Automated detection of parameter tampering opportunities and vulnerabilities in web applications

Bisht, Prithvi; Hinrichs, Timothy L.; Skrupsky, Nazari; Venkatakrishnan, V.

doi:10.3233/jcs-140498

Cited by 32 publications

(92 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Third, to detect deviations of normal workflows, it is important to first establish a good guideline of correct workflows. Such a guideline can be specified by developers [19], inferred from client-side validations which should be replicated on the server side [4,17], or obtained from dynamic analyses [3,11,15,22]. An alternative way of thwarting logic attacks is secure-byconstruction.…”

Section: Related Workmentioning

confidence: 99%

“…It is a common attack vector for various vulnerabilities which include logic vulnerabilities. WAPTEC [5] takes a white-box approach that combines symbolic execution and dynamic analysis to detect parameter tampering vulnerabilities in PHP applications, while NoTamper [4] and PAPAS [2] adopt black-box based approaches. NoTamper [4] detects insufficient server-side validations where a server fails to replicate the validations on the client side.…”

Section: Related Workmentioning

confidence: 99%

“…WAPTEC [5] takes a white-box approach that combines symbolic execution and dynamic analysis to detect parameter tampering vulnerabilities in PHP applications, while NoTamper [4] and PAPAS [2] adopt black-box based approaches. NoTamper [4] detects insufficient server-side validations where a server fails to replicate the validations on the client side. PAPAS [2] aims at automated discovery of parameter pollution based on a black-box scanning technique for vulnerable parameters.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Detecting Logic Vulnerabilities in E-commerce Applications

Sun

2014

Proceedings 2014 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-E-commerce has become a thriving business model. With easy access to various tools and third-party cashiers, it is straightforward to create and launch e-commerce web applications. However, it remains difficult to create secure ones. While third-party cashiers help bridge the gap of trustiness between merchants and customers, the involvement of cashiers as a new party complicates logic flows of checkout processes. Even a small loophole in a checkout process may lead to financial loss of merchants, thus logic vulnerabilities pose serious threats to the security of e-commerce applications. Performing manual code reviews is challenging because of the diversity of logic flows and the sophistication of checkout processes. Consequently, it is important to develop automated detection techniques. This paper proposes the first static detection of logic vulnerabilities in e-commerce web applications. The main difficulty of automated detection is the lack of a general and precise notion of correct payment logic. Our key insight is that secure checkout processes share a common invariant: A checkout process is secure when it guarantees the integrity and authenticity of critical payment status (order ID, order total, merchant ID and currency). Our approach combines symbolic execution and taint analysis to detect violations of the invariant by tracking tainted payment status and analyzing critical logic flows among merchants, cashiers and users. We have implemented a symbolic execution framework for PHP. In our evaluation of 22 unique payment modules, our tool detected 12 logic vulnerabilities, 11 of which are new. We have also performed successful proof-ofconcept experiments on live websites to confirm our findings.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Detecting Logic Vulnerabilities in E-commerce Applications

Sun

2014

Proceedings 2014 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…For example, Doupé et al [8] and NoTamper [9] can address EAR vulnerability and parameter tampering respectively. In comparison, our approaches can cover not only these two attacks, but also forceful browsing attack.…”

Section: Related Workmentioning

confidence: 99%

Lom: Discovering logic flaws within MongoDB-based web applications

Wen

Yuan

et al. 2016

Int. J. Autom. Comput.

View full text Add to dashboard Cite

“…Prithvi et al [27] proposes a black-box technique for exposing vulnerabilities in the server-side logic of web applications by identifying various parameter tampering opportunities and by generating test cases corresponding to the identified opportunity. However, this technique required manual effort to convert these exploit opportunities to actual ones.…”

Section: Related Workmentioning

confidence: 99%

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

Sudhodanan¹,

Armando²,

Carbone³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-The advent of Software-as-a-Service (SaaS) has led to the development of multi-party web applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and protocols such as Cashier-as-aService (CaaS), Single Sign-On (SSO) to deliver business services to users. Motivated by the large number of attacks discovered against MPWAs and by the lack of a single general-purpose application-agnostic technique to support their discovery, we propose an automatic technique based on attack patterns for black-box, security testing of MPWAs. Our approach stems from the observation that attacks against popular MPWAs share a number of similarities, even if the underlying protocols and services are different. In this paper, we target six different replay attacks, a login CSRF attack and a persistent XSS attack. Firstly, we propose a methodology in which security experts can create attack patterns from known attacks. Secondly, we present a security testing framework that leverages attack patterns to automatically generate test cases for testing the security of MPWAs. We implemented our ideas on top of OWASP ZAP (a popular, open-source penetration testing tool), created seven attack patterns that correspond to thirteen prominent attacks from the literature and discovered twenty one previously unknown vulnerabilities in prominent MPWAs (e.g., twitter.com, developer.linkedin.com, pinterest.com), including MPWAs that do not belong to SSO and CaaS families.

show abstract

Automated detection of parameter tampering opportunities and vulnerabilities in web applications

Cited by 32 publications

References 35 publications

Detecting Logic Vulnerabilities in E-commerce Applications

Detecting Logic Vulnerabilities in E-commerce Applications

Lom: Discovering logic flaws within MongoDB-based web applications

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

Contact Info

Product

Resources

About