Proceedings of the 17th ACM conference on Computer and communications security, 2010, p.585-594
2010

Details

Author(s) / Contributors
Title
Symbolic security analysis of ruby-on-rails web applications
Is part of
  • Proceedings of the 17th ACM conference on Computer and communications security, 2010, p.585-594
Place / Publisher
New York, NY, USA: ACM
Year of publication
2010
Source
ACM Digital Library Complete
Descriptions / Notes
  • Many of today's web applications are built on frameworks that include sophisticated defenses against malicious adversaries. However, mistakes in the way developers deploy those defenses could leave applications open to attack. To address this issue, we introduce Rubyx, a symbolic executor that we use to analyze Ruby-on-Rails web applications for security vulnerabilities. Rubyx specifications can easily be adapted to a variety of properties, since they are built from general assertions, assumptions, and object invariants. We show how to write Ruby specifications to detect susceptibility to cross-site scripting and cross-site request forgery, insufficient authentication, leaks of secret information, insufficient access control, as well as application-specific security properties. We used Rubyx to check seven web applications from various sources against our specifications. We found many vulnerabilities, and each application was subject to at least one critical attack. Encouragingly, we also found that it was relatively easy to fix most vulnerabilities, and that Rubyx showed the absence of attacks after our fixes. Our results suggest that Rubyx is a promising new way to discover security vulnerabilities in Ruby-on-Rails web applications.
