Symbolic execution and program testing
Communications of the ACM
Bugs as deviant behavior: a general approach to inferring errors in systems code
SOSP '01 Proceedings of the eighteenth ACM symposium on Operating systems principles
Detecting Manipulated Remote Call Streams
Proceedings of the 11th USENIX Security Symposium
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CUTE: a concolic unit testing engine for C
Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
A survey on tree edit distance and related problems
Theoretical Computer Science
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks
SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
An anomaly-driven reverse proxy for web applications
Proceedings of the 2006 ACM symposium on Applied computing
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Dos and don'ts of client authentication on the web
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Privtrans: automatically partitioning programs for privilege separation
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Dynamic test input generation for database applications
Proceedings of the 2007 international symposium on Software testing and analysis
Secure web applications via automatic partitioning
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
CANDID: preventing sql injection attacks using dynamic candidate evaluations
Proceedings of the 14th ACM conference on Computer and communications security
Multi-module vulnerability analysis of web-based applications
Proceedings of the 14th ACM conference on Computer and communications security
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
AutoISES: automatically inferring security specifications and detecting violations
SS'08 Proceedings of the 17th conference on Security symposium
Using static analysis for Ajax intrusion detection
Proceedings of the 18th international conference on World wide web
Automatic creation of SQL Injection and cross-site scripting attacks
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Cross-tier, label-based security enforcement for web applications
Proceedings of the 2009 ACM SIGMOD International Conference on Management of data
Precise interface identification to improve testing and analysis of web applications
Proceedings of the eighteenth international symposium on Software testing and analysis
Ripley: automatically securing web 2.0 applications through replicated execution
Proceedings of the 16th ACM conference on Computer and communications security
Links: web programming without tiers
FMCO'06 Proceedings of the 5th international conference on Formal methods for components and objects
A Symbolic Execution Framework for JavaScript
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications
Proceedings of the 17th ACM conference on Computer and communications security
Toward automated detection of logic vulnerabilities in web applications
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
A security policy oracle: detecting security holes using multiple API implementations
Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Fast and precise sanitizer analysis with BEK
SEC'11 Proceedings of the 20th USENIX conference on Security
WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction
Proceedings of the 18th ACM conference on Computer and communications security
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Automatically preparing safe SQL queries
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Hi-index | 0.00 |
Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client in web forms. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we provide a formal description of parameter tampering vulnerabilities and a high level approach for their detection. We specialize this high level approach to develop complementary detection solutions in two interesting settings: blackbox only analyze client-side code in web forms and whitebox also analyze server-side code that processes submitted web forms. This paper presents interesting challenges encountered in realizing the high level approach for each setting and novel technical contributions that address these challenges. We also contrast utility, difficulties and effectiveness issues in both settings and provide a quantitative comparison of results. Our experiments with real world and open source applications demonstrate that parameter tampering vulnerabilities are prolific total 47 in 9 applications, and their exploitation can have serious consequences including unauthorized transactions, account hijacking and financial losses. We conclude this paper with a discussion on countermeasures for parameter tampering attacks and present a detailed survey of existing defenses and their suitability.