1. Field
The present embodiments generally relate to techniques for providing security for web applications. More specifically, the present embodiments relate to a method and a system that detects security vulnerabilities in a web application by performing web request analysis and replay verification.
2. Related Art
People are increasingly relying on the Internet to manage many aspects of their daily lives. Internet users routinely view content from numerous web sites and portals to obtain various types of information and entertainment. Internet users also increasingly rely on web applications or “web apps” to carry out more complicated online activities, which can include: web search, web mail, web gaming, online banking, online shopping, online auctions, discussion boards, weblogs, and many other activities.
Meanwhile, the proliferation of web applications has also made them popular targets for attacks by malicious users. One common type of attack is referred to as “cross-site scripting” (XSS). The concept of XSS is to exploit a vulnerability in a web application which allows content not controlled by the application (i.e., controlled by a malicious user) to be returned to a user (the victim) in such a way that it is possible to execute malicious code. This type of vulnerability has been exploited to generate powerful phishing attacks and hijack user sessions by stealing their HTTP cookies. Other common web application attacks can include, but are not limited to: code injection, header injection/tampering, response splitting, cross-site request forgery (XSRF), and cross-site script inclusion (CSSI). Note that all of the above attacks can lead to XSS attacks.
The increasing frequency of web-application attacks can be attributed to a number of factors. First, because most web applications are accessible to all web users, they are exposed to a large number of potential attackers. Web applications are also targeted because they provide opportunities to attack the databases, web servers, and groups of users that are linked to them. Moreover, even well-intentioned web applications frequently contain inadvertently introduced bugs which lead to XSS vulnerabilities that a malicious user can exploit. Unfortunately, as web applications become richer and more dynamic to meet the needs of Web 2.0 applications, these types of bugs are likely to proliferate.
Many proactive techniques exist to detect web-application vulnerabilities. These techniques include: manual code auditing, static analysis tools, software fuzzing tools, black-box testing tools, and language-specific intrusion-detection tools (such as the Personal Home Page-Intrusion Detection System (PHPIDS)). However, these existing techniques generally have some serious drawbacks. In particular, they generally do not test all the different permutations of a web request received by the web application, and hence cannot detect the full breadth of web-application vulnerabilities. Moreover, these existing techniques do not perform verification on the detection results, and therefore may report a large number of “false vulnerabilities.” This drawback can seriously impair the usefulness of the above-mentioned techniques in practice.
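As an added example that is not part of the application, the following Python sketches the two steps the text contrasts with existing tools: request analysis (one variant of a recorded request per query parameter) followed by replay verification, which discards a reflection that the application escaped. The mock application, its two handlers, the probe string and the URLs are all constructed for the example.

```python
"""Added example: request-analysis plus replay-verification check for
reflected XSS, run against a constructed mock application (not real code
from the application described on the page)."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed mock web application: path -> handler rendering a body from
# the query parameters. 'search' echoes unescaped (the defect); 'greet'
# escapes correctly and must NOT be reported.
def _search_handler(params):
    q = params.get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"

def _greet_handler(params):
    name = params.get("name", [""])[0]
    return f"<p>Hello, {html.escape(name)}</p>"

MOCK_APP = {"/search": _search_handler, "/greet": _greet_handler}

def send(url):
    """Dispatch a GET to the mock app and return the response body."""
    parts = urlsplit(url)
    return MOCK_APP[parts.path](parse_qs(parts.query, keep_blank_values=True))

MARKER = "zq7replay"          # unlikely to occur in normal page content
PROBE = f"<{MARKER}>"         # tag-shaped but inert; only tests escaping

def permutations(url):
    """Request analysis: yield (parameter, variant URL) with the probe
    substituted into exactly one query parameter per variant."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in params:
        variant = {k: v[0] for k, v in params.items()}
        variant[name] = PROBE
        yield name, parts._replace(query=urlencode(variant)).geturl()

def find_reflections(url):
    """Detection pass: parameters whose probe text appears in the body at
    all, encoded or not. On its own this over-reports (false vulnerabilities)."""
    return [(n, u) for n, u in permutations(url) if MARKER in send(u)]

def verify_by_replay(candidates):
    """Replay each candidate and keep only those where the probe comes back
    unencoded; an escaped reflection (&lt;...&gt;) is harmless and dropped."""
    return [n for n, u in candidates if PROBE in send(u)]

def scan(url):
    """Full pipeline: vulnerable parameter names for a recorded request URL."""
    return verify_by_replay(find_reflections(url))
```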