WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Abstract

The current practice of Web application development treats the client and server components of the application as two separate pieces of software. Each component is written independently, usually in distinct programming languages and development platforms - a process known to be prone to errors when the client and server share application logic. When the client and server are out of sync, an âimpedance mismatchâ occurs, often leading to software vulnerabilities as demonstrated by recent work on parameter tampering. This paper outlines the groundwork for a new software development approach, WAVES, where developers author the server-side application logic and rely on tools to automatically synthesize the corresponding client-side application logic. WAVES employs program analysis techniques to extract a logical specification from the server, from which it synthesizes client code. WAVES also synthesizes interactive client interfaces that include asynchronous callbacks (AJAX) whose performance and coverage rival that of manually written clients while ensuring no new security vulnerabilities are introduced. The effectiveness of WAVES is demonstrated and evaluated on three real-world web applications.