The explosion in the availability of data, fueled by mobile devices, has pushed security to the forefront. As of 2016, Internet users worldwide are estimated at a staggering 3.47 billion. Such numbers make an online presence essential for organizations across industries, and with it come security considerations for web-facing applications. Many web development frameworks offer common security features, such as authentication and session management, out of the box (e.g. Rails, Django, and CakePHP). However, developers must still address application-specific security issues themselves.
In this dissertation we introduce a novel web application security enhancing practice, called web application flow whitelisting. It targets two of the OWASP Top Ten (2013) web vulnerabilities: A4, Insecure Direct Object References, and A7, Missing Function Level Access Control. Initially, we create a workflow based on the application's intended behavior. From the workflow, we define a whitelist as a tuple <C,D,W,S>, where C is the set of all components within the system boundary, D is a set of conditions attached to transitions that occur within the application, W is the set of ordered pairs of components representing allowed transitions, and S is a matrix giving, for each transition, a safe component to redirect to in case that transition fails.
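To make the tuple <C,D,W,S> concrete, the following is an added example (not code from the dissertation) that encodes a flow whitelist for a hypothetical small shop and resolves each requested transition to either the destination component or its safe redirect. The component names (`login`, `home`, `orders`, `order_detail`, `admin`, `cart`, `checkout`), the conditions in D and the session contexts are all assumptions chosen to illustrate the two vulnerability classes above: an A7-style direct jump to `admin`, and an A4-style request for an order belonging to another user.

```python
"""
Flow whitelist <C, D, W, S> as a stand-alone policy object.

Added illustration, not the dissertation's own code. Component names,
condition functions and the sample contexts below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# A transition is an ordered pair of component names (source, destination).
Transition = Tuple[str, str]
# A condition inspects the current request/session context and returns True
# when the transition may proceed.
Condition = Callable[[dict], bool]


@dataclass
class FlowWhitelist:
    C: Set[str]                                                   # components inside the system boundary
    D: Dict[Transition, Condition] = field(default_factory=dict)  # conditions on transitions
    W: Set[Transition] = field(default_factory=set)               # allowed transitions
    S: Dict[Transition, str] = field(default_factory=dict)        # safe redirect per failed transition
    default_safe: str = "login"                                   # fallback when S has no entry

    def __post_init__(self) -> None:
        # Reject a malformed tuple: every transition and redirect target must name a component in C.
        for src, dst in self.W | set(self.D) | set(self.S):
            if src not in self.C or dst not in self.C:
                raise ValueError(f"transition ({src}, {dst}) references an unknown component")
        for target in list(self.S.values()) + [self.default_safe]:
            if target not in self.C:
                raise ValueError(f"safe component {target!r} is not in C")

    def resolve(self, src: str, dst: str, ctx: dict) -> Tuple[bool, str]:
        """Return (allowed, component_to_serve).

        The transition is served only if (src, dst) is in W and its condition
        in D, if any, holds for ctx. Otherwise the caller is sent to the safe
        component S[(src, dst)], or to default_safe when S has no entry.
        """
        safe = self.S.get((src, dst), self.default_safe)
        if (src, dst) not in self.W:
            return False, safe                       # transition never intended by the workflow
        cond = self.D.get((src, dst))
        if cond is not None and not cond(ctx):
            return False, safe                       # intended transition, but its condition failed
        return True, dst


def build_shop_whitelist() -> FlowWhitelist:
    """Hypothetical whitelist for a small shop with a customer area and an admin area."""
    components = {"login", "home", "orders", "order_detail", "admin", "cart", "checkout"}
    allowed = {
        ("login", "home"),
        ("home", "orders"),
        ("orders", "order_detail"),
        ("home", "admin"),
        ("home", "cart"),
        ("cart", "checkout"),
    }
    conditions: Dict[Transition, Condition] = {
        # Only an authenticated session may leave the login page.
        ("login", "home"): lambda ctx: ctx.get("authenticated", False),
        # A4-style check: the requested order must belong to the current user.
        ("orders", "order_detail"): lambda ctx: ctx.get("order_owner") == ctx.get("user"),
        # A7-style check: the admin component requires the admin role.
        ("home", "admin"): lambda ctx: ctx.get("role") == "admin",
        # Business rule: checkout needs a non-empty cart.
        ("cart", "checkout"): lambda ctx: ctx.get("cart_items", 0) > 0,
    }
    safe = {
        ("orders", "order_detail"): "orders",
        ("home", "admin"): "home",
        ("cart", "checkout"): "cart",
    }
    return FlowWhitelist(C=components, D=conditions, W=allowed, S=safe)


if __name__ == "__main__":
    wl = build_shop_whitelist()
    # Direct jump to the admin area from the login page is not in W at all.
    print(wl.resolve("login", "admin", {"authenticated": True}))              # (False, 'login')
    # Intended transition, but the role condition in D fails.
    print(wl.resolve("home", "admin", {"role": "user"}))                      # (False, 'home')
    # Order detail for somebody else's order: condition fails, redirect to the list.
    print(wl.resolve("orders", "order_detail", {"user": "alice", "order_owner": "bob"}))
```

In a Django deployment the natural enforcement point is a middleware that records the last served view name in the session as `src`, takes the requested view as `dst`, and calls `resolve` before the view runs, returning a redirect to the safe component whenever `allowed` is false; that placement is a suggestion here, not a description of the dissertation's implementation.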
Validation of web application flow whitelisting was carried out in two phases. In phase one, a static whitelist was created and applied to a total of 15 applications developed by students in course COMP4970: Web Development with Django at Auburn University. In phase two, a static whitelist was created and applied to an existing open source Django application in production use. Application-specific vulnerabilities were identified and counted by manual testing. Our results show that by conforming to a flow whitelist, all unintended application behavior is eliminated while intended behavior is preserved.