Applications

Abstract : User input validation is a technique to counter attacks on web applications. In typical client-server architectures, this validation is performed on the client side. This is inefficient because hackers bypass these checks and directly send malicious data to the server. User input validation thus has to be duplicated from the client-side (HTML pages) to the server-side (PHP or JSP etc.). We present a black-box approach for shielding and testing web application against bypass attacks. We automatically analyze HTML pages in order to extract all the constraints on user inputs in addition to the JavaScript validation code. Then, we leverage these constraints for an automated synthesis of a shield, a reverse-proxy tool that protects the server side. The originality and main contribution of this paper is to offer a solution specifically tailored to the web application, through a preliminary learning/analysis step. An experimental study on several open-source webapplications evaluates the effectiveness of the protection tool and the different flaws detected by the testing too and the impact of the shield on performance.
Document type :
Conference papers
Complete list of metadata
Contributor : Benoit Baudry Connect in order to contact the contributor
Submitted on : Tuesday, November 29, 2011 - 10:54:18 PM
Last modification on : Wednesday, April 6, 2022 - 3:48:09 PM
Long-term archiving on: : Monday, December 5, 2016 - 1:15:21 AM


Files produced by the author(s)


  • HAL Id : hal-00646424, version 1


Tejeddine Mouelhi, Yves Le Traon, Erwan Abgrall, Benoit Baudry, Sylvain Gombault. Tailored Shielding and Bypass Testing of Web Applications. International Conference on Software Testing Verification and Validation, Mar 2011, Berlin, Germany. ⟨hal-00646424⟩



Record views


Files downloads