Posted on 2012-12-13. Authored by Mattia Fazzini.
This work presents an approach for automatically identifying and correcting erroneous or insufficient validation of user input in web applications. Web application developers typically perform redundant input validation in both the client and the server components of the application, and they do so for reasons of both efficiency and security: client-side validation improves the responsiveness of the application, since malformed input can be rejected without a round trip to the server, whereas server-side validation is necessary for security, since a malicious user can easily bypass client-side checks by sending requests to the server directly. The main idea behind the approach is to leverage this redundancy to automatically identify and correct inconsistencies between the two sets of checks. The approach extracts the client- and server-side validation functions for each input field, models each as a deterministic finite automaton (DFA), and compares the corresponding client- and server-side DFAs to identify, report and correct inconsistencies between the two sets of checks. The approach was implemented in a prototype and evaluated on a set of real-world web applications, with promising results: the prototype automatically identified and corrected a large number of inconsistencies in the input validation functions of those applications.
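To make the DFA-comparison step concrete, the following is an added example, written for this page and not taken from the thesis or its prototype. It models a client-side and a server-side check for one form field as DFAs over a small alphabet of character classes, then walks their product automaton breadth-first to find the shortest input on which the two checks disagree in each direction (accepted by the server only, which is the security-relevant case, or by the client only). The scenario is constructed: a ZIP-code field whose client-side check is `^\d{5}(-\d{4})?$` and whose server-side check is the laxer `^[0-9-]{5,9}$`; both regexes, the class names `D`, `-` and `O`, and the `intersection` repair (accept only what both checks accept) are assumptions made for illustration, not the thesis's own extraction or correction strategy.

```python
from collections import deque

# Alphabet of character classes. "O" stands for every character that neither
# constructed check allows, so the product search covers all possible inputs.
CLASSES = ("D", "-", "O")
REPRESENTATIVE = {"D": "1", "-": "-", "O": "x"}   # one concrete char per class


def classify(ch):
    """Map a character to its class (assumed classes, chosen for this example)."""
    if ch.isdigit():
        return "D"
    if ch == "-":
        return "-"
    return "O"


class DFA:
    """Deterministic automaton; a missing transition leads to the dead state None."""

    def __init__(self, delta, start, accepting):
        self.delta, self.start, self.accepting = delta, start, accepting

    def step(self, state, cls):
        return None if state is None else self.delta.get((state, cls))

    def accepts(self, text):
        state = self.start
        for ch in text:
            state = self.step(state, classify(ch))
        return state in self.accepting


# Constructed client-side check, equivalent to ^\d{5}(-\d{4})?$ :
# states 0..5 count digits, state 6 follows the dash, states 6..10 count four more.
CLIENT = DFA(
    delta={**{(i, "D"): i + 1 for i in range(5)},
           (5, "-"): 6,
           **{(i, "D"): i + 1 for i in range(6, 10)}},
    start=0,
    accepting={5, 10},
)

# Constructed server-side check, equivalent to ^[0-9-]{5,9}$ :
# only the character set and the length are verified.
SERVER = DFA(
    delta={(i, cls): i + 1 for i in range(9) for cls in ("D", "-")},
    start=0,
    accepting=set(range(5, 10)),
)


def find_inconsistencies(client, server):
    """Breadth-first search over the product automaton of the two checks.

    Returns the shortest input accepted only by the server and the shortest
    input accepted only by the client (None if no such input exists). BFS
    visits state pairs in order of input length, so the first hit is shortest.
    """
    start = (client.start, server.start)
    parent = {start: None}            # pair -> (previous pair, class taken)
    queue = deque([start])
    witnesses = {"server_only": None, "client_only": None}

    def path_to(pair):
        classes = []
        while parent[pair] is not None:
            pair, cls = parent[pair]
            classes.append(cls)
        return "".join(REPRESENTATIVE[c] for c in reversed(classes))

    while queue:
        pair = queue.popleft()
        c_acc = pair[0] in client.accepting
        s_acc = pair[1] in server.accepting
        if s_acc and not c_acc and witnesses["server_only"] is None:
            witnesses["server_only"] = path_to(pair)      # server check is weaker
        if c_acc and not s_acc and witnesses["client_only"] is None:
            witnesses["client_only"] = path_to(pair)      # valid input bounced by server
        for cls in CLASSES:
            nxt = (client.step(pair[0], cls), server.step(pair[1], cls))
            if nxt not in parent:
                parent[nxt] = (pair, cls)
                queue.append(nxt)
    return witnesses


def intersection(client, server):
    """Assumed repair strategy for this example: a DFA accepting exactly the
    inputs both checks accept, usable as a replacement server-side check."""
    start = (client.start, server.start)
    delta, seen, queue = {}, {start}, deque([start])
    while queue:
        pair = queue.popleft()
        for cls in CLASSES:
            nxt = (client.step(pair[0], cls), server.step(pair[1], cls))
            if None in nxt:           # either side is dead: drop the transition
                continue
            delta[(pair, cls)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    accepting = {p for p in seen
                 if p[0] in client.accepting and p[1] in server.accepting}
    return DFA(delta, start, accepting)


if __name__ == "__main__":
    print(find_inconsistencies(CLIENT, SERVER))
    fixed = intersection(CLIENT, SERVER)
    for sample in ("12345", "1111-", "12345-6789"):
        print(sample, CLIENT.accepts(sample), SERVER.accepts(sample), fixed.accepts(sample))
```

Running the script reports `1111-` as an input the server accepts but the client rejects (the server check is weaker than the client's, which is exactly the kind of insufficient server-side validation the approach is meant to surface) and `11111-1111` as a well-formed input the client accepts but the server rejects. The product construction terminates because the pair space is finite, and it is why the thesis can work with DFAs rather than the raw validation code: containment and equivalence of regular languages are decidable, whereas comparing two arbitrary JavaScript and PHP functions is not.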