University of Illinois at Chicago

Specifying and Enforcing Workflows in Ruby on Rails

thesis
posted on 2013-10-24, 00:00 authored by Daniele Rossetti
Nowadays, Web applications are afflicted by numerous vulnerabilities and there exist many attacks that exploit them to execute malicious tasks. In this thesis we focus on vulnerabilities related to workflows, which are sequences of steps that the user must perform in order to complete some transaction. When the Web application fails to correctly enforce the workflows, undesired violations may be allowed. Currently, there is no systematic methodology for enforcing workflows and the implementation is left to the developer, which may result in a weak application, vulnerable to attacks. In order to address this issue, we present the framework Workflower, which allows the developer to easily specify workflows and automatically enforce them. The framework allows the specification to be declarative and separated from the application logic, so that it is easier to understand and maintain. The specification is securely and automatically enforced in the application, so that any violation is prevented without requiring the developer to manually implement any defense. Additionally, it supports several features such as concurrent workflows, multiple instances workflows, automatic redirection and request resuming.

History

Advisor

Zuck, Lenore D.

Department

Computer Science

Degree Grantor

University of Illinois at Chicago

Degree Level

  • Masters

Committee Member

Natarajan, Venkatakrishnan Venkatesan
Lanzi, Pier Luca

Submitted date

2013-08

Language

  • en

Issue date

2013-10-24
