Sciweavers

SP
2008
IEEE

Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

13 years 10 months ago
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
Web applications are ubiquitous, perform missioncritical tasks, and handle sensitive user data. Unfortunately, web applications are often implemented by developers with limited security skills, and, as a result, they contain vulnerabilities. Most of these vulnerabilities stem from the lack of input validation. That is, web applications use malicious input as part of a sensitive operation, without having properly checked or sanitized the input values prior to their use. Past research on vulnerability analysis has mostly focused on identifying cases in which a web application directly uses external input in critical operations. However, little research has been performed to analyze the correctness of the sanitization process. Thus, whenever a web application applies some sanitization routine to potentially malicious input, the vulnerability analysis assumes that the result is innocuous. Unfortunately, this might not be the case, as the sanitization process itself could be incorrect or i...
Davide Balzarotti, Marco Cova, Viktoria Felmetsger
Added 01 Jun 2010
Updated 01 Jun 2010
Type Conference
Year 2008
Where SP
Authors Davide Balzarotti, Marco Cova, Viktoria Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna
Comments (0)