TamperProof: a server-agnostic defense for parameter tampering attacks on web applications

Authors:
Nazari Skrupsky;Prithvi Bisht;Timothy Hinrichs;V. N. Venkatakrishnan;Lenore Zuck
Affiliations:
University of Illinois at Chicago, Chicago, USA;University of Illinois at Chicago, Chicago, USA;University of Illinois at Chicago, Chicago, USA;University of Illinois at Chicago, Chicago, USA;University of Illinois at Chicago, Chicago, USA
Venue:
Proceedings of the third ACM conference on Data and application security and privacy
Year:
2013

Citing 12
Cited 0

Detecting Manipulated Remote Call Streams

Proceedings of the 11th USENIX Security Symposium
Secure web applications via automatic partitioning

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Using static analysis for Ajax intrusion detection

Proceedings of the 18th international conference on World wide web
Cross-tier, label-based security enforcement for web applications

Proceedings of the 2009 ACM SIGMOD International Conference on Management of data
Ripley: automatically securing web 2.0 applications through replicated execution

Proceedings of the 16th ACM conference on Computer and communications security
Links: web programming without tiers

FMCO'06 Proceedings of the 5th international conference on Formal methods for components and objects
A Symbolic Execution Framework for JavaScript

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications

Proceedings of the 17th ACM conference on Computer and communications security
Tailored Shielding and Bypass Testing of Web Applications

ICST '11 Proceedings of the 2011 Fourth IEEE International Conference on Software Testing, Verification and Validation
How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction

Proceedings of the 18th ACM conference on Computer and communications security
ViewPoints: differential string analysis for discovering client- and server-side input validation inconsistencies

Proceedings of the 2012 International Symposium on Software Testing and Analysis

Quantified Score

Hi-index	0.00

Visualization

Abstract

Parameter tampering attacks are dangerous to a web application whose server performs weaker data sanitization than its client. This paper presents TamperProof, a methodology and tool that offers a novel and efficient mechanism to protect Web applications from parameter tampering attacks. TamperProof is an online defense deployed in a trusted environment between the client and server and requires no access to, or knowledge of, the server side codebase, making it effective for both new and legacy applications. The paper reports on experiments that demonstrate TamperProof's power in efficiently preventing all known parameter tampering vulnerabilities on ten different applications.