2014
DOI: 10.3233/jcs-140498
|View full text |Cite
|
Sign up to set email alerts
|

Automated detection of parameter tampering opportunities and vulnerabilities in web applications

Abstract: Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client in web forms. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we provide a formal description of parameter tampering vulnerabilities and a high level approach for their detection. We specialize this high level approach to develop complementary detection solutions in two interesting settings: … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
5

Citation Types

0
92
0

Year Published

2014
2014
2022
2022

Publication Types

Select...
3
2
2

Relationship

0
7

Authors

Journals

citations
Cited by 32 publications
(92 citation statements)
references
References 35 publications
0
92
0
Order By: Relevance
“…Third, to detect deviations of normal workflows, it is important to first establish a good guideline of correct workflows. Such a guideline can be specified by developers [19], inferred from client-side validations which should be replicated on the server side [4,17], or obtained from dynamic analyses [3,11,15,22]. An alternative way of thwarting logic attacks is secure-byconstruction.…”
Section: Related Workmentioning
confidence: 99%
See 2 more Smart Citations
“…Third, to detect deviations of normal workflows, it is important to first establish a good guideline of correct workflows. Such a guideline can be specified by developers [19], inferred from client-side validations which should be replicated on the server side [4,17], or obtained from dynamic analyses [3,11,15,22]. An alternative way of thwarting logic attacks is secure-byconstruction.…”
Section: Related Workmentioning
confidence: 99%
“…It is a common attack vector for various vulnerabilities which include logic vulnerabilities. WAPTEC [5] takes a white-box approach that combines symbolic execution and dynamic analysis to detect parameter tampering vulnerabilities in PHP applications, while NoTamper [4] and PAPAS [2] adopt black-box based approaches. NoTamper [4] detects insufficient server-side validations where a server fails to replicate the validations on the client side.…”
Section: Related Workmentioning
confidence: 99%
See 1 more Smart Citation
“…For example, Doupé et al [8] and NoTamper [9] can address EAR vulnerability and parameter tampering respectively. In comparison, our approaches can cover not only these two attacks, but also forceful browsing attack.…”
Section: Related Workmentioning
confidence: 99%
“…Prithvi et al [27] proposes a black-box technique for exposing vulnerabilities in the server-side logic of web applications by identifying various parameter tampering opportunities and by generating test cases corresponding to the identified opportunity. However, this technique required manual effort to convert these exploit opportunities to actual ones.…”
Section: Related Workmentioning
confidence: 99%