
A Survey on Control-Flow Integrity Means in Web Application Frameworks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8208)

Abstract

Modern web applications frequently implement complex control flows, which require users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harmful requests of their own. We analyze recent attacks on web applications with respect to such user-defined requests and identify their root cause in the missing explicit definition and enforcement of the intended control flow. Then, we evaluate the most prevalent web application frameworks in order to assess to what extent real-world web applications can use existing means to explicitly define and enforce intended control flows. While we find that all tested frameworks allow individual retrofit solutions, only one out of ten provides a dedicated control-flow integrity protection feature. Finally, we describe ways to equip web applications with control-flow integrity properties.
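The abstract locates the root cause in the unstated assumption that a user only follows the links the server offered. The following added example (not code from the paper or from any of the surveyed frameworks) shows what making that assumption explicit looks like on the server side: per session, the server remembers exactly which next actions it offered in the last response, binds each to a single-use token, and rejects any request that was not offered, that carries a token for a different action, or that reuses a consumed token. The checkout flow, route names and the `Session`, `render` and `handle` helpers are assumptions chosen for illustration.

```python
"""Explicit server-side control-flow enforcement for a multi-step workflow.

Added example, not code from the paper. Per session the server keeps the
set of actions it actually offered in its most recent response, one
single-use token per offered link or form, and accepts only requests
that match an offered (action, token) pair. This turns the implicit
"the user only follows our links" assumption into a checked invariant.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical checkout flow (constructed): state -> actions offered next.
FLOW = {
    "cart": ["address"],
    "address": ["payment", "cart"],
    "payment": ["confirm", "address"],
    "confirm": ["done"],
    "done": [],
}


@dataclass
class Session:
    state: str = "cart"
    # token -> action offered in the most recent response
    offered: Dict[str, str] = field(default_factory=dict)


def render(session: Session) -> Dict[str, str]:
    """Build the response for the current state.

    Every offered action gets a fresh, unguessable, single-use token.
    Returns action -> token, a stand-in for the hyperlinks/forms a real
    page would carry (e.g. as a query parameter or hidden field).
    """
    session.offered = {}
    links = {}
    for action in FLOW[session.state]:
        tok = secrets.token_urlsafe(16)
        session.offered[tok] = action
        links[action] = tok
    return links


def handle(session: Session, action: str,
           token: Optional[str]) -> Tuple[int, Optional[Dict[str, str]]]:
    """Process one request. Returns (HTTP status, links of the next page).

    A request passes only if (1) it carries a token the server issued in
    the previous response, (2) that token was issued for the very action
    requested, and (3) it is the first use of that token.
    """
    # (1)+(3): pop consumes the token, so a replay or a racing duplicate
    # of the same request finds nothing and is rejected.
    offered_action = session.offered.pop(token, None) if token else None
    if offered_action is None:
        return 403, None  # forced browsing, deep link, replay or race

    # (2): a valid token must not be paired with a different action;
    # otherwise the client could pick any step while holding one token.
    if offered_action != action:
        return 403, None

    # Committing to one transition invalidates the other links of the
    # page the user came from; the flow moves forward deterministically.
    session.offered.clear()
    session.state = action
    return 200, render(session)
```

Because every state transition must be anchored in a token the server emitted, a request that skips a step, revisits a page with stale links, or submits the same form twice is refused regardless of whether the framework route for the target action is otherwise reachable. The cost is the usual one for this class of mechanism: tokens must be stored per session and pages cannot be bookmarked mid-flow.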



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Braun, B., Pollak, C.v., Posegga, J. (2013). A Survey on Control-Flow Integrity Means in Web Application Frameworks. In: Riis Nielson, H., Gollmann, D. (eds) Secure IT Systems. NordSec 2013. Lecture Notes in Computer Science, vol 8208. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41488-6_16

  • DOI: https://doi.org/10.1007/978-3-642-41488-6_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41487-9

  • Online ISBN: 978-3-642-41488-6

  • eBook Packages: Computer Science (R0)
