ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Static approximation of dynamically generated Web pages
Full text PdfPdf (177 KB)
Source International World Wide Web Conference archive
Proceedings of the 14th international conference on World Wide Web table of contents
Chiba, Japan
SESSION: Trustworthy Web sites table of contents
Pages: 432 - 441  
Year of Publication: 2005
ISBN:1-59593-046-9
Author
Yasuhiko Minamide  University of Tsukuba, Tsukuba, Japan
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 19,   Downloads (12 Months): 106,   Citation Count: 17
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1060745.1060809
What is a DOI?

ABSTRACT

Server-side programming is one of the key technologies that support today's WWW environment. It makes it possible to generate Web pages dynamically according to a user's request and to customize pages for each user. However, the flexibility obtained by server-side programming makes it much harder to guarantee validity and security of dynamically generated pages.To check statically the properties of Web pages generated dynamically by a server-side program, we develop a static program analysis that approximates the string output of a program with a context-free grammar. The approximation obtained by the analyzer can be used to check various properties of a server-side program and the pages it generates.To demonstrate the effectiveness of the analysis, we have implemented a string analyzer for the server-side scripting language PHP. The analyzer is successfully applied to publicly available PHP programs to detect cross-site scripting vulnerabilities and to validate pages they generate dynamically.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
M. Achour, F. Betz, et~al. PHP Manual, 2005. http://www.php.net/docs.php.
2
B. Alpern , M. N. Wegman , F. K. Zadeck, Detecting equality of variables in programs, Proceedings of the 15th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.1-11, January 10-13, 1988, San Diego, California, United States  [doi>10.1145/73560.73561]
3
Véronique Benzaken , Giuseppe Castagna , Alain Frisch, CDuce: an XML-centric general-purpose language, Proceedings of the eighth ACM SIGPLAN international conference on Functional programming, p.51-63, August 25-29, 2003, Uppsala, Sweden
 
4
J. Berstel. Transductions and Context-Free Languages. Teubner Studienbucher, 1979.
5
Claus Brabrand , Anders Møller , Michael I. Schwartzbach, The <bigwig> project, ACM Transactions on Internet Technology (TOIT), v.2 n.2, p.79-114, May 2002  [doi>10.1145/514183.514184]
6
Aske Simon Christensen , Anders Møller , Michael I. Schwartzbach, Extending Java for high-level Web service construction, ACM Transactions on Programming Languages and Systems (TOPLAS), v.25 n.6, p.814-875, November 2003  [doi>10.1145/945885.945890]
 
7
A. S. Christensen, A. Moller, and M. I. Schwartzbach. Precise analysis of string expressions. In Proceedings of the Static Analysis Symposium (SAS), volume 2694 of LNCS, pages 1--18, 2003.
8
Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976  [doi>10.1145/360051.360056]
9
Dorothy E. Denning , Peter J. Denning, Certification of programs for secure information flow, Communications of the ACM, v.20 n.7, p.504-513, July 1977  [doi>10.1145/359636.359712]
 
10
Carl Gould , Zhendong Su , Premkumar Devanbu, Static Checking of Dynamically Generated Queries in Database Applications, Proceedings of the 26th International Conference on Software Engineering, p.645-654, May 23-28, 2004
11
Haruo Hosoya , Benjamin C. Pierce, XDuce: A statically typed XML processing language, ACM Transactions on Internet Technology (TOIT), v.3 n.2, p.117-148, May 2003  [doi>10.1145/767193.767195]
12
Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA  [doi>10.1145/988672.988679]
 
13
D. A. Ladd and J. C. Ramming. Programming the Web: An application-oriented language for hypermedia service programming. In Proceedings of the 4th International World Wide Web Conference, 1995.
 
14
X. Leroy. The Objective Caml system release 3.08: Documentation and user's manual, 2004. http://caml.inria.fr/index-eng.html.
 
15
David Melski , Thomas Reps, Interconvertibility of a class of set constraints and context-free-language reachability, Theoretical Computer Science, v.248 n.1-2, p.29-98, October 2000  [doi>10.1016/S0304-3975(00)00049-9]
 
16
M. Mohri and M.-J. Nederhof. Regular approximation of context-free grammars through transformation. In Robustness in Language and Speech Technology, pages 153--163, 2001.
 
17
Mehryar Mohri , Richard Sproat, An efficient compiler for weighted rewrite rules, Proceedings of the 34th annual meeting on Association for Computational Linguistics, p.231-238, June 24-27, 1996, Santa Cruz, California  [doi>10.3115/981863.981894]
 
18
Peter Ørbæk, Can you Trust your Data?, Proceedings of the 6th International Joint Conference CAAP/FASE on Theory and Practice of Software Development, p.575-589, May 22-26, 1995
 
19
P. Ørbæk , J. Palsberg, Trust in the λ-calculus, Journal of Functional Programming, v.7 n.6, p.557-591, November 1997  [doi>10.1017/S0956796897002906]
 
20
L. Quinn. WDG HTML validator. http://www.htmlhelp.com/tools/validator/.
 
21
T. Reps. Program analysis via graph reachability. Information and Software Technology, 40(11--12):701--726, 2000.
22
B. K. Rosen , M. N. Wegman , F. K. Zadeck, Global value numbers and redundant computations, Proceedings of the 15th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.12-27, January 10-13, 1988, San Diego, California, United States  [doi>10.1145/73560.73562]
 
23
N. Tabuchi, E. Sumii, and A. Yonezawa. Regular expression types for strings in a text processing language. In Proceedings of International Workshop on Types in Programming, ENTCS 75, 2002.
24
Peter Thiemann, Grammar-based analysis of string expressions, Proceedings of the 2005 ACM SIGPLAN international workshop on Types in languages design and implementation, p.59-70, January 10-10, 2005, Long Beach, California, USA  [doi>10.1145/1040294.1040300]
 
25
The W3C markup validation service. http://validator.w3.org/.
 
26
Larry Wall , Mike Loukides, Programming Perl, O'Reilly & Associates, Inc., Sebastopol, CA, 2000

CITED BY  17
Nenad Jovanovic , Christopher Kruegel , Engin Kirda, Precise alias analysis for static detection of web application vulnerabilities, Proceedings of the 2006 workshop on Programming languages and analysis for security, June 10-10, 2006, Ottawa, Ontario, Canada
Gary Wassermann , Dachuan Yu , Ajay Chander , Dinakar Dhurjati , Hiroshi Inamura , Zhendong Su, Dynamic test input generation for web applications, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
Úlfar Erlingsson , Benjamin Livshits , Yinglian Xie, End-to-end web application security, Proceedings of the 11th USENIX workshop on Hot topics in operating systems, p.1-6, May 07-09, 2007, San Diego, CA
Matthew Richardson , Amit Prakash , Eric Brill, Beyond PageRank: machine learning for static ranking, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland
Gary Wassermann , Zhendong Su, Sound and precise analysis of web applications for injection vulnerabilities, ACM SIGPLAN Notices, v.42 n.6, June 2007
Gary Wassermann , Zhendong Su, Static detection of cross-site scripting vulnerabilities, Proceedings of the 30th international conference on Software engineering, May 10-18, 2008, Leipzig, Germany
Shay Artzi , Adam Kiezun , Julian Dolby , Frank Tip , Danny Dig , Amit Paradkar , Michael D. Ernst, Finding bugs in dynamic web applications, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
William G. J. Halfond , Alessandro Orso, Automated identification of parameter mismatches in web applications, Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering, November 09-14, 2008, Atlanta, Georgia
Akihiko Tozawa , Michiaki Tatsubori , Tamiya Onodera , Yasuhiko Minamide, Copy-on-write in the PHP language, Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 21-23, 2009, Savannah, GA, USA
William G. J. Halfond, Web application modeling for testing and analysis, Proceedings of the 2008 Foundations of Software Engineering Doctoral Symposium, p.13-16, November 10-10, 2008, Atlanta, Georgia
Jason Sawin , Atanas Rountev, Improving static resolution of dynamic class loading in Java using dynamically gathered environment information, Automated Software Engineering, v.16 n.2, p.357-381, June 2009
Omer Tripp , Marco Pistoia , Stephen J. Fink , Manu Sridharan , Omri Weisman, TAJ: effective taint analysis of web applications, ACM SIGPLAN Notices, v.44 n.6, June 2009
Adam Kieyzun , Philip J. Guo , Karthick Jayaraman , Michael D. Ernst, Automatic creation of SQL Injection and cross-site scripting attacks, Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, p.199-209, May 16-24, 2009
Xiaoyin Wang , Lu Zhang , Tao Xie , Hong Mei , Jiasu Sun, Locating need-to-translate constant strings for software internationalization, Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, p.353-363, May 16-24, 2009
Emmanuel Geay , Marco Pistoia , Takaaki Tateishi , Barbara G. Ryder , Julian Dolby, Modular string-sensitive permission analysis with demand-driven precision, Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, p.177-187, May 16-24, 2009
Adam Kiezun , Vijay Ganesh , Philip J. Guo , Pieter Hooimeijer , Michael D. Ernst, HAMPI: a solver for string constraints, Proceedings of the eighteenth international symposium on Software testing and analysis, July 19-23, 2009, Chicago, IL, USA
Pieter Hooimeijer , Westley Weimer, A decision procedure for subset constraints over regular languages, ACM SIGPLAN Notices, v.44 n.6, June 2009

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.4 Software/Program Verification
          Subjects: Formal methods

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.4 Software/Program Verification
          Subjects: Validation

  F. Theory of Computation
  F.3 LOGICS AND MEANINGS OF PROGRAMS
      F.3.2 Semantics of Programming Languages
          Subjects: Program analysis


General Terms:
Languages, Security, Verification


Keywords:
HTML validation, context-free grammars, cross-site scripting, server-side scripting, static analysis

Collaborative Colleagues:
Yasuhiko Minamide: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player