Notamper: Automatic Blackbox Detection Of Parameter Tampering Opportunities In Web Applications
CCS(2010)
Abstract
Web applications rely heavily on client-side computation to examine and validate form inputs that are supplied by a user (e.g., "credit card expiration date must be valid"). This is typically done for two reasons: to reduce burden on the server and to avoid latencies in communicating with the server. However, when a server fails to replicate the validation performed on the client, it is potentially vulnerable to attack. In this paper, we present a novel approach for automatically detecting potential server-side vulnerabilities of this kind in existing (legacy) web applications through blackbox analysis. We discuss the design and implementation of NOTAMPER, a tool that realizes this approach. NOTAMPER has been employed to discover several previously unknown vulnerabilities in a number of open-source web applications and live web sites.
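The failure mode the abstract describes, as an added example that is not code from the paper or from NOTAMPER itself: a set of client-side form rules, a server handler that trusts them, a hardened handler that re-checks them, and a blackbox probe that submits inputs violating each client rule and reports which ones the server accepted. The shop fields, prices and the hand-built hostile values are constructed for illustration; NOTAMPER derives such values by solving the negated client constraints, which this snippet does not do.

```javascript
// Added example, not from the paper. Field names, price and hostile values are constructed.

// Client-side validation as the browser would run it before submitting the form.
// Each entry is one constraint the client JavaScript enforces on a field.
const clientRules = {
  quantity:   (v) => Number.isInteger(v) && v >= 1 && v <= 10,
  couponCode: (v) => typeof v === 'string' && /^[A-Z0-9]{0,8}$/.test(v),
  expiryYear: (v) => Number.isInteger(v) && v >= 2024 && v <= 2099, // constructed range
};

function clientValidate(form) {
  return Object.entries(clientRules).every(([field, ok]) => ok(form[field]));
}

// Hostile inputs: for each client rule, one value that violates it.
// (Hand-constructed here; the paper obtains them by constraint solving.)
function hostileInputs(benign) {
  return [
    { ...benign, quantity: -5 },              // negative quantity -> negative total
    { ...benign, quantity: 3.7 },             // non-integer quantity
    { ...benign, couponCode: "'; DROP TABLE--" }, // characters the client rejects
    { ...benign, expiryYear: 1999 },          // expired card
  ];
}

// Vulnerable server: assumes the browser already validated, never re-checks.
function serverCheckoutVulnerable(form) {
  const unitPrice = 20; // constructed
  return { status: 200, total: form.quantity * unitPrice };
}

// Hardened server: replicates the client rules before acting on the input.
function serverCheckoutHardened(form) {
  if (!clientValidate(form)) return { status: 400, total: null };
  return serverCheckoutVulnerable(form);
}

// Blackbox probe: the benign input must pass both client and server; each hostile
// input the server still accepts (status 200) is a parameter tampering opportunity.
function probe(serverHandler, benign) {
  if (!clientValidate(benign)) throw new Error('benign input must pass client validation');
  if (serverHandler(benign).status !== 200) throw new Error('server rejected benign input');
  return hostileInputs(benign).filter((h) => serverHandler(h).status === 200);
}

const benignOrder = { quantity: 2, couponCode: 'SAVE10', expiryYear: 2030 }; // constructed

// Usage: the vulnerable handler accepts every hostile input, the hardened one none.
console.log('vulnerable accepts', probe(serverCheckoutVulnerable, benignOrder).length, 'hostile inputs');
console.log('hardened accepts', probe(serverCheckoutHardened, benignOrder).length, 'hostile inputs');
```

The probe compares only HTTP-style status codes; a real blackbox test would also have to tell a server that silently discards a bad field from one that acts on it, which is why the paper ranks candidate exploits rather than treating every accepted hostile input as confirmed.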
Keywords
Parameter Tampering, Exploit Construction, Constraint Solving, Blackbox Testing, Symbolic Evaluation