Detecting vulnerabilities in web applications
First Claim
1. A method comprising:
- determining, via one or more computing devices, one or more values associated with a web application that flow to response data associated with the web application, wherein the one or more values are modifiable by unreliable input, wherein the one or more values modifiable by the unreliable input that flow to the response data associated with the web application are determined via, at least in part, a server-side taint analysis algorithm;
determining whether there is a path reaching a statement that renders data to the response data;
marking a value of the one or more values flowing into the response data as untrusted in response to determining that there is a path reaching the statement that renders data to the response data;
generating, via the one or more computing devices, an abstract representation of the response data associated with the web application generated via, at least in part, a string analysis algorithm that approximates at least one of a string output of the response data associated with the web application with a context-free grammar and a logical formula; and
determining, via the one or more computing devices, one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, the abstract representation of the response data associated with the web application, and a taint analysis algorithm operating on the abstract representation of the response data.
1 Assignment
0 Petitions
Accused Products
Abstract
A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application.
11 Citations
8 Claims
-
1. A method comprising:
-
determining, via one or more computing devices, one or more values associated with a web application that flow to response data associated with the web application, wherein the one or more values are modifiable by unreliable input, wherein the one or more values modifiable by the unreliable input that flow to the response data associated with the web application are determined via, at least in part, a server-side taint analysis algorithm; determining whether there is a path reaching a statement that renders data to the response data; marking a value of the one or more values flowing into the response data as untrusted in response to determining that there is a path reaching the statement that renders data to the response data; generating, via the one or more computing devices, an abstract representation of the response data associated with the web application generated via, at least in part, a string analysis algorithm that approximates at least one of a string output of the response data associated with the web application with a context-free grammar and a logical formula; and determining, via the one or more computing devices, one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, the abstract representation of the response data associated with the web application, and a taint analysis algorithm operating on the abstract representation of the response data. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method comprising:
receiving, at a user computing device, an indication of one or more potentially vulnerable portions of a document object model associated with a response HTML from a web application, the indication based upon, at least in part; one or more values modifiable by unreliable input that flows to the response HTML and are determined, at least in part, by a first taint analysis algorithm, wherein the first taint analysis algorithm is a server-side taint analysis algorithm; determining whether there is a path reaching a statement that renders data to the response data; marking a value of the one or more values flowing into the response data as untrusted in response to determining that there is a path reaching the statement that renders data to the response data; and an abstract representation of the response HTML generated, at least in part, by a string analysis algorithm that approximates at least one of a string output of the response data associated with the web application with a context-free grammar and a logical formula; and determining, via the user computing device, whether unreliable input has flown to the response HTML and compromised security of the web application by running a second taint analysis algorithm informed by the indication of one or more potentially vulnerable portions of the document object model associated with the response HTML from the web application, wherein the second taint analysis algorithm is a taint analysis algorithm.
Specification