NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications

Authors: Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V. N. Venkatakrishnan

DOI: 10.1145/1866307.1866375

Keywords: Black-box testing; Computer security; Web application; World Wide Web; Computer science

Abstract: Web applications rely heavily on client-side computation to examine and validate form inputs that are supplied by a user (e.g., "credit card expiration date must be valid"). This is typically done for two reasons: to reduce the burden on the server and to avoid latencies in communicating with the server. However, when the server fails to replicate the validation performed on the client, it is potentially vulnerable to attack. In this paper, we present a novel approach for automatically detecting potential server-side vulnerabilities of this kind in existing (legacy) web applications through blackbox analysis. We discuss the design and implementation of NoTamper, a tool that realizes this approach. NoTamper has been employed to discover several previously unknown vulnerabilities in a number of open-source applications and live sites.
