Finding Vulnerabilities in Rich Internet Applications (Flex/AS3) Using Static Techniques

Full Text (PDF, 222KB), PP.33-39

Views: 0 Downloads: 0

Author(s)

Sreenivasa Rao Basavala 1,* Narendra Kumar 2 Alok Agarrwal 3

1. Dept. of Computer Science & Engineering, CMJ University, Shillong, India

2. Dept. of Computer Science & Engineering, Ace college of Technology and Management, Agra, India

3. Dept. of Computer Science & Engineering, JIIT University, Noida, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijmecs.2012.01.05

Received: 5 Sep. 2011 / Revised: 20 Oct. 2011 / Accepted: 12 Nov. 2011 / Published: 8 Jan. 2012

Index Terms

Applications security Analysis, Static Analysis, Taint Analysis, Vulnerability Detection in Flex, Static Techniques, Action Script Security

Abstract

The number and the importance of Rich Internet Applications (RIA) have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such rich internet applications (RIA) have increasing as well. Since manual code reviews are time consuming, error prone and costly and it need skilled developers or programmers to review the manual source code review, the need for automated solutions has become evident. In this paper, we address the problem of application security vulnerable detection in Adobe Flex (Rich Internet Applications) platform in web 2.0 applications by means of static source code analysis. To this end, we present precise analysis targeted at the unique reference semantics commonly found in RIA based web applications or widgets (small applications which will run on fly i.e. drag and drop) developed in Adobe Flex Framework or Action Script 3.0. Moreover, we enhance the quality and quantity of the generated vulnerability reports. 

Cite This Paper

Sreenivasa Rao Basavala, Narendra Kumar, Alok Agarrwal, "Finding Vulnerabilities in Rich Internet Applications (Flex/AS3) Using Static Techniques", International Journal of Modern Education and Computer Science (IJMECS), vol.4, no.1, pp.33-39, 2012. DOI:10.5815/ijmecs.2012.01.05

Reference

[1]Gagan Agarwal, Jinqian Li, and Qi Su. Evaluating a demand driven technique for call graph construction.In Proceedings of the International Conference on Compiler Construction, May 2002.
[2]Alfred V. Aho, Ravi Sethi, and Jeffrey D. Ullman.Compilers: Principles, Techniques, and Tools.Addison-Wesley.
[3]Ken Ashcraft and Dawson Engler. Using programmer-written compiler extensions to catch security holes. In Proceedings of the Symposium on Security and Privacy.
[4]Amit Klein. Cross site scripting explained.http://crypto.stanford.edu/cs155/CSS.pdf
[5]Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing Web application code by static analysis and runtime protection. In Proceedings of the Conference on World Wide Web. May 2004.
[6]http://www.adobe.com/devnet/flex/articles/flex_enter prise_security.html by Adobe.
[7]Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Precise alias analysis for syntactic detection of Web application vulnerabilities. In Proceedings of the Workshop on Programming Languages and Analysis for Security, June 2006.
[8]Brian Chess and Gary McGraw. Static analysis for security. IEEE Security and Privacy, 2(6):76–79,2004.
[9]Jeremiah Grossman. Cross-site tracing (XST): the new techniques and emerging threats to bypass current Web security measures using TRACE and XSS. http://www.cgisecurity.com/whitehatmirror/WhitePaper screen.pdf
[10]Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee,and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In WWW '04:Proceedings of the 13th International Conference on World Wide Web, 2004.
[11]Ss Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. T.Lee, and S.-Y. Kuo. Verifying web applications using bounded model checking. In DSN, 2004.
[12]Industrial Perspective on Static Analysis. Software Engineering Journal Mar. 1995: 69-75Wichmann, B.A., A. A. Canning, D. L. Clutterbuck, L. A.Winsbarrow, N. J. Ward, and D. W. R. Marsh.http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf
[13]http://www.slideshare.net/eladnyc/top-securitythreats-to-flashflex-applications-and-how-to-avoidthem-4873308
[14]http://www.cc.gatech.edu/~orso/papers/halfond.choudhary.orso.STVR11.pdf
[15]http://en.wikipedia.org/wiki/Adobe_Flex
[16]http://en.wikipedia.org/wiki/Rich_Internet_application
[17]http://en.wikipedia.org/wiki/Adobe_Flash_Builder
[18]Rich Internet Applications: The Next Frontier of Corporate Development" by Larry Seltzer. 2010-08-25. eWeek.http://www.eweek.com/c/a/Security/Rich-Internet-Applications-The-Next-Frontier-of-Corporate-Development-732651.
[19]Laszlo: An Open Source Framework for Rich Internet Applications.