Abstract

This thesis proposes new techniques for finding and eliminating application-specific bugs in web applications. We demonstrate three approaches to finding these bugs, each representing one position in the compromise between specificity and automation. All three are powered by a scalable symbolic execution specifically tailored to the structure of web application implementations, allowing analysis of even the largest real-world applications. In contrast to existing general-purpose verification approaches, this work was inspired by the hypothesis that narrowing our focus might produce more effective tools. Our approach has been to take advantage of properties specific to application-specific security bugs in web applications in order to produce more effective tools. The results suggest that focusing on a particular class of applications (web applications) and on a particular class of bugs (missing security checks) we can build static analysis tools that are both significantly more scalable and more automated than general-purpose bug-finding tools.