Symbolic security analysis of ruby-on-rails web applications

13 years 11 months ago

Download www.cs.umd.edu

Many of today's web applications are built on frameworks that include sophisticated defenses against malicious adversaries. However, mistakes in the way developers deploy those defenses could leave applications open to attack. To address this issue, we introduce Rubyx, a symbolic executor that we use to analyze Ruby-onRails web applications for security vulnerabilities. Rubyx specifications can easily be adapted to a variety of properties, since they are built from general assertions, assumptions, and object invariants. We show how to write Rubyx specifications to detect susceptibility to cross-site scripting and cross-site request forgery, insufficient authentication, leaks of secret information, insufficient access control, as well as application-specific security properties. We used Rubyx to check seven web applications from various sources against our specifications. We found many vulnerabilities, and each application was subject to at least one critical attack. Encouragingly...

Avik Chaudhuri, Jeffrey S. Foster

Real-time Traffic

CCS 2010 | Rubyx Specifications | Security Privacy | Security Vulnerabilities | Web Applications |

claim paper

Post Info
More Details (n/a)

Added	06 Dec 2010
Updated	06 Dec 2010
Type	Conference
Year	2010
Where	CCS
Authors	Avik Chaudhuri, Jeffrey S. Foster

Comments (0)

Sciweavers

Symbolic security analysis of ruby-on-rails web applications

CCS 2010 | Rubyx Specifications | Security Privacy | Security Vulnerabilities | Web Applications |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers