FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications
In Proc. of the 17th Annual Network and Distributed System Security Symposium (NDSS), Feb 2010
@InProceedings{saxena10kudzu,
author = {Prateek Saxena and Steve Hanna and Pongsin Poosankam and Dawn Song},
title = {FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications},
booktitle = {Proc. of the 17th Annual Network and Distributed System Security Symposium (NDSS)},
year = {2010},
}
Abstract
The complexity of the client-side components of web applications has
exploded with the increase in popularity of web 2.0
applications. Today, traditional desktop applications, such as
document viewers, presentation tools and chat applications, are
commonly available as online JavaScript applications.
Previous research on web vulnerabilities has primarily concentrated on
flaws in the server-side components of web applications. This paper
highlights a new class of vulnerabilities, which we term client-side
validation (or CSV) vulnerabilities. CSV vulnerabilities arise from
unsafe usage of untrusted data in the client-side code of the web
applica- tion that is typically written in JavaScript. In this paper,
we demonstrate that they can result in a broad spectrum of
attacks. Our work provides empirical evidence that CSV vulnerabilities
are not merely conceptual but are prevalent in today’s web
applications.
We propose dynamic analysis techniques to systematically discover
vulnerabilities of this class. The techniques are light-weight,
efficient, and have no false positives. We implemented our techniques
in a prototype tool called FLAX, which scales to real-world
applications and has discovered 11 vulnerabilities in the wild so
far.