A Survey on Control-Flow Integrity Means in Web Application Frameworks

  • Bastian Braun
  • Christian v. Pollak
  • Joachim Posegga
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8208)


Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harming requests. We analyze recent attacks on web applications with respect to user-defined requests and identify their root cause in the missing explicit control-flow definition and enforcement. Then, we evaluate the most prevalent web application frameworks in order to assess how far real-world web applications can use existing means to explicitly define and enforce intended control flows. While we find that all tested frameworks allow individual retrofit solutions, only one out of ten provides a dedicated control-flow integrity protection feature. Finally, we describe ways to equip web applications with control-flow integrity properties.


Race Condition Malicious User Incoming Request Intended Control Integrity Protection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Paleari, R., Marrone, D., Bruschi, D., Monga, M.: On Race Vulnerabilities in Web Applications. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 126–142. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
  3. 3.
    Grossman, J.: Seven Business Logic Flaws That Put Your Website At Risk. White Paper (May 19, 2012),
  4. 4.
    The New York Times: Thieves Found Citigroup Site an Easy Entry (May 24, 2012),
  5. 5.
    Wang, R., Chen, S., Wang, X., Qadeer, S.: How to Shop for Free Online – Security Analysis of Cashier-as-a-Service Based Web Stores. In: IEEE Symposium on Security and Privacy (2011)Google Scholar
  6. 6.
    Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext Transfer Protocol – HTTP/1.1. RFC 2616 (June 1999),
  7. 7.
    Berners-Lee, T., Fielding, R., Masinter, L.: Uniform Resource Identifiers (URI): Generic Syntax. RFC 2396 (August 1998),
  8. 8.
    Jovanovic, N., Kruegel, C., Kirda, E.: Preventing cross site request forgery attacks. In: Securecomm (2006)Google Scholar
  9. 9.
    OWASP: Race Conditions (May 23, 2012),
  10. 10.
    Hallé, S., Ettema, T., Bunch, C., Bultan, T.: Eliminating Navigation Errors in Web Applications via Model Checking and Runtime Enforcement of Navigation State Machines. In: ASE (2010)Google Scholar
  11. 11.
    builtWith: Framework Usage Statistics – Overview of Statistics for Framework Technologies,
  12. 12.
    Johnson, R.E., Foote, B.: Designing Reusable Classes. Journal of Object-Oriented Programming 1 (1988)Google Scholar
  13. 13.
    The Apache Software Foundation: Tapestry,
  14. 14.
    Google, Inc.: Google Web Toolkit,
  15. 15.
    SpringSource: The Spring Framework,
  16. 16.
    EllisLab, Inc.: CodeIgniter,
  17. 17.
    Cake Software Foundation, Inc.: CakePHP,
  18. 18.
    Kohana Team: Kohana,
  19. 19.
    Microsoft: ASP.NET,
  20. 20.
    Microsoft: ASP.NET Web Forms,
  21. 21.
    Microsoft: ASP.NET MVC,
  22. 22.
    Microsoft: ASP.NET Web Pages,
  23. 23.
    Hansson, D.H.: Ruby on Rails,
  24. 24.
    Django Software Foundation: Django,
  25. 25.
    Mozilla Developer Network: AJAX,
  26. 26.
    Spring Projects: Spring Web Flow,
  27. 27.
    OWASP: Failure to Restrict URL Access (May 11, 2012),
  28. 28.
    OWASP: Forced Browsing (May 4, 2012),
  29. 29.
    Bray, T.: Deep Linking in the World Wide Web (May 29, 2012),
  30. 30.
    Braun, B., Gemein, P., Reiser, H.P., Posegga, J.: Control-Flow Integrity in Web Applications. In: Jürjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 1–16. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  31. 31.
    Cova, M., Balzarotti, D., Felmetsger, V., Vigna, G.: Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 63–86. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  32. 32.
    Li, X., Xue, Y.: BLOCK: A Black-box Approach for Detection of State Violation Attacks Towards Web Applications. In: ACSAC (2011)Google Scholar
  33. 33.
    Balzarotti, D., Cova, M., Felmetsger, V., Vigna, G.: Multi-Module Vulnerability Analysis of Web-based Applications. In: CCS (2007)Google Scholar
  34. 34.
    Jayaraman, K., Lewandowski, G., Talaga, P.G., Chapin, S.J.: Enforcing Request Integrity in Web Applications. In: Foresti, S., Jajodia, S. (eds.) Data and Applications Security and Privacy XXIV. LNCS, vol. 6166, pp. 225–240. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  35. 35.
    Felmetsger, V., Cavedon, L., Kruegel, C., Vigna, G.: Toward Automated Detection of Logic Vulnerabilities in Web Applications. In: USENIX Security (2010)Google Scholar
  36. 36.
    Balduzzi, M., Gimenez, C.T., Balzarotti, D., Kirda, E.: Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. In: NDSS (2011)Google Scholar
  37. 37.
    Bisht, P., Hinrichs, T., Skrupsky, N., Bobrowicz, R., Venkatakrishnan, V.N.: NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. In: CCS (2010)Google Scholar
  38. 38.
    Vikram, K., Prateek, A., Livshits, B.: Ripley: Automatically Securing Web 2.0 Applications Through Replicated Execution. In: CCS (2009)Google Scholar
  39. 39.
    Guha, A., Krishnamurthi, S., Jim, T.: Using Static Analysis for Ajax Intrusion Detection. In: WWW (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Bastian Braun
    • 1
  • Christian v. Pollak
    • 1
  • Joachim Posegga
    • 1
  1. 1.Institute of IT Security and Security Law (ISL)University of PassauGermany

Personalised recommendations