Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Article type: Research Article
Authors: Bisht, Prithvi | Hinrichs, Timothy | Skrupsky, Nazari | Venkatakrishnan, V.N.; *
Affiliations: Department of Computer Science, University of Illinois at Chicago, Chicago, IL, USA
Correspondence: [*] Corresponding author: V.N. Venkatakrishnan, Department of Computer Science, 851 S. Morgan (M/C 152), Room 1120 SEO, Chicago, IL 60607-7053, USA. Tel.: +1 312 996 4860; Fax: +1 312 413 0024; E-mail: venkat@uic.edu.
Abstract: Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client in web forms. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we provide a formal description of parameter tampering vulnerabilities and a high level approach for their detection. We specialize this high level approach to develop complementary detection solutions in two interesting settings: blackbox (only analyze client-side code in web forms) and whitebox (also analyze server-side code that processes submitted web forms). This paper presents interesting challenges encountered in realizing the high level approach for each setting and novel technical contributions that address these challenges. We also contrast utility, difficulties and effectiveness issues in both settings and provide a quantitative comparison of results. Our experiments with real world and open source applications demonstrate that parameter tampering vulnerabilities are prolific (total 47 in 9 applications), and their exploitation can have serious consequences including unauthorized transactions, account hijacking and financial losses. We conclude this paper with a discussion on countermeasures for parameter tampering attacks and present a detailed survey of existing defenses and their suitability.
Keywords: Parameter tampering attacks, symbolic evaluation, dynamic monitoring
DOI: 10.3233/JCS-140498
Journal: Journal of Computer Security, vol. 22, no. 3, pp. 415-465, 2014
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
sales@iospress.com
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
info@iospress.nl
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office info@iospress.nl
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
china@iospress.cn
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
如果您在出版方面需要帮助或有任何建, 件至: editorial@iospress.nl