Ecole d'ingénieur et centre de recherche en télécommunications

Saner: composing static and dynamic analysis to validate sanitization in web applications

Balzarotti, Davide; Cova, Marco; Felmetsger, Vika; Jovanovic, Nenad; Kirda, Engin; Krügel, Christopher; Vigna, Giovanni

SP 2008, IEEE Symposium on Security and Privacy, May 18-21, 2008, Oakland, USA

Web applications are ubiquitous, perform missioncritical tasks, and handle sensitive user data. Unfortunately, web applications are often implemented by developers with limited security skills, and, as a result, they contain vulnerabilities. Most of these vulnerabilities stem from the lack of input validation. That is, web applications use malicious input as part of a sensitive operation, without having properly checked or sanitized the input values prior to their use. Past research on vulnerability analysis has mostly focused on identifying cases in which a web application directly uses external input in critical operations. However, little research has been performed to analyze the correctness of the sanitization process. Thus, whenever a web application applies some sanitization routine to potentially malicious input, the vulnerability analysis assumes that the result is innocuous. Unfortunately, this might not be the case, as the sanitization process itself could be incorrect or incomplete. In this paper, we present a novel approach to the analysis of the sanitization process. More precisely, we combine static and dynamic analysis techniques to identify faulty sanitization procedures that can be bypassed by an attacker. We implemented our approach in a tool, called Saner, and we applied it to a number of real-world applications. Our results demonstrate that we were able to identify several novel vulnerabilities that stem from erroneous sanitization procedures.

Document Doi Bibtex

Titre:Saner: composing static and dynamic analysis to validate sanitization in web applications
Département:Sécurité numérique
Eurecom ref:2521
Copyright: © 2008 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Bibtex: @inproceedings{EURECOM+2521, doi = { }, year = {2008}, title = {{S}aner: composing static and dynamic analysis to validate sanitization in web applications}, author = {{B}alzarotti, {D}avide and {C}ova, {M}arco and {F}elmetsger, {V}ika and {J}ovanovic, {N}enad and {K}irda, {E}ngin and {K}r{\"u}gel, {C}hristopher and {V}igna, {G}iovanni}, booktitle = {{SP} 2008, {IEEE} {S}ymposium on {S}ecurity and {P}rivacy, {M}ay 18-21, 2008, {O}akland, {USA}}, address = {{O}akland, {\'{E}}{TATS}-{UNIS}}, month = {05}, url = {} }
Voir aussi: