Title :
WAFA: Fine-grained dynamic analysis of web applications
Author :
Alalfi, Manar H. ; Cordy, James R. ; Dean, Thomas R.
Author_Institution :
Sch. of Comput., Queen´´s Univ., Kingston, ON, Canada
Abstract :
Database interactions are a vital source of information in the analysis of highly dynamic systems such as web applications. Most web application security vulnerabilities, such as SQL injection and broken access control, can be traced to problems in database interactions. which are implemented as a set of embedded or constructed SQL statements. The identification and analysis of these embedded statements as an integral component of the host application requires complex analysis including robust parsing, pattern matching, control flow and data flow analysis. In this paper, we propose an approach to this problem using source transformation technology. A rich model of fine-grained information is extracted from dynamic web applications, allowing us to reason not only about the SQL embedded system, but also about page access, server environment variables, cookies and session management functions. We evaluate our system on the popular bulletin board web application PhpBB, a PHP / MySQL-based dynamic web application.
Keywords :
Internet; SQL; authorisation; data flow computing; SQL injection; WAFA; broken access control; complex analysis; control flow; data flow analysis; database interactions; fine grained dynamic analysis; pattern matching; robust parsing; server environment variables; session management functions; source transformation technology; vital source; web application security; Analytical models; Data mining; Databases; Grammar; Instruments; Runtime; Servers;
Conference_Titel :
Web Systems Evolution (WSE), 2009 11th IEEE International Symposium on
Conference_Location :
Edmonton, AB
Print_ISBN :
978-1-4244-5124-1
DOI :
10.1109/WSE.2009.5631226
