Our research focuses on identifying security vulnerabilities in web applications before they are deployed, using both static and dynamic analysis techniques. A number of existing vulnerability analysis approaches have been applied to web applications. However, there are some characteristics of web applications that make them different from traditional stand-alone applications, such as the use of scripting languages, the structuring of the application logic into separate pages and code modules, and the interaction with back-end databases. Most approaches to web application vulnerability analysis have focused on single application modules to identify insecure uses of information provided as input to the application. Unfortunately, these approaches are limited in scope, and, therefore, they cannot detect multi-step attacks that exploit the interaction among multiple modules of an application.
The goal of our research is to develop novel vulnerability analysis techniques that can be applied to web applications to identify hard-to-detect security flaws, such as multi-module vulnerabilities and application-logic flaws.
Analyzing web applications for web vulnerabilities, from both black-box and white-box perspectives.