| With the development of web technology, web application is becoming more and more popular. Meanwhile, web attacks are becoming increasingly frequent. As a result, the problem of exploiting web security flaws has attracted much attention. Effective user input validation should be provided to prevent web attacks. Actually, due to in-sufficient validation, there exist input validation vulnerabilities. The general criteria to evaluate the methods of detecting input validation vulnerabilities are the completeness and effectiveness of the analysis on validating operations.Combining constraint extraction and constraint evaluation is a common approach to perform web vulnerability detection. Comparing to others, this approach could as-sess the quality of the extracted constraints, which can effectively reduce false posi-tives and improve accuracy. This thesis starts with a review on the two phrases of the approach, concluding that improvement is needed on the completeness of constraint extraction and the accuracy of constraint evaluation, and afterwards proposes an im-proved approach.1. Parameter validation mechanisms on web applications and input validation vul-nerabilities are analyzed. Then, as a basis of following research, validating oper-ations are classified, and the risk of input validation vulnerabilities are summa-rized as well as related attacks.2. The main techniques on analyzing input validation vulnerabilities are described and the corresponding theories and characteristics are summarized. The exist-ing approaches should be improved in the following ways. Firstly, traditional taint analysis cannot handle checking validations. Secondly, string analysis em-phasizes accuracy, regardless of efficiency when it is adopted on vulnerability detection. Finally, string analysis relies on attack patterns.3. An improved approach to detecting web input validation vulnerabilities is pro-posed. During validation extracting, domain-grained taint marking and taint-driven slicing are used to accurately track tainted data and their propagation path-s, help to identify all validating operations, especially the checking validations, which ensures the integrity of validation extraction. Validation classification and input character set partition are executed before using string analysis to evaluate the quality of validating operations. These preprocessing methods effectively re-duce the burden and complexity of the analysis. During string analysis, variable-related validation policy is used to facilitate string analysis, which could ease the reliance on attack patterns.4. A prototype tool called Valer is designed and implemented based on the de-scribed approach. Some open source PHP programs are selected for SQL and XSS vulnerability detection. The results show that the proposed approach can effectively enhance the analysis efficiency. |
PDF Full Text Request