Finding Vulnerabilities in Rich Internet Applications (Flex/AS3) Using Static Techniques

Authors: Sreenivasa Rao Basavala, Narendra Kumar, Alok Agarrwal

Journal: International Journal of Modern Education and Computer Science (IJMECS) @ijmecs

Published in issue: 1 vol.4, 2012.

Free access

The number and the importance of Rich Internet Applications (RIA) have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such RIA applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerability detection in Adobe Flex RIA Web 2.0 applications by means of static source code analysis. To this end, we present a novel, precise alias analysis targeted at the unique reference semantics commonly found in RIA-based web applications or widgets developed with the Adobe Flex Framework or ActionScript 3.0. Moreover, we enhance the quality and quantity of the generated vulnerability reports.


Application Security Analysis, Static Analysis, Taint Analysis, Vulnerability Detection in Flex, Static Techniques, ActionScript Security

Short URL: https://sciup.org/15010378

IDR: 15010378

Research article