Patching web application vulnerabilities with optimal word correction algorithm

Bibliographic Details
Main Authors: Shueh, Ching Yuan, 薛慶源
Other Authors: Yu, Fang
Format: Others
Language: en_US
Online Access: http://ndltd.ncl.edu.tw/handle/74474499757379503327
Description
Summary: Master's thesis === National Chengchi University === Graduate Institute of Management Information Systems === academic year 102 (ROC calendar) === The security of web applications is a constant concern for users, because vulnerabilities can cause large financial and privacy losses. We want to provide an online service, open to public users, to which they can upload their code to check it for potential vulnerabilities. Moreover, if vulnerabilities exist that may cause damage, the service guides users step by step through a simple way of editing their code. In this thesis, we propose an optimal word correction approach for patching string-related vulnerabilities in web applications. In brief, we synthesize patches that sanitize malicious inputs into benign ones with the shortest edit distance. The analysis consists of two phases. First, we use Stranger, an automata-based static string analysis tool, to detect vulnerabilities in web applications and to generate sanitization signatures: automata that accept the non-malicious inputs and serve as an input filter ensuring that the vulnerabilities cannot be exploited with respect to the given attack patterns. Second, we adopt shortest edit-distance algorithms between words and automata to find the minimum-cost way, measured in edit distance, to patch malicious inputs. A malicious input (one not accepted by the sanitization signature) is replaced with a non-malicious string that differs from the original input by the minimum number of character changes. We integrate the presented approach with Stranger and report experimental results on various web applications.
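The second phase described in the abstract, shortest edit distance between a word and an automaton, in miniature. This is an added example written for this record; it is not code from the thesis or from Stranger. The sanitization signature is a hand-built DFA that rejects any string containing a constructed attack pattern, "<script", standing in for the richer signatures Stranger derives; the printable-ASCII alphabet, the pattern, and the sample inputs are assumptions of this example. The correction itself is the dynamic program of Wagner's 1974 word-to-regular-language algorithm: for each prefix of the input and each DFA state it keeps the cheapest edit script that drives the automaton into that state, with insertions settled by a Dijkstra pass within each column because they consume no input.

```python
import heapq
from typing import Dict, List, Optional, Set, Tuple

# Alphabet of the signature: printable ASCII (an assumption of this example).
ALPHABET = [chr(c) for c in range(32, 127)]

# A DFA is (transition table, accepting states); the start state is always 0.
Dfa = Tuple[List[Dict[str, int]], Set[int]]


def forbidden_substring_dfa(pattern: str) -> Dfa:
    """Constructed sanitization signature: accepts every string over ALPHABET
    that does NOT contain `pattern`.  State q < len(pattern) means the last q
    characters read match pattern[:q]; state len(pattern) is an absorbing dead
    state entered once the pattern has been seen (KMP automaton)."""
    m = len(pattern)
    fail = [0] * m  # KMP failure function
    k = 0
    for i in range(1, m):
        while k > 0 and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    trans: List[Dict[str, int]] = [{} for _ in range(m + 1)]
    for q in range(m + 1):
        for a in ALPHABET:
            if q == m:
                trans[q][a] = m
                continue
            k = q
            while k > 0 and a != pattern[k]:
                k = fail[k - 1]
            trans[q][a] = k + 1 if a == pattern[k] else k
    return trans, set(range(m))


def accepts(word: str, dfa: Dfa) -> bool:
    trans, accepting = dfa
    q = 0
    for ch in word:
        if ch not in trans[q]:  # character outside the alphabet: rejected
            return False
        q = trans[q][ch]
    return q in accepting


def closest_accepted(word: str, dfa: Dfa, ins: int = 1, dele: int = 1,
                     sub: int = 1) -> Optional[Tuple[str, int]]:
    """Optimal word correction: the accepted string with minimum edit distance
    to `word`, plus that distance.  cost[i][q] is the cheapest way to edit
    word[:i] into a string that drives the DFA from state 0 to q; back[i][q]
    is (previous column, previous state, emitted character or None for a
    deletion), used to rebuild the patched string."""
    trans, accepting = dfa
    n, nstates = len(word), len(trans)
    INF = float("inf")
    cost = [[INF] * nstates for _ in range(n + 1)]
    back: List[List[Optional[Tuple[int, int, Optional[str]]]]] = \
        [[None] * nstates for _ in range(n + 1)]
    cost[0][0] = 0

    def relax_insertions(i: int) -> None:
        # Inserting `a` moves q -> trans[q][a] without consuming input, so
        # insertions chain inside one column; Dijkstra settles them.
        heap = [(cost[i][q], q) for q in range(nstates) if cost[i][q] < INF]
        heapq.heapify(heap)
        while heap:
            c, q = heapq.heappop(heap)
            if c > cost[i][q]:
                continue
            for a in ALPHABET:
                r = trans[q][a]
                if c + ins < cost[i][r]:
                    cost[i][r] = c + ins
                    back[i][r] = (i, q, a)
                    heapq.heappush(heap, (c + ins, r))

    relax_insertions(0)
    for i in range(1, n + 1):
        ch = word[i - 1]  # if ch is outside ALPHABET it can only be deleted/substituted
        for q in range(nstates):
            c = cost[i - 1][q]
            if c == INF:
                continue
            if c + dele < cost[i][q]:  # delete word[i-1], stay in q
                cost[i][q] = c + dele
                back[i][q] = (i - 1, q, None)
            for a in ALPHABET:  # keep word[i-1] at cost 0, or substitute `a`
                r = trans[q][a]
                step = 0 if a == ch else sub
                if c + step < cost[i][r]:
                    cost[i][r] = c + step
                    back[i][r] = (i - 1, q, a)
        relax_insertions(i)

    best = min(accepting, key=lambda q: cost[n][q])
    if cost[n][best] == INF:
        return None
    out: List[str] = []
    i, q = n, best
    while (i, q) != (0, 0):
        i, q, a = back[i][q]
        if a is not None:
            out.append(a)
    return "".join(reversed(out)), cost[n][best]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to check that the reported cost is exact."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


if __name__ == "__main__":
    sig = forbidden_substring_dfa("<script")  # constructed attack pattern
    malicious = "hi <script>alert(1)</script>"  # constructed sample input
    print(accepts(malicious, sig), closest_accepted(malicious, sig))
```

With unit costs the patch for the sample input costs 1 (one character of the "<script" occurrence is removed or replaced); ties between equally cheap patches are broken by scan order, so a deployment would add a preference, such as deleting rather than substituting, if determinism matters. The cost parameters let a signature weight insertions, deletions and substitutions differently, and the distance reported by `closest_accepted` is exact for the returned string, which `levenshtein` can confirm.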