
(e.g., Iter, alias, worklist) to be the propagator for the flow analysis. In our ONLINE ANALYZER, we chose the worklist algorithm as the propagator because it is an efficient algorithm for program analysis. The ONLINE ANALYZER module produces its own analysis results, and those results may contain false positive alarms.

We regard these results as potential vulnerabilities and compare them with the TAINT TRACKER's results.
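The worklist propagator chosen above, shown as an added example (this is not the thesis's ONLINE ANALYZER code): a forward may-taint analysis driven by a worklist over a small constructed control-flow graph. The statement forms, the variable names and the graph are all constructed for illustration. Because the join at a merge point is set union, the sink at node 4 is reported even though one of its incoming paths sanitizes the value; that is exactly the kind of potential-vulnerability result that the text says must afterwards be compared against TAINT TRACKER's dynamic observation.

```python
"""Worklist-driven forward taint propagation over a small control-flow graph.

Added example, not the thesis's ONLINE ANALYZER. The CFG, the statement
forms and the source/sink names below are constructed for illustration.
"""
from collections import deque

# Constructed CFG: node id -> (statement, successor node ids).
# Statement forms: ("source", var)       var receives untrusted input
#                  ("assign", dst, src)  dst is computed from src
#                  ("sanitize", var)     var is cleaned
#                  ("sink", var)         var reaches a sensitive operation
#                  ("nop",)              no effect on taint
SAMPLE_CFG = {
    0: (("source", "name"), [1]),
    1: (("assign", "query", "name"), [2, 3]),
    2: (("sanitize", "query"), [4]),   # one path cleans the value ...
    3: (("nop",), [4]),                # ... the other does not
    4: (("sink", "query"), []),
}


def transfer(stmt, tainted):
    """Apply one statement to the set of tainted variables (gen/kill)."""
    out = set(tainted)
    kind = stmt[0]
    if kind == "source":
        out.add(stmt[1])
    elif kind == "assign":
        _, dst, src = stmt
        if src in out:
            out.add(dst)
        else:
            out.discard(dst)
    elif kind == "sanitize":
        out.discard(stmt[1])
    return out


def worklist_taint(cfg):
    """Iterate to a fixpoint with a worklist; returns (IN sets, OUT sets).

    Every node is processed at least once; afterwards a node is re-queued
    only when a predecessor enlarged its IN set. Since the join is set
    union and the domain is finite, the iteration terminates.
    """
    in_sets = {n: set() for n in cfg}
    out_sets = {n: set() for n in cfg}
    work = deque(cfg)          # initial worklist: all nodes, in order
    queued = set(cfg)
    while work:
        n = work.popleft()
        queued.discard(n)
        stmt, succs = cfg[n]
        out_sets[n] = transfer(stmt, in_sets[n])
        for s in succs:
            merged = in_sets[s] | out_sets[n]
            if merged != in_sets[s]:
                in_sets[s] = merged
                if s not in queued:
                    work.append(s)
                    queued.add(s)
    return in_sets, out_sets


def find_tainted_sinks(cfg):
    """Node ids of sinks whose argument may be tainted (potential alarms)."""
    in_sets, _ = worklist_taint(cfg)
    return sorted(n for n, (stmt, _) in cfg.items()
                  if stmt[0] == "sink" and stmt[1] in in_sets[n])


if __name__ == "__main__":
    print("potential vulnerabilities at nodes:", find_tainted_sinks(SAMPLE_CFG))
```

The over-approximation is deliberate: a sink is reported whenever any path can carry taint to it, so the static result is a superset of what the dynamic TAINT TRACKER will see on the executed paths.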

4.3 PROGRAM EXECUTOR

Our system is a kind of dynamic analysis system, so the web application must be executed as completely as possible for the analysis result to be complete. This is not an easy task. We designed the PROGRAM EXECUTOR module to address this incompleteness problem. The PROGRAM EXECUTOR module provides two approaches to execute the programs: 1) execute the web application with mock HTTP request and response objects. This approach does not require the web program to be deployed in a web container and is specially designed for simple Java servlet web applications; 2) execute the web application with formatted URLs. In this case, the program must be deployed in a web container. Figure 4.6 depicts the scenario of these two approaches.

Figure 4.6: Scenario of program executor

For executing a web program, we need to know which associated resource (URL) in the back-end each HTML form refers to and which fields each HTML form contains. We propose a novel way to find this information in Java web applications. We introduce our techniques in the following section.

4.3.1 Gathering the Information of HTML Forms

The web crawler is a prevalent technique to collect HTML information; it can gather the form information on each HTML file. One drawback of the web crawler is that there are plenty of client-side languages (e.g., JavaScript, CSS, Ajax), and a web crawler becomes inefficient when it encounters them. We propose a novel way to retrieve the form information. We observed the behavior of web applications and found that each form on the client side corresponds to a series of business logic on the server side, i.e., an execution path. The fields of the form are accessed along that execution path in the back-end. Hence we decided to give up the ordinary way of crawling HTML files with a traditional web crawler and instead examine the code directly to retrieve the form information.

There are two major advantages of directly examining the back-end program code for these HTML form fields.

1. Our approach can discover the fields of dynamic forms which are hard-coded in the back-end program or stored in the database; a web crawler cannot discover these kinds of fields.

2. Our approach examines less code than a web crawler because many forms in HTML files may be associated with the same servlet in the back-end.

However, examining all the code in a web application to retrieve these attributes is tedious work. Thus we have to narrow down the scope for finding these fields. We choose to utilize the information produced by the compiler when it weaves the TAINT TRACKER aspect into the web application. When a statement tries to access a field in the back-end, it has to know the field name as the key to access the field's value. For example:

    String value = req.getParameter(FIELD_NAME);

Such statements match the signatures of the source pointcuts in our TAINT TRACKER aspect. So we gather the weaving information of the source pointcut and use Soot to load the source files of the classes listed in the weaving information. The PROGRAM EXECUTOR module parses these source files and collects all the string declarations in each class as candidate field names. Once the PROGRAM EXECUTOR module has the information of each HTML form, it can start to build the mock objects for HTTP requests or the formatted URL patterns.

4.3.2 Parsing Web Configuration XML File

In a Java web application, every HTML form is associated with a single servlet as the entrance to the back-end program. The mappings between entrance servlets and HTML forms are defined in the web configuration XML file as follows.

    <servlet>
      <servlet-name>interbranch1</servlet-name>
      <servlet-class>nccu.plsm.testing.interbranch1</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>interbranch1</servlet-name>
      <url-pattern>/interbranch1</url-pattern>
    </servlet-mapping>

The XML file illustrated above is a typical example of a web configuration file. It defines the mappings from URL patterns to the corresponding servlet classes. PROGRAM EXECUTOR parses the XML file to retrieve each entrance servlet class and executes the entrance servlets directly instead of executing the program by submitting HTML forms to a web server. Once the PROGRAM EXECUTOR has gathered the information of the entrance servlets, it starts to execute the program sequentially.
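The two steps of Sections 4.3.1 and 4.3.2 combined, as an added example that is not the thesis's PROGRAM EXECUTOR (which relies on Soot and the TAINT TRACKER weaving information rather than on the text scanning used here): the web.xml mappings are parsed to pair each URL pattern with its servlet class, the servlet source is scanned for the keys passed to `getParameter`, identifiers are resolved through the class's string constants, and one formatted URL per entrance servlet is built in the style of approach 2. The web.xml fragment reuses the servlet name and class from the text; the servlet source, the extra `/missing` mapping and the field values are constructed. Unlike the thesis, which keeps every string declaration as a candidate field, this example narrows the set to the constants actually used as `getParameter` keys.

```python
"""Build formatted request URLs for a servlet web application from its
web.xml servlet mappings and the field names its servlet source reads.

Added example, not the thesis's PROGRAM EXECUTOR. Servlet name and class
follow the text; the servlet source and the second mapping are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed web.xml. The second mapping deliberately refers to a servlet
# that is never declared, to show how a dangling mapping is reported.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>interbranch1</servlet-name>
    <servlet-class>nccu.plsm.testing.interbranch1</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>interbranch1</servlet-name>
    <url-pattern>/interbranch1</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>missing</servlet-name>
    <url-pattern>/missing</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed servlet source: one field read through a string constant,
# one through a literal, plus a string constant that is not a field name.
SAMPLE_SOURCE = """
public class interbranch1 extends HttpServlet {
    private static final String FIELD_NAME = "account";
    private static final String GREETING = "hello";
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
        String value = req.getParameter(FIELD_NAME);
        String amount = req.getParameter("amount");
    }
}
"""


def parse_servlet_mappings(web_xml):
    """Return ({url-pattern: servlet-class}, [patterns with no <servlet>])."""
    root = ET.fromstring(web_xml)
    classes = {s.findtext("servlet-name"): s.findtext("servlet-class")
               for s in root.iter("servlet")}
    mappings, unresolved = {}, []
    for m in root.iter("servlet-mapping"):
        name, pattern = m.findtext("servlet-name"), m.findtext("url-pattern")
        if name in classes:
            mappings[pattern] = classes[name]
        else:
            unresolved.append(pattern)
    return mappings, unresolved


# String constants declared in the class, and getParameter(...) call sites
# whose argument is either a literal or an identifier.
_CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
_PARAM_RE = re.compile(r'getParameter\(\s*(?:"([^"]*)"|(\w+))\s*\)')


def extract_field_names(source):
    """Field names the servlet reads, in order of first use, with
    identifiers resolved through the class's string constants."""
    constants = dict(_CONST_RE.findall(source))
    fields = []
    for literal, ident in _PARAM_RE.findall(source):
        name = literal if literal else constants.get(ident)
        if name and name not in fields:
            fields.append(name)
    return fields


def build_request_urls(web_xml, source_by_class, values):
    """One formatted URL per mapped servlet (approach 2 in the text), with
    every discovered field filled from `values`; unresolved mappings are
    returned alongside so they are not silently skipped."""
    mappings, unresolved = parse_servlet_mappings(web_xml)
    urls = {}
    for pattern, cls in mappings.items():
        fields = extract_field_names(source_by_class.get(cls, ""))
        query = urlencode([(f, values.get(f, "")) for f in fields])
        urls[pattern] = pattern + ("?" + query if query else "")
    return urls, unresolved


if __name__ == "__main__":
    sources = {"nccu.plsm.testing.interbranch1": SAMPLE_SOURCE}
    urls, unresolved = build_request_urls(
        SAMPLE_WEB_XML, sources, {"account": "alice", "amount": "100"})
    print(urls, unresolved)
```

For approach 1 the same `extract_field_names` result is what a mock request object would serve from `getParameter`; the URL builder is shown because it is the step that needs the web.xml mapping.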

Chapter 5

Evaluation

We have conducted several experiments by applying our analyzer to some open source Java web applications. First we examine the correctness of our analyzer; we chose the Securibench Micro benchmark for this purpose. We also describe the difficulties our analyzer encountered with Java web applications in the MVC architecture. In the rest of the chapter, we summarize the experiments with real-life Java web applications and describe the vulnerabilities we found.
