Main navigation | Main content
Adam Chlipala. “Static checking of dynamically-varying security
policies in database-backed applications”. In Operating
Systems Design and Implementation (OSDI), pages 105–118,
Vancouver, BC, Canada, October 2010.
[USENIX]
Joe Gibbs Politz, Spiridon Aristides Eliopoulos, Arjun Guha, and
Shriram Krishnamurthi. “ADsafety: Type-based verification of
JavaScript sandboxing”. In USENIX Security Symposium, San
Francisco, CA, USA, August 2011.
[USENIX]
Question: The discussion section of the UrFlow (Chlipala) paper compares the protection that UrFlow (and the underlying Ur/Web) provide against the top 10 web security vulnerabilities as enumerated by OWASP. In regard to the categories of insecure direct object references (#4) and failure to restrict URL access (#8), the paper says that “UrFlow can enforce that appropriate checks are always performed whenever database objects are used in particular ways.” Fill in some of the details of this claim by describing an example of a possible vulnerability of one of these kinds (you may wish to refer to the OWASP descriptions), and explaining how an UrFlow policy would function to prevent it.
Mike Samuel, Prateek Saxena, and Dawn Song. “Context-sensitive
auto-sanitization in web templating languages using type
qualifiers”. In ACM Conference on Computer and Communications
Security (CCS), pages 587–600, Chicago, IL, USA, October
2011.
[ACM]
There are several challenges to the correct use of sanitizers to prevent cross-site-scripting is that different transformations are appropriate in different contexts within a web page (e.g., HTML versus JavaScript). This paper address this problem by taking advantage of a tightly structured template language.
Adam Barth, Juan Caballero, and Dawn Song. “Secure content
sniffing for web browsers, or how to stop papers from reviewing
themselves”. In IEEE Symposium on Security and Privacy
“Oakland”, pages 360–371, Oakland, CA, USA, May
2009.
[IEEE]
An obscure corner of web browser behavior opens a hole for eye-catching attacks, like the one alluded to in the alternate title. The solution is mostly more conservative design, but binary analysis and string constraint solving can help in generating attacks or verifying their absence.
Gary Wassermann and Zhendong Su. “Sound and precise analysis of
web applications for injection vulnerabilities”. In
Programming Language Design and Implementation (PLDI), pages
32–41, San Diego, CA, USA, June 2007.
[ACM]
Shay Artzi, Adam Kiezun, Julian Dolby, Frank Tip, Danny Dig, Amit
M. Paradkar, and Michael D. Ernst. “Finding bugs in dynamic web
applications”. In International Symposium on Software Testing
and Analysis (ISSTA), pages 261–272, Seattle, WA, USA, July
2008.
[ACM]