Automated Detection of Client-State Manipulation Vulnerabilities

Author(s): Anders Møller, Mathias Schwarz
Venue: Transactions on Software Engineering and Methodology
Date: August 2014


To address the significant security issue of client-state manipulation in web applications, the authors propose a static analysis for several widely adopted frameworks that identifies such vulnerabilities before deployment. Client state, in the context of a web application, is application data handed to the client so that state survives across the requests of an otherwise stateless HTTP session; common examples are generated URL parameters and hidden fields in HTML forms. Because this data lives on the client, it is necessarily exposed to modification by a malicious end user before it is sent back to the server. The authors consider an application "vulnerable to client-state manipulation if users, by modifying their client state, can gain additional capabilities to access or change shared application state" unless "all parts of the application state that can be accessed or changed by modifying client state can also be accessed by other [legitimate] means."
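The following is an added example, not code from the paper: a hidden form field carrying a price, first trusted as-is (the manipulation the definition above describes) and then protected by an HMAC over the serialized state so that a modified field is rejected. The catalogue, the order list and the secret key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared application state for the example: a price list (cents)
# and the list of accepted orders. Both are assumptions, not the paper's data.
CATALOGUE = {"sku-100": 1999}
ORDERS = []

# ---- Vulnerable: the price is emitted as a hidden field and trusted on return.
def render_form_vulnerable(sku):
    """Hidden fields the server puts into the HTML form; the client can edit them."""
    return {"sku": sku, "price": str(CATALOGUE[sku])}

def checkout_vulnerable(form):
    """Source (form['price']) flows straight into the sink (ORDERS) with no sanitizer."""
    order = {"sku": form["sku"], "charged": int(form["price"])}
    ORDERS.append(order)
    return order

# ---- Hardened: the hidden field is authenticated with an HMAC the client cannot forge.
SECRET_KEY = b"per-deployment secret that never leaves the server"  # assumption

def _mac(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def render_form_signed(sku):
    """Serialize the state, then attach a MAC over the exact bytes sent to the client."""
    payload = json.dumps({"sku": sku, "price": CATALOGUE[sku]}, sort_keys=True).encode()
    return {"state": base64.urlsafe_b64encode(payload).decode(), "mac": _mac(payload)}

def verify_state(form):
    """The sanitizer: returns the trusted dict, or None if the state was modified."""
    try:
        payload = base64.urlsafe_b64decode(form["state"])
    except (KeyError, ValueError):   # binascii.Error is a ValueError subclass
        return None
    expected = _mac(payload).encode()
    presented = str(form.get("mac", "")).encode()
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return None
    return json.loads(payload)

def checkout_signed(form):
    """Only state that passed the sanitizer reaches the sink; tampering yields None."""
    state = verify_state(form)
    if state is None:
        return None
    order = {"sku": state["sku"], "charged": state["price"]}
    ORDERS.append(order)
    return order

def tamper_price(form, new_price):
    """What an attacker can do without the key: rewrite the state, keep the old MAC."""
    state = json.loads(base64.urlsafe_b64decode(form["state"]))
    state["price"] = new_price
    payload = json.dumps(state, sort_keys=True).encode()
    return {"state": base64.urlsafe_b64encode(payload).decode(), "mac": form["mac"]}

if __name__ == "__main__":
    f = render_form_vulnerable("sku-100")
    f["price"] = "1"
    print("vulnerable:", checkout_vulnerable(f))
    g = render_form_signed("sku-100")
    print("signed, untouched:", checkout_signed(g))
    print("signed, tampered:", checkout_signed(tamper_price(g, 1)))
```

The MAC stops modification, which is exactly what the paper's definition is about; it does not by itself stop a client from replaying a state blob issued earlier (for instance an old price), so in practice the blob is also bound to the session or given an expiry. Note that the sanitizer clears only the value it returns: `checkout_signed` must take `sku` and `price` from `state`, never from the raw form.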

The authors classify code locations into three kinds for their static analysis:

  • Source: code where client state is read into the application
  • Sink: code where client state is used to access or change shared application state
  • Sanitizer: code (e.g. decryption of encrypted state) that neutralizes manipulation of client state before it is used

Conceptually, in a secure application every flow of information from a source to a sink passes through a sanitizer. The static analysis the authors propose therefore searches for code paths along which information can flow from a source into a sink without passing through a sanitizer. The analysis is driven by explicit rules naming the sources, sinks and sanitizers, so it can be run, its reports inspected, and re-run with application-specific rules (for example, declaring an application's own validation routine a sanitizer) to prune false positives. The remainder of the paper describes the analysis in detail and reports example runs.
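To make the source/sanitizer/sink model concrete, here is an added toy version of such an analysis; it is not the authors' implementation. Handlers are written in a small three-address form over a control-flow graph (an assumption for this example), the rule set names are invented, and the analysis is a forward may-analysis that reports every sink argument that can carry unsanitized client state. The last run shows the tuning step: an application-specific rule declares a catalogue lookup a sanitizer, because the looked-up item is something any user could also select through the normal interface.

```python
from collections import deque

# Explicit, tunable rules: which callees are sources, sanitizers and sinks.
# The names are assumptions for this example, not the paper's rule set.
DEFAULT_RULES = {
    "sources":    {"request.getParameter"},
    "sanitizers": {"State.verify"},
    "sinks":      {"db.updateBalance", "db.placeOrder"},
}

def with_sanitizer(rules, callee):
    """Application-specific tuning: declare one more callee a sanitizer."""
    return {**rules, "sanitizers": rules["sanitizers"] | {callee}}

# Handlers are given in a tiny three-address form (an assumption for this example):
# a statement is (dst, callee, args) meaning dst = callee(*args); callee "id" is a
# plain copy and quoted args such as "'amount'" are string constants. A handler is
# a control-flow graph {block: (statements, successor_blocks)}.

def analyze(cfg, entry, rules=DEFAULT_RULES):
    """Forward may-analysis. Returns sorted (block, sink, variable) triples where a
    sink receives a value derived from client state that never passed a sanitizer."""
    taint_in = {b: set() for b in cfg}   # variables that may hold raw client state
    seen, findings = set(), set()
    work = deque([entry])
    while work:
        b = work.popleft()
        seen.add(b)
        taint = set(taint_in[b])
        for dst, callee, args in cfg[b][0]:
            if callee in rules["sources"]:
                tainted = True                  # client state enters here
            elif callee in rules["sanitizers"]:
                tainted = False                 # result is trusted whatever went in
            else:
                if callee in rules["sinks"]:
                    findings.update((b, callee, a) for a in args if a in taint)
                tainted = any(a in taint for a in args)   # ordinary data dependence
            if dst is not None:
                (taint.add if tainted else taint.discard)(dst)
        for s in cfg[b][1]:
            if s not in seen or not taint <= taint_in[s]:
                taint_in[s] |= taint            # join over predecessors
                work.append(s)
    return sorted(findings)

# Constructed handlers.
VULNERABLE = {  # account and amount come from hidden fields and are used directly
    "entry": ([("acct", "request.getParameter", ["'account'"]),
               ("amt",  "request.getParameter", ["'amount'"]),
               (None,   "db.updateBalance",     ["acct", "amt"])], []),
}
SANITIZED = {  # the whole state blob is verified first, then fields are taken from it
    "entry": ([("blob", "request.getParameter", ["'state'"]),
               ("st",   "State.verify",         ["blob"]),
               ("acct", "State.get",            ["st", "'account'"]),
               ("amt",  "State.get",            ["st", "'amount'"]),
               (None,   "db.updateBalance",     ["acct", "amt"])], []),
}
BRANCHING = {  # one branch verifies, a leftover debug branch copies the raw blob
    "entry":  ([("blob", "request.getParameter", ["'state'"])], ["verify", "debug"]),
    "verify": ([("acct", "State.verify",     ["blob"])], ["commit"]),
    "debug":  ([("acct", "id",               ["blob"])], ["commit"]),
    "commit": ([(None,   "db.updateBalance", ["acct"])], []),
}
LOOKUP = {  # the client picks a catalogue item any user could also pick in the UI
    "entry": ([("sku",  "request.getParameter", ["'sku'"]),
               ("item", "Catalogue.lookup",     ["sku"]),
               (None,   "db.placeOrder",        ["item"])], []),
}

if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE), ("sanitized", SANITIZED),
                      ("branching", BRANCHING), ("lookup", LOOKUP)]:
        print(name, analyze(cfg, "entry"))
    # Second run with an application-specific rule prunes the lookup report.
    print("lookup, tuned", analyze(LOOKUP, "entry",
                                   with_sanitizer(DEFAULT_RULES, "Catalogue.lookup")))
```

Two design points carry over to a real tool: the analysis is a may-analysis, so the `BRANCHING` handler is reported even though one of its two paths is safe, and a sanitizer clears only its own result, so copying the raw blob around the sanitizer (the `debug` block) is caught. Whether `Catalogue.lookup` really grants no additional capability is an application-level judgement; the rule file is where that judgement is recorded.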