ABSTRACT
Web applications rely heavily on client-side computation to examine and validate form inputs that are supplied by a user (e.g., "credit card expiration date must be valid"). This is typically done for two reasons: to reduce burden on the server and to avoid latencies in communicating with the server. However, when a server fails to replicate the validation performed on the client, it is potentially vulnerable to attack. In this paper, we present a novel approach for automatically detecting potential server-side vulnerabilities of this kind in existing (legacy) web applications through blackbox analysis. We discuss the design and implementation of NoTamper, a tool that realizes this approach. NoTamper has been employed to discover several previously unknown vulnerabilities in a number of open-source web applications and live web sites.
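The abstract's example ("credit card expiration date must be valid") makes the failure mode concrete: the browser runs a validation predicate, and a server that does not re-run the same predicate accepts whatever a request built outside the browser carries. The following is an added illustration, not code from the NoTamper paper or tool: a validation predicate shared by client and server, a server handler in the vulnerable pattern beside a hardened one, and a simplified black-box check in the spirit of the abstract (an input the client rejects but the server accepts is flagged as a parameter-tampering opportunity). The field, the handler names, the candidate submissions and the fixed clock are all constructed for this example.

```javascript
'use strict';
// Added illustration (not the NoTamper paper's code). Everything below is
// constructed for this example: the form field, the handlers, the candidates.

// Validation predicate shipped to the browser for a constructed
// "card expiration" field. Inputs are the raw form strings; `now` is passed
// in so the check is reproducible.
function isValidExpiration(month, year, now) {
  if (typeof month !== 'string' || typeof year !== 'string') return false;
  if (!/^\d{1,2}$/.test(month) || !/^\d{4}$/.test(year)) return false;
  const m = Number(month);
  const y = Number(year);
  if (m < 1 || m > 12) return false;
  const curY = now.getUTCFullYear();
  const curM = now.getUTCMonth() + 1;
  return y > curY || (y === curY && m >= curM);
}

// Vulnerable pattern from the abstract: the server assumes the browser already
// ran isValidExpiration, so a request assembled without the browser is
// accepted unchanged.
function serverTrustingClient(params) {
  return { accepted: true, month: params.month, year: params.year };
}

// Hardened pattern: the server replicates the client predicate before acting.
function serverReplicatingValidation(params, now) {
  if (!isValidExpiration(params.month, params.year, now)) {
    return { accepted: false, reason: 'invalid expiration date' };
  }
  return { accepted: true, month: Number(params.month), year: Number(params.year) };
}

// Simplified black-box check (an illustration of the idea, not NoTamper's
// algorithm): submit candidates that violate the client's constraints and
// report those the server nevertheless accepts.
function findTamperingOpportunities(clientValid, serverHandler, candidates, now) {
  return candidates.filter(
    (p) => !clientValid(p.month, p.year, now) && serverHandler(p, now).accepted,
  );
}

// Constructed candidate submissions: one that satisfies the client predicate
// and four that violate it in different ways.
const CANDIDATES = [
  { month: '12', year: '2030' },  // valid
  { month: '00', year: '2030' },  // month below range
  { month: '13', year: '2030' },  // month above range
  { month: '01', year: '2020' },  // already expired relative to FIXED_NOW
  { month: '1e1', year: '2030' }, // not a plain integer
];

// Fixed clock so the outcome is reproducible: 15 January 2024 (UTC).
const FIXED_NOW = new Date(Date.UTC(2024, 0, 15));

// Returns how many candidates each server variant wrongly accepts.
function demo() {
  const trusting = findTamperingOpportunities(
    isValidExpiration, serverTrustingClient, CANDIDATES, FIXED_NOW);
  const hardened = findTamperingOpportunities(
    isValidExpiration, serverReplicatingValidation, CANDIDATES, FIXED_NOW);
  return { trusting: trusting.length, hardened: hardened.length };
}

console.log(demo()); // { trusting: 4, hardened: 0 }
```

The design point is that the server and the client call the same predicate on the same raw strings; the hardened handler only converts to numbers after the check passes, so the two sides cannot drift apart the way independently written checks do. The black-box check needs no access to server code, which is what makes it applicable to the legacy applications the abstract has in view.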
Index Terms
- NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications