DOI: 10.1007/11823230_22
Article

Static analysis for java servlets and JSP

Published: 29 August 2006

Abstract

We present an approach for statically reasoning about the behavior of Web applications that are developed using Java Servlets and JSP. Specifically, we attack the problems of guaranteeing that all output is well-formed and valid XML and ensuring consistency of XHTML form fields and session state. Our approach builds on a collection of program analysis techniques developed earlier in the JWIG and Xact projects, combined with work on balanced context-free grammars. Together, this provides the necessary foundation concerning reasoning about output streams and application control flow.




Published In

Guide Proceedings
SAS'06: Proceedings of the 13th International Conference on Static Analysis
August 2006
442 pages
ISBN: 3540377565

Sponsors

  • KISS Special Interest Group on Programming Languages
  • Seoul National University
  • Korea Information Science Society

Publisher

Springer-Verlag

Berlin, Heidelberg


Qualifiers

  • Article

Cited By

View all
  • (2017) Inferring page models for web application analysis. Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 412-415. DOI: 10.1145/3092703.3098240. Online publication date: 10-Jul-2017.
  • (2017) Testing and analysis of web applications using page models. Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 181-191. DOI: 10.1145/3092703.3092734. Online publication date: 10-Jul-2017.
  • (2017) Analyzing program dependencies in Java EE applications. Proceedings of the 14th International Conference on Mining Software Repositories, pp. 64-74. DOI: 10.1109/MSR.2017.6. Online publication date: 20-May-2017.
  • (2016) JSPChecker. Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, pp. 57-68. DOI: 10.1145/2993600.2993606. Online publication date: 24-Oct-2016.
  • (2015) Bidirectional Analysis Method of Static XSS Defect Detection Technique Based On Database Query Language. Transactions on Computational Collective Intelligence XIX, Volume 9380, pp. 32-44. DOI: 10.1007/978-3-662-49017-4_3. Online publication date: 1-Sep-2015.
  • (2015) A suite of abstract domains for static analysis of string values. Software—Practice & Experience, 45(2):245-287. DOI: 10.1002/spe.2218. Online publication date: 1-Feb-2015.
  • (2014) Automated Detection of Client-State Manipulation Vulnerabilities. ACM Transactions on Software Engineering and Methodology, 23(4):1-30. DOI: 10.1145/2531921. Online publication date: 5-Sep-2014.
  • (2012) Automated detection of client-state manipulation vulnerabilities. Proceedings of the 34th International Conference on Software Engineering, pp. 749-759. DOI: 10.5555/2337223.2337312. Online publication date: 2-Jun-2012.
  • (2012) Noncespaces. Computers and Security, 31(4):612-628. DOI: 10.1016/j.cose.2011.12.004. Online publication date: 1-Jun-2012.
  • (2011) Abstract LR-parsing. Formal modeling, pp. 90-109. DOI: 10.5555/2074591.2074599. Online publication date: 1-Jan-2011.