Automated Detection of Client-State Manipulation Vulnerabilities

Web application programmers must be aware of a wide range of potential security risks. Although the most common pitfalls are well described and categorized in the literature, it remains a challenging task to ensure that all guidelines are followed. For this reason, it is desirable to construct automated tools that can assist the programmers in the application development process by detecting weaknesses. Many vulnerabilities are related to web application code that stores references to application state in the generated HTML docu-ments to work around the statelessness of the HTTP protocol. In this article, we show that such client-state manipulation vulnerabilities are amenable to tool-supported detection. We present a static analysis for the widely used frameworks Java Servlets, JSP, and Struts. Given a web application archive as input, the analysis identifies occurrences of client state and infers the information flow between the client state and the shared application state on the server. This makes it possible to check how client-state manipulation performed by malicious users may affect the shared application state and cause leakage or modifications of sensitive information. The warnings produced by the tool help the applica-tion programmer identify vulnerabilities before deployment. The inferred information can also be applied to configure a security filter that automatically guards against attacks at runtime. Experiments on a collection of open-source web applications indicate that the static analysis is able to effectively help the programmer prevent client-state manipulation vulnerabilities. The analysis detects a total of 4,802 client-state parame-ters in the 10 applications, whereof 4,437 are classified as safe and 241 reveal exploitable vulnerabilities