The main contributions of this dissertation can be summarized as follows:
1. We present a new modular verification framework for analyzing and repairing input val- idation and sanitization code in web applications. The framework simplifies the verifi- cation process by separating the extraction, modeling and verification of input validation and sanitization functions.
2. We present a new formal specification for string related input validation and sanitization functions that are used in web applications.
3. We present a new Input Validation and sSanitization Language called IVSL that is capa- ble of capturing the semantics of string related input validation and sanitization opera- tions in different programming languages.
4. We present a new dynamic technique to extract input validation and sanitization functions from JavaScript into IVSL.
5. We present an automata-based symbolic string analysis framework for IVSL programs to 1) conservatively compute all possible output values assuming any input value, 2) conservatively compute all possible input values given a preferred set of output values and 3) conservatively compute the set of possibly rejected inputs.
6. We present a set of novel language-based algorithms to model string-related branch con- ditions in input validation and sanitization functions.
7. We present a set of novel language-based replace algorithms to efficiently and precisely model specialized string replace operations that are commonly used in input sanitization in web applications.
8. We present new policy-based techniques to automatically discover, generate counter ex- amples and repair bugs and vulnerabilities in web applications.
9. We present a new semantic differential analysis and repair algorithm that is capable of au- tomatically detecting and repairing differences between client-client, client-server and/or server-server input validation and sanitization code in a web application.
10. We extend LIBSTRANGER which is an efficient symbolic automata manipulation library and present two automatic bug detection and repair tools for web applications called
Modeling and Extraction of Sanitizer
Functions
In this chapter we explain the first phase of our verification process which is the extraction phase. We start by formally specifying what we mean by input validation and sanitization functions. Then, we introduce a new intermediate language called Input Validation and San- itization Language (IVSL) that allows us to have a unified language-agnostic framework for analyzing different input validation and sanitization functions extracted from different pro- gramming languages. After that, we show static and dynamic techniques that we developed to extract input validation and sanitization code, that is written in JavaScript, PHP and Java, from web applications into IVSL functions.
1 function validateEmail(inputField, helpText){ 2 if (!/.+/.test(inputField.value)) { 3 return false; 4 } 5 else { 6 if ( !/^[a-zA-Z0-9\.-_\+]+@[a-zA-Z0-9-]+(\.[a-zA-Z0-9] {2,3})+$/.test(inputField.value)) { 7 return false; 8 } 9 else { 10 return true; 11 } 12 } 13 }
Figure 2.1: An example of a JavaScript pure validator.
2.1
Formal Modeling of Sanitizer Functions
Input validation and sanitization operations in web applications can be characterized us- ing three types of functions: 1) pure validator, 2) pure sanitizer and 3) validating-sanitizer functions [2]. Each of these three types of functions can further be characterized as either a single-input or multi-input functions. We first define the single-input version of each of the three function types then generalize the definition to multi-input functions.
A single-input pure validator is a total function:
Fv : Σ∗ → {⊥, >}
that takes a string s ∈ Σ∗ and returns either > indicating that the string is valid and should be
accepted or ⊥ indicating the string is not valid and should be rejected. A multi-input pure validator is a total function:
1 function escape($x){
2 $x = preg_replace(’/"/’, ’\"’, $x);
3 return $x;
4 }
Figure 2.2: An example of a PHP pure sanitizer function.
that takes a tuple of strings (s1, s2, . . . , sn) ∈ (Σ∗)n and returns either > indicating that all
these strings are valid and should be accepted or ⊥ indicating one of the strings si is not valid
and hence the tuple (s1, s2, . . . , sn) should be rejected.
Note that, a pure validator does not change the value of the input string, it either accepts or rejects it as it is. Figure 2.1 shows a JavaScript single-input pure validator that validates email addresses. The function makes sure that the email address is not empty (line 2) and that it matches the regular expression for valid email addresses (line 6). If these two conditions are satisfied then it accepts the input by returning true (line 10) otherwise it rejects it by returning false (lines 3,7). Notice that the email address value is not modified by the function.
A single-input pure sanitizer is a total function:
Fs: Σ∗ → Σ∗
that maps an input string s ∈ Σ∗to an output string s0 ∈ Σ∗.
A multi-input pure sanitizer is a total function:
Fs: (Σ∗)n→ Σ∗
that maps an input tuple of strings (s1, s2, . . . , sn) ∈ (Σ∗)nto an output string s0 ∈ Σ∗.
Note that, a pure sanitizer does not reject any input string, however, it may modify some of the input strings. Figure 2.2 shows a PHP single-input pure sanitizer function. The function
1 function reference_function($x){ 2 if (strlen($x) > 4) 3 exit(); 4 else { 5 $x = preg_replace(’/</’, ’’, $x); 6 if ($x == ’’) 7 exit(); 8 else 9 return $x; 10 } 11 }
Figure 2.3: An example of a PHP validating sanitizor function.
modifies its input by escaping each "character with a\ character (line 2) then it returns the
new modified value. Notice that the function does not reject any invalid input that contains the
character".
A single-input validating-sanitizer is a function:
Fvs : Σ∗ → {⊥} ∪ Σ∗
that takes an input string s ∈ Σ∗ and either returns ⊥ indicating that s is invalid or maps s to
output string s0 ∈ Σ∗.
A multi-input validating-sanitizer is a function:
Fvs : (Σ∗)n→ {⊥} ∪ Σ∗
that takes a tuple of strings (s1, s2, . . . , sn) ∈ (Σ∗)n and either returns ⊥ indicating that one
or more of the string values si is invalid or maps (s1, s2, . . . , sn) to output string s0 ∈ Σ∗ by
modifying and/or combining one or more of the components si of the input tuple.
Note that, a validating-sanitizer may reject some inputs and modify some others. For the rest of the dissertation we call a validating-sanitizer function a sanitizer for short. We model
all input validation and sanitization operations in web applications as sanitizers. Note that, one can simulate a pure validator using a sanitizer: If an input is rejected by the validator, it is rejected by the sanitizer and if it is accepted by the validator it is returned without modification by the sanitizer. Obviously, any pure sanitizer is also a sanitizer that never rejects an input. Hence, by just focusing on sanitizers we are able to analyze all three types of behavior.
Figure 2.3 shows an example of a PHP single input validating-sanitizer function. The function validates the length of the input on line 2. Then, it sanitizes the input by deleting the
character<on line 5. Finally, the function validates the result again to make sure it is not empty
on line 6. This shows how input validation and sanitization operations are mixed together in a validating-sanitizer.
2.1.1
Input Validation vs. Sanitization in practice
Some examples of validation operations in practice include functions such as PHP function
preg_match, JavaScript functionindexofand Java functioncontainswhich are utilized usu-
ally through branch conditions. Examples of sanitization operations are JavaScript and Java
replacefunctions and PHP functionstrim, addslashesandhtmlspecialchars.
Based on our observation of input validation and sanitization in web applications, we no- ticed a relationship between data read and write operations and the usage of either input vali- dation or input sanitization. In case of a data read operation that will not change the backend database, input sanitization can be used to convert malicious user inputs into benign ones.
This should not affect the database since these sanitized values will be only used to query the database but not to change its state.
In case of a data write operation that will change the backend database, the use of validation vs. sanitization depends on weather or not the input value is used later to query the database. If the value is going to be used later to query the database, then input validation is used to make sure that the input is in a correct format that matches the format of the data type expected by the database. For example, when signing up in a website, input fields such as username are usually validated only and not sanitized. The reason is that, when a sanitizer modifies a
usernamevalue during signup without the user knowledge, the user may not be able to use the
original value s/he signed up with to login. Preventing attack strings that may come through these fields is done by validation operations. On the other hand, input fields for contents, such as messages in a forum, are only sanitized even when they are entered into the database since they are not used to query the database later on.