Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
CCS
2010
ACM
2010
ACM
Symbolic security analysis of ruby-on-rails web applications
Many of today's web applications are built on frameworks that include sophisticated defenses against malicious adversaries. However, mistakes in the way developers deploy those defenses could leave applications open to attack. To address this issue, we introduce Rubyx, a symbolic executor that we use to analyze Ruby-onRails web applications for security vulnerabilities. Rubyx specifications can easily be adapted to a variety of properties, since they are built from general assertions, assumptions, and object invariants. We show how to write Rubyx specifications to detect susceptibility to cross-site scripting and cross-site request forgery, insufficient authentication, leaks of secret information, insufficient access control, as well as application-specific security properties. We used Rubyx to check seven web applications from various sources against our specifications. We found many vulnerabilities, and each application was subject to at least one critical attack. Encouragingly...
Real-time TrafficRelated Content
| Added | 06 Dec 2010 |
| Updated | 06 Dec 2010 |
| Type | Conference |
| Year | 2010 |
| Where | CCS |
| Authors | Avik Chaudhuri, Jeffrey S. Foster |
Comments (0)
Researcher Info
|
