Ghostrail: Ad Hoc Control-Flow Integrity for Web Applications

Authors: Bastian Braun, Caspar Gries, Benedikt Petschkuhn, Joachim Posegga

DOI: 10.1007/978-3-642-55415-5_22

Keywords:

Abstract: Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters, and in response they receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harmful requests. We analyze recent attacks on web applications with respect to user-defined requests and identify their root cause: the missing enforcement of the allowed next user requests. Based on this result, we provide our approach, named Ghostrail, a control-flow monitor that is applicable to legacy as well as newly developed web applications. It observes incoming requests and lets only those pass that were provided as next steps in the last web page. Ghostrail protects the web application against race condition exploits, the manipulation of HTTP parameters, unsolicited request sequences, and forceful browsing. We evaluate the approach and show that it neither needs a training phase nor a manual policy definition, while it is suitable for a broad range of web technologies.
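The abstract describes the monitor's core rule (admit a request only if the previous page offered it as a next step) but gives no code. The following is an added illustrative implementation, not code from the Ghostrail paper or its prototype: it extracts hyperlinks and forms from each outgoing page, stores them per session, and checks each incoming request's method, path and parameters against that set. The shop page, session id, URLs and parameter names are constructed for this example, and the rule that one accepted request consumes the offered steps (which is what rejects the duplicate checkout below) is this example's own simplification, chosen to illustrate the race-condition and replay case, not a claim about how Ghostrail implements it.

```python
# Added illustrative example (not Ghostrail's own code): a toy control-flow
# monitor that only admits requests offered as "next steps" by the last page.
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit


class _NextStepParser(HTMLParser):
    """Collect the hyperlinks and forms of one page as allowed next steps.

    A step is (method, path, fixed_params, free_fields): fixed_params are the
    query parameters of a link or the hidden fields of a form (their values
    must come back unchanged), free_fields are the user-editable form fields.
    """

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.steps = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            parts = urlsplit(urljoin(self.base_url, a["href"]))
            fixed = dict(parse_qsl(parts.query, keep_blank_values=True))
            self.steps.append(("GET", parts.path, fixed, frozenset()))
        elif tag == "form":
            target = urlsplit(urljoin(self.base_url, a.get("action") or self.base_url))
            self._form = {"method": (a.get("method") or "get").upper(),
                          "path": target.path, "fixed": {}, "fields": set()}
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            if (a.get("type") or "").lower() == "hidden":
                self._form["fixed"][a["name"]] = a.get("value") or ""
            else:
                self._form["fields"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            f = self._form
            self.steps.append((f["method"], f["path"], f["fixed"], frozenset(f["fields"])))
            self._form = None


class ControlFlowMonitor:
    """Per-session allow-list of next requests, derived from the last response."""

    def __init__(self):
        self._next = {}  # session id -> list of allowed next steps

    def record_response(self, session, page_url, html):
        """Called for every outgoing page: replace the session's allowed next steps."""
        parser = _NextStepParser(page_url)
        parser.feed(html)
        self._next[session] = parser.steps

    def check_request(self, session, method, url, body=None):
        """Return True iff the request matches a step offered by the last page.

        Simplification of this example: the offered steps are consumed by the
        first matching request, so a concurrent duplicate (race) or a replay of
        the same step is rejected until a new page offers it again.
        """
        parts = urlsplit(url)
        sent = dict(parse_qsl(parts.query, keep_blank_values=True))
        sent.update(body or {})
        for step_method, path, fixed, fields in self._next.get(session, []):
            if step_method != method.upper() or path != parts.path:
                continue  # forceful browsing: this page/verb was never offered
            if any(sent.get(k) != v for k, v in fixed.items()):
                continue  # parameter manipulation: fixed value changed or missing
            if set(sent) - set(fixed) - fields:
                continue  # unsolicited parameter the page never asked for
            self._next[session] = []
            return True
        return False


# Constructed sample page of a hypothetical shop, served to session "s1".
DEMO_URL = "https://shop.example/cart"
DEMO_PAGE = """
<a href="/item?id=42">Back to item</a>
<form method="post" action="/checkout">
  <input type="hidden" name="order" value="1001">
  <input name="coupon">
  <button type="submit">Pay</button>
</form>
"""


def demo_monitor(session="s1"):
    """Monitor that has just seen DEMO_PAGE go out to the given session."""
    m = ControlFlowMonitor()
    m.record_response(session, DEMO_URL, DEMO_PAGE)
    return m


if __name__ == "__main__":
    m = demo_monitor()
    print(m.check_request("s1", "GET", "/item?id=42"))   # offered by the page
    print(m.check_request("s1", "GET", "/item?id=43"))   # tampered parameter
    print(m.check_request("s1", "GET", "/admin"))        # forceful browsing
```

In a deployment this logic sits in front of the application (a reverse proxy or middleware) so that no application code has to change, which matches the "applicable to legacy applications" property the abstract claims. Static resources referenced by the page, JavaScript-generated requests and pages that legitimately offer the same action several times are the cases a real monitor has to handle and this toy does not.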
