Automated detection of parameter tampering opportunities and vulnerabilities in web applications

Authors:
Prithvi Bisht;Timothy Hinrichs;Nazari Skrupsky;V. N. Venkatakrishnan
Affiliations:
Department of Computer Science, University of Illinois at Chicago, Chicago, IL, USA;Department of Computer Science, University of Illinois at Chicago, Chicago, IL, USA;Department of Computer Science, University of Illinois at Chicago, Chicago, IL, USA;Department of Computer Science, University of Illinois at Chicago, Chicago, IL, USA
Venue:
Journal of Computer Security
Year:
2014

Citing 37
Cited 0

Symbolic execution and program testing

Communications of the ACM
Bugs as deviant behavior: a general approach to inferring errors in systems code

SOSP '01 Proceedings of the eighteenth ACM symposium on Operating systems principles
Detecting Manipulated Remote Call Streams

Proceedings of the 11th USENIX Security Symposium
DART: directed automated random testing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CUTE: a concolic unit testing engine for C

Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
A survey on tree edit distance and related problems

Theoretical Computer Science
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks

SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
An anomaly-driven reverse proxy for web applications

Proceedings of the 2006 ACM symposium on Applied computing
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks

Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Dos and don'ts of client authentication on the web

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Privtrans: automatically partitioning programs for privilege separation

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Dynamic test input generation for database applications

Proceedings of the 2007 international symposium on Software testing and analysis
Secure web applications via automatic partitioning

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
CANDID: preventing sql injection attacks using dynamic candidate evaluations

Proceedings of the 14th ACM conference on Computer and communications security
Multi-module vulnerability analysis of web-based applications

Proceedings of the 14th ACM conference on Computer and communications security
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
AutoISES: automatically inferring security specifications and detecting violations

SS'08 Proceedings of the 17th conference on Security symposium
Using static analysis for Ajax intrusion detection

Proceedings of the 18th international conference on World wide web
Automatic creation of SQL Injection and cross-site scripting attacks

ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Cross-tier, label-based security enforcement for web applications

Proceedings of the 2009 ACM SIGMOD International Conference on Management of data
Precise interface identification to improve testing and analysis of web applications

Proceedings of the eighteenth international symposium on Software testing and analysis
Ripley: automatically securing web 2.0 applications through replicated execution

Proceedings of the 16th ACM conference on Computer and communications security
Links: web programming without tiers

FMCO'06 Proceedings of the 5th international conference on Formal methods for components and objects
A Symbolic Execution Framework for JavaScript

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications

Proceedings of the 17th ACM conference on Computer and communications security
Toward automated detection of logic vulnerabilities in web applications

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
A security policy oracle: detecting security holes using multiple API implementations

Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Fast and precise sanitizer analysis with BEK

SEC'11 Proceedings of the 20th USENIX conference on Security
WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction

Proceedings of the 18th ACM conference on Computer and communications security
Defending against injection attacks through context-sensitive string evaluation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Automatically preparing safe SQL queries

FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client in web forms. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we provide a formal description of parameter tampering vulnerabilities and a high level approach for their detection. We specialize this high level approach to develop complementary detection solutions in two interesting settings: blackbox only analyze client-side code in web forms and whitebox also analyze server-side code that processes submitted web forms. This paper presents interesting challenges encountered in realizing the high level approach for each setting and novel technical contributions that address these challenges. We also contrast utility, difficulties and effectiveness issues in both settings and provide a quantitative comparison of results. Our experiments with real world and open source applications demonstrate that parameter tampering vulnerabilities are prolific total 47 in 9 applications, and their exploitation can have serious consequences including unauthorized transactions, account hijacking and financial losses. We conclude this paper with a discussion on countermeasures for parameter tampering attacks and present a detailed survey of existing defenses and their suitability.