Input Validation Vulnerabilities in Web Applications and Countermeasures
March 11th from 2-3pm, SEO 1000
In current web application development practice, the client and server components are usually written independently, in distinct programming languages and on distinct development platforms. This process is known to be prone to errors when the client and server share application logic. When the client and server are out of sync, an "impedance mismatch" occurs, often leading to software vulnerabilities that are exploited by attacks such as parameter tampering.
We are concerned with a specific kind of application logic: the input validation logic. Examples of input validation include input character validation ("username does not contain special characters"), required fields ("phone number is required") and logical checks ("credit card expiry date must not be in the past").
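As an added illustration (not part of the talk announcement), the server-side half of the three checks listed above, applied to a constructed checkout form; the field names, rules and sample requests are assumptions for this example. The client form would perform the same checks in JavaScript, but a request forged outside the browser skips them, so the server must re-validate rather than trust the client's logic.

```python
import re
from datetime import date
from typing import Dict, List

# Assumed rules for the constructed form (not from the talk).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")
REQUIRED_FIELDS = ("username", "phone", "expiry_month", "expiry_year")
FIXED_TODAY = date(2025, 1, 1)  # pinned "today" so results are reproducible

# Constructed sample requests: one as the browser form would send it, one
# with the client-side checks bypassed (missing field, bad characters,
# short phone number, expired card).
VALID_REQUEST = {"username": "alice_1", "phone": "+13125550100",
                 "expiry_month": "12", "expiry_year": "2030"}
TAMPERED_REQUEST = {"username": "al<script>", "phone": "555",
                    "expiry_month": "1", "expiry_year": "2020"}


def validate_checkout(form: Dict[str, str], today: date = FIXED_TODAY) -> List[str]:
    """Return the list of validation errors; an empty list means the input is accepted."""
    errors: List[str] = []
    # Required fields: a tampered request may simply omit what the form insists on.
    for field in REQUIRED_FIELDS:
        if not str(form.get(field, "")).strip():
            errors.append(f"{field} is required")
    if errors:
        return errors
    # Character validation: only letters, digits and underscore in the username.
    if not USERNAME_RE.fullmatch(form["username"]):
        errors.append("username contains invalid characters")
    if not PHONE_RE.fullmatch(form["phone"]):
        errors.append("phone number is malformed")
    # Logical check: the card expiry month/year must not lie in the past.
    try:
        month, year = int(form["expiry_month"]), int(form["expiry_year"])
        if not 1 <= month <= 12:
            raise ValueError("month out of range")
    except ValueError:
        errors.append("expiry date is malformed")
    else:
        if (year, month) < (today.year, today.month):
            errors.append("credit card expiry date is in the past")
    return errors


if __name__ == "__main__":
    print("valid request   ->", validate_checkout(VALID_REQUEST))
    print("tampered request->", validate_checkout(TAMPERED_REQUEST))
```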
In this talk, I will discuss input validation vulnerabilities and the related attacks (the parameter tampering attack in particular), along with the challenges involved in code analysis and synthesis, and then introduce some of the proposed techniques.
Maliheh Monshizadeh is a PhD student in the Department of Computer Science at UIC and an ESP-IGERT Associate. She works as a research assistant in the SISL Lab under the supervision of Professor Venkatakrishnan. Her main interests lie in web security and code analysis. Maliheh received her master's degree in Information Technology (with a focus on Computer Networks) from Sharif University of Technology in Tehran, Iran, and her bachelor's degree in Software Engineering from Shahid Beheshti University, Tehran, Iran.