AJAX applications are prone to security vulnerabilities due to the easeof inadvertently entrusting the client with security-critical logic. Wecharacterize exploits of such vulnerabilities as violations of aprotocol implicitly defined in the client-side code, and we introduce amethod to detect and prevent these protocol violations in middleware,without having to modify the original application. We accomplish this byinstrumenting the client code to send fragments of execution traces tothe server, allowing the server to efficiently prove that the incomingmessage complies with the protocol. By combining replay execution andconstraint solving, our method exploits the componentized structure ofapplications to minimize the server computing power and networkbandwidth required to monitor them. A prototype running on the GoogleWeb Toolkit platform demonstrates our method.
展开▼
