Control-Flow Integrity in Web Applications

  • Bastian Braun
  • Patrick Gemein
  • Hans P. Reiser
  • Joachim Posegga
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7781)


Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harming requests. We analyze recent attacks on web applications with respect to user-defined requests and identify their root cause in the missing explicit control-flow definition and enforcement. Based on this result, we provide our approach, a control-flow monitor that is applicable to legacy as well as newly developed web applications. It expects a control-flow definition as input and provides guarantees to the web application concerning the sequence of incoming requests and carried parameters. It protects the web application against race condition exploits, a special case of control-flow integrity violation. Moreover, the control-flow monitor supports modern browser features like multi-tabbing and back button usage. We evaluate our approach and show that it induces a negligible overhead.


Race Condition Malicious User Incoming Request Integrity Violation Aspect Orient Program 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Paleari, R., Marrone, D., Bruschi, D., Monga, M.: On Race Vulnerabilities in Web Applications. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 126–142. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Chen, S.: Session Puzzles - Indirect Application Attack Vectors (White Paper) (May 23, 2012),
  3. 3.
    Grossman, J.: Seven Business Logic Flaws That Put Your Website At Risk (White Paper) (May 19, 2012),
  4. 4.
    The New York Times: Thieves Found Citigroup Site an Easy Entry (May 24, 2012),
  5. 5.
    Wang, R., Chen, S., Wang, X., Qadeer, S.: How to Shop for Free Online – Security Analysis of Cashier-as-a-Service Based Web Stores. In: IEEE Symposium on Security and Privacy (2011)Google Scholar
  6. 6.
    Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext Transfer Protocol – HTTP/1.1. RFC 2616 (June 1999),
  7. 7.
    Berners-Lee, T., Fielding, R., Irvine, U., Masinter, L.: Uniform Resource Identifiers (URI): Generic Syntax. RFC 2396 (August 1998),
  8. 8.
    OWASP: Race Conditions (May 23, 2012),
  9. 9.
    Hallé, S., Ettema, T., Bunch, C., Bultan, T.: Eliminating Navigation Errors in Web Applications via Model Checking and Runtime Enforcement of Navigation State Machines. In: ASE (2010)Google Scholar
  10. 10.
    Kristol, D., Montulli, L.: HTTP State Management Mechanism. RFC 2109 (February 1997),
  11. 11.
    ExpressionEngine Dev Team: CodeIgniter - Open Source PHP Web Application Framework (May 24, 2012),
  12. 12.
    Xdebug (June 05, 2012),
  13. 13.
    Magento Commerce (September 24, 2012),
  14. 14.
    OWASP: Failure to Restrict URL Access (May 11, 2012),
  15. 15.
    OWASP: Forced Browsing (May 04, 2012),
  16. 16.
    Bray, T.: Deep Linking in the World Wide Web (May 29, 2012),
  17. 17.
    Jayaraman, K., Lewandowski, G., Talaga, P.G., Chapin, S.J.: Enforcing Request Integrity in Web Applications. In: Foresti, S., Jajodia, S. (eds.) Data and Applications Security and Privacy XXIV. LNCS, vol. 6166, pp. 225–240. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Balzarotti, D., Cova, M., Felmetsger, V., Vigna, G.: Multi-Module Vulnerability Analysis of Web-based Applications. In: CCS (2007)Google Scholar
  19. 19.
    Cova, M., Balzarotti, D., Felmetsger, V., Vigna, G.: Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 63–86. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Felmetsger, V., Cavedon, L., Kruegel, C., Vigna, G.: Toward Automated Detection of Logic Vulnerabilities in Web Applications. In: USENIX Security (2010)Google Scholar
  21. 21.
    Li, X., Xue, Y.: BLOCK: A Black-box Approach for Detection of State Violation Attacks Towards Web Applications. In: ACSAC (2011)Google Scholar
  22. 22.
    Vikram, K., Prateek, A., Livshits, B.: Ripley: Automatically Securing Web 2.0 Applications Through Replicated Execution. In: CCS (2009)Google Scholar
  23. 23.
    Bisht, P., Hinrichs, T., Skrupsky, N., Bobrowicz, R., Venkatakrishnan, V.N.: NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. In: CCS (2010)Google Scholar
  24. 24.
    Guha, A., Krishnamurthi, S., Jim, T.: Using Static Analysis for Ajax Intrusion Detection. In: WWW (2009)Google Scholar
  25. 25.
    Balduzzi, M., Gimenez, C.T., Balzarotti, D., Kirda, E.: Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. In: NDSS (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Bastian Braun
    • 1
  • Patrick Gemein
    • 1
  • Hans P. Reiser
    • 1
  • Joachim Posegga
    • 1
  1. 1.Institute of IT-Security and Security Law (ISL)University of PassauGermany

Personalised recommendations