Authors: Ricardo Morgado; Ibéria Medeiros and Nuno Neves
Affiliation: LASIGE, Faculty of Sciences, University of Lisboa, Portugal
Keyword(s): Web Application Vulnerabilities, Static Analysis, Code Correction, Software Security.
Abstract:
Web applications are commonly used to provide access to the services and resources offered by companies. However, they are known to contain vulnerabilities in their source code which, when exploited, can cause serious damage to organizations, such as the theft of millions of user credentials. For this reason, it is crucial to protect critical services, such as health care and financial services, with safe web applications. Often, vulnerabilities are left in the source code unintentionally by programmers who have insufficient knowledge of how to write secure code. For example, developers often employ the sanitization functions of the programming language, believing that these will defend their applications. However, some of those functions do not invalidate all attacks, leaving the applications vulnerable. This paper presents an approach and a tool capable of automatically correcting relevant classes of vulnerabilities (XSS and SQL Injection) in web applications. The tool was evaluated with both benchmark test cases and real code, and the results are very encouraging. They show that the tool can insert safe and correct fixes while maintaining the original behavior of the web applications in the vast majority of the cases.
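The pattern the abstract describes, an insufficient sanitizer beside the corrected form for each of the two vulnerability classes, as an added illustration that is not the paper's tool or code. It assumes Python and SQLite; every function name, the table and the sample inputs are constructed for this example.

```python
"""Added example (not the paper's tool): an insufficient sanitizer next to its
corrected form, for the two vulnerability classes the abstract names (XSS and
SQL injection). All names, inputs and the table are constructed."""
import html
import sqlite3

# --- XSS: escaping only angle brackets is not enough in attribute context -----
def weak_escape(value: str) -> str:
    """Mimics a sanitizer that handles '<' and '>' only (constructed)."""
    return value.replace("<", "&lt;").replace(">", "&gt;")

def safe_escape(value: str) -> str:
    """Corrected form: quotes are escaped too, so a value written into
    value="..." cannot terminate the attribute it lives in."""
    return html.escape(value, quote=True)

def fits_attribute(escaped: str) -> bool:
    """Check a corrector can apply: no raw quote may reach a quoted attribute."""
    return '"' not in escaped and "'" not in escaped

# --- SQL injection: quote-escaping vs. a bound parameter -----------------------
def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "user")])
    return con

def roles_weak(con: sqlite3.Connection, user_id: str):
    """'Before' code: escapes quotes, then concatenates into a numeric
    comparison, where quotes are irrelevant and the text is parsed as SQL.
    Returns None when the database rejects the resulting statement."""
    escaped = user_id.replace("'", "''")
    try:
        return con.execute(f"SELECT role FROM users WHERE id = {escaped}").fetchall()
    except sqlite3.OperationalError:
        return None

def roles_safe(con: sqlite3.Connection, user_id: str) -> list:
    """Corrected form: the value is bound, so it is only ever data.
    Benign input gives the same rows as before, preserving behavior."""
    return con.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchall()
```

For benign input both query variants return the same rows, which is the behavior-preservation property the evaluation checks; only the weak variant lets non-numeric text reach the SQL parser.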