Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

May 18-May 21

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/SP.2008.22

2008 IEEE Symposium on Security and P ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Davide Balzarotti Articles by Marco Cova Articles by Vika Felmetsger Articles by Nenad Jovanovic Articles by Engin Kirda Articles by Christopher Kruegel Articles by Giovanni Vigna

	ASCII Text	x
	Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna, "Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications," Security and Privacy, IEEE Symposium on, pp. 387-401, 2008 IEEE Symposium on Security and Privacy (sp 2008), 2008.

	BibTex	x
	@article{ 10.1109/SP.2008.22, author = {Davide Balzarotti and Marco Cova and Vika Felmetsger and Nenad Jovanovic and Engin Kirda and Christopher Kruegel and Giovanni Vigna}, title = {Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications}, journal ={Security and Privacy, IEEE Symposium on}, volume = {0}, year = {2008}, isbn = {978-0-7695-3168-7}, pages = {387-401}, doi = {http://doi.ieeecomputersociety.org/10.1109/SP.2008.22}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Security and Privacy, IEEE Symposium on TI - Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications SN - 978-0-7695-3168-7 SP387 EP401 A1 - Davide Balzarotti, A1 - Marco Cova, A1 - Vika Felmetsger, A1 - Nenad Jovanovic, A1 - Engin Kirda, A1 - Christopher Kruegel, A1 - Giovanni Vigna, PY - 2008 KW - null VL - 0 JA - Security and Privacy, IEEE Symposium on ER -

Web applications are ubiquitous, perform mission-critical tasks, and handle sensitive user data. Unfortunately, web applications are often implemented by developers with limited security skills, and, as a result, they contain vulnerabilities. Most of these vulnerabilities stem from the lack of input validation. That is, web applications use malicious input as part of a sensitive operation, without having properly checked or sanitized the input values prior to their use.Past research on vulnerability analysis has mostly focused on identifying cases in which a web application directly uses external input in critical operations. However, little research has been performed to analyze the correctness of the sanitization process. Thus, whenever a web application applies some sanitization routine to potentially malicious input, the vulnerability analysis assumes that the result is innocuous. Unfortunately, this might not be the case, as the sanitization process itself could be incorrect or incomplete.In this paper, we present a novel approach to the analysis of the sanitization process. More precisely, we combine static and dynamic analysis techniques to identify faultysanitization procedures that can be bypassed by an attacker. We implemented our approach in a tool, called Saner, and we applied it to a number of real-world applications. Our results demonstrate that we were able to identify several novel vulnerabilities that stem from erroneous sanitization procedures.

Citation:

Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna, "Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications," sp, pp.387-401, 2008 IEEE Symposium on Security and Privacy (sp 2008), 2008

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.