Patching web application vulnerabilities with optimal word correction algorithm

Master's === National Chengchi University === Graduate Institute of Information Management === 102 === The security of web applications is a constant concern for users, because vulnerabilities can cause huge financial loss and loss of privacy. We want to provide an online service, open to public users, where they can upload their code to check for po...


Bibliographic Details
Main Authors: Shueh, Ching Yuan, 薛慶源
Other Authors: Yu, Fang
Format: Others
Language: en_US
Online Access: http://ndltd.ncl.edu.tw/handle/74474499757379503327
id ndltd-TW-102NCCU5396019
record_format oai_dc
spelling ndltd-TW-102NCCU5396019 2017-01-14T04:15:16Z http://ndltd.ncl.edu.tw/handle/74474499757379503327 Patching web application vulnerabilities with optimal word correction algorithm 網頁弱點最佳化補強 (Optimized patching of web page vulnerabilities) Shueh, Ching Yuan 薛慶源 Master's, National Chengchi University, Graduate Institute of Information Management, 102 Yu, Fang 郁方 Degree thesis ; thesis 44 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
description Master's === National Chengchi University === Graduate Institute of Information Management === 102 === The security of web applications is a constant concern for users, because vulnerabilities can cause huge financial loss and loss of privacy. We want to provide an online service, open to public users, where they can upload their code to check for potential vulnerabilities. Moreover, if vulnerabilities exist that may cause damage, the service guides users step by step through an easy way to edit their code. In this paper, we propose an optimal word correction approach for patching string-related vulnerabilities in web applications. In brief, we synthesize patches that sanitize malicious inputs into normal ones with the shortest edit distance. The analysis consists of two phases. First, we use an automata-based static string analysis technique called Stranger to detect vulnerabilities in web applications and to generate sanitization signatures that accept non-malicious inputs, each serving as an input filter that ensures the vulnerabilities are not exploited with respect to the given attack patterns. Second, we adopt shortest edit-distance algorithms between words and automata to find a minimum-cost way, measured in edit distance, to patch malicious inputs. A malicious input (one not accepted by the sanitization signature) is replaced with a non-malicious string that has the minimum change of characters from the original input. We integrate the presented approach with Stranger and report the results of experiments on various web applications.