Title: Verifying client-side input validation functions using string analysis

Author: Alkhalaf, Muath; Bultan, Tevfik; Gallegos, Jose L.

Author_Institution: Comput. Sci. Dept., Univ. of California, Santa Barbara, CA, USA

Abstract:
Client-side computation in web applications is becoming increasingly common due to the popularity of powerful client-side programming languages such as JavaScript. Client-side computation is commonly used to improve an application's responsiveness by validating user inputs before they are sent to the server. In this paper, we present an analysis technique for checking whether a client-side input validation function conforms to a given policy. In our approach, input validation policies are expressed using two regular expressions: one specifying the maximum policy (the upper bound for the set of inputs that should be allowed) and the other specifying the minimum policy (the lower bound for the set of inputs that should be allowed). Using our analysis we can identify two types of errors: 1) the input validation function accepts an input that is not permitted by the maximum policy, or 2) the input validation function rejects an input that is permitted by the minimum policy. We implemented our analysis using dynamic slicing to automatically extract the input validation functions from web applications and automata-based string analysis to analyze the extracted functions. Our experiments demonstrate that our approach is effective in finding errors in input validation functions that we collected from real-world applications and from tutorials and books for teaching JavaScript.
Keywords: Java; formal verification; JavaScript; Web applications; automata based string analysis; client side computation; client side input validation function verification; client-side programming languages; clientside computation; extracted functions; string analysis; Algorithm design and analysis; Browsers; Doped fiber amplifiers; Electronic mail; HTML; Lattices; Reactive power;

Conference_Title: Software Engineering (ICSE), 2012 34th International Conference on

Conference_Location: Zurich

Print_ISBN: 978-1-4673-1066-6

Electronic_ISBN: 0270-5257

DOI: 10.1109/ICSE.2012.6227124