FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications

In Proc. of the 17th Annual Network and Distributed System Security Symposium (NDSS), Feb 2010

Abstract

The complexity of the client-side components of web applications has exploded with the increase in popularity of web 2.0 applications. Today, traditional desktop applications, such as document viewers, presentation tools and chat applications are commonly available as online JavaScript applications. Previous research on web vulnerabilities has primarily concentrated on flaws in the server-side components of web applications. This paper highlights a new class of vulnerabilities, which we term client-side validation (or CSV) vulnerabilities. CSV vulnerabilities arise from unsafe usage of untrusted data in the client-side code of the web application that is typically written in JavaScript. In this paper, we demonstrate that they can result in a broad spectrum of attacks. Our work provides empirical evidence that CSV vulnerabilities are not merely conceptual but are prevalent in today’s web applications. We propose dynamic analysis techniques to systematically discover vulnerabilities of this class. The techniques are light-weight, efficient, and have no false positives. We implemented our techniques in a prototype tool called FLAX, which scales to real-world applications and has discovered 11 vulnerabilities in the wild so far.
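The abstract defines a CSV vulnerability as unsafe use of untrusted data inside client-side JavaScript. The following is an added illustration, not code from the paper or from FLAX: it shows the pattern in miniature, with a value taken from a constructed URL fragment (standing in for `window.location.hash`) flowing into generated markup, first without any check and then with allowlist validation plus escaping. All function names (`parseFragment`, `renderViewUnsafe`, `renderViewSafe`, `fragmentIsSuspicious`) and the sample fragments are hypothetical; the code avoids the DOM so it runs under Node as well as in a browser.

```javascript
// Added example (not from the paper): a client-side validation (CSV) pattern
// in plain JavaScript. Untrusted data reaching client-side code, here a
// constructed URL fragment, must be validated before it influences the DOM.
// All names and sample values below are hypothetical/constructed.

// Constructed sample inputs standing in for window.location.hash values.
const SAMPLE_FRAGMENTS = [
  "#view=inbox",
  "#view=<b>contacts</b>",      // untrusted markup arrives in the fragment
  "#view=settings&theme=dark",
];

// Parse a fragment of the form "#k=v&k2=v2" into a prototype-less object.
function parseFragment(hash) {
  const out = Object.create(null);
  const body = hash.startsWith("#") ? hash.slice(1) : hash;
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const [key, ...rest] = pair.split("=");
    out[decodeURIComponent(key)] = decodeURIComponent(rest.join("="));
  }
  return out;
}

// Vulnerable pattern: the fragment value is concatenated into HTML as-is.
// This is the kind of unsafe use of untrusted client-side data the paper
// classifies as a CSV vulnerability (kept here only for comparison).
function renderViewUnsafe(hash) {
  const params = parseFragment(hash);
  return `<div class="view">${params.view}</div>`;
}

// Hardened pattern: the value is checked against the set of views the
// application actually defines; anything else falls back to a default.
const KNOWN_VIEWS = new Set(["inbox", "contacts", "settings"]);

function validateView(value) {
  return KNOWN_VIEWS.has(value) ? value : "inbox";
}

// Escaping is a second layer of defence in case a value is ever rendered
// as markup rather than as text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderViewSafe(hash) {
  const params = parseFragment(hash);
  const view = validateView(params.view);
  return `<div class="view">${escapeHtml(view)}</div>`;
}

// A tiny check in the spirit of the paper's goal: flag a fragment whose value
// the unsafe path would accept verbatim but the validator rejects.
function fragmentIsSuspicious(hash) {
  const view = parseFragment(hash).view;
  return view !== undefined && !KNOWN_VIEWS.has(view);
}

// Walk the constructed samples and show what each path produces.
for (const h of SAMPLE_FRAGMENTS) {
  console.log(h, "->", renderViewSafe(h), fragmentIsSuspicious(h) ? "(rejected)" : "");
}
```

The contrast between `renderViewUnsafe` and `renderViewSafe` is the whole point: the data source (a fragment the user or a link fully controls) is the same in both, and only the presence of validation before use separates a CSV vulnerability from correct code. A dynamic analysis of the kind the abstract describes is essentially hunting for paths that look like the first function.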