NoTamper: Automatic blackbox detection of parameter tampering opportunities in web applications

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 607-618

  Bisht, Prithvi ^a   Hinrichs, Timothy ^b   Skrupsky, Nazari ^a   Bobrowicz, Radoslaw ^a   Venkatakrishnan, V N ^a  

^a UNIVERSITY OF ILLINOIS AT CHICAGO   (United States)

^b UNIVERSITY OF CHICAGO   (United States)

Author keywords

Blackbox testing; Constraint solving; Exploit construction; Parameter tampering; Symbolic evaluation

Indexed keywords

BLACK-BOX TESTING; CONSTRAINT SOLVING; EXPLOIT CONSTRUCTION; PARAMETER TAMPERING; SYMBOLIC EVALUATION;

WORLD WIDE WEB;

PARAMETER ESTIMATION;

EID: 78649986947     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866375     Document Type: Conference Paper

References (25)

1. NOTAMPER Supplementary Website. http://sisl.rites.uic.edu/notamper.
2. BALZAROTTI, D., COVA, M., FELMETSGER, V., JOVANOVIC, N., KIRDA, E., KRUEGEL, C., AND VIGNA, G. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In SP'08: Proceedings of the 29th IEEE Symposium on Security and Privacy (Oakland, California, USA, 2008).
3. BALZAROTTI, D., COVA, M., FELMETSGER, V. V., AND VIGNA, G. Multi-Module Vulnerability Analysis of Web-based Applications. In CCS'07: 14th ACM Conference on Computer and Communications Security (Alexandria, Virginia, USA, 2007).
4. BANDHAKAVI, S., BISHT, P., MADHUSUDAN, P., AND VENKATAKRISHNAN, V. CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations. In CCS'07: Proceedings of the 14th ACM Conference on Computer and Communications security (Alexandria, Virginia, USA, 2007).
5. BILLE, P. A survey on tree edit distance and related problems. Theoretical Computer Science 337, 1-3 (2005), 217-239.
6. BISHT, P., SISTLA, A. P., AND VENKATAKRISHNAN, V. Automatically Preparing Safe SQL Queries. In FC'10: Proceedings of the 14th International Conference on Financial Cryptography and Data Security (Tenerife, Canary Islands, Spain, 2010).
7. BRUMLEY, D., CABALLERO, J., LIANG, Z., NEWSOME, J., AND SONG, D. Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation. In SS'07: Proceedings of 16th USENIX Security Symposium (Berkeley, California, USA, 2007).
8. CHONG, S., LIU, J., MYERS, A. C., QI, X., VIKRAM, K., ZHENG, L., AND ZHENG, X. Secure Web Application via Automatic Partitioning. SIGOPS Oper. Syst. Rev. 41, 6 (2007), 31-44.
9. GODEFROID, P., KLARLUND, N., AND SEN, K. DART: Directed Automated Random Testing. SIGPLAN Not. 40, 6 (2005), 213-223.
10. GODEFROID, P., LEVIN, M. Y., AND MOLNAR, D. A. Automated Whitebox Fuzz Testing. In NDSS'08: Proceedings of the 16th Annual Network and Distributed System Security Symposium (San Diego, California, USA, 2008).
11. GRIER, C., TANG, S., AND KING, S. T. Secure Web Browsing With the OP Web Browser. In SP'08: Proceedings of the 29th IEEE Symposium on Security and Privacy (Oakland, California, USA, 2008).
12. HALFOND, W. G., VIEGAS, J., AND ORSO, A. A Classification of SQL-Injection Attacks and Countermeasures. In ISSE'06: Proceedings of the International Symposium on Secure Software Engineering (Washington, DC, USA, 2006).
13. KIEZUN, A., GANESH, V., GUO, P. J., HOOIMEIJER, P., AND ERNST, M. D. HAMPI: A Solver for String Constraints. In ISSTA '09: Proceedings of the 18th international symposium on Software testing and analysis (Chicago, Illinois, USA, 2009).
14. LIVSHITS, V. B., AND LAM, M. S. Finding Security Vulnerabilities in Java Applications with Static Analysis. In SS'05: Proceedings of the 14th USENIX Security Symposium (Baltimore, Maryland, USA, 2005).
15. NEWSOME, J., BRUMLEY, D., FRANKLIN, J., AND SONG, D. Replayer: Automatic Protocol Replay by Binary Analysis. In CCS'06: Proceedings of the 13th ACM conference on Computer and communications security (Alexandria, Virginia, USA, 2006).
16. RATCLIFF, J. W., AND METZENER, D. Pattern Matching: The Gestalt Approach. Dr. Dobbs Journal (July 1988), 46.
17. REIS, C., AND GRIBBLE, S. D. Isolating Web Programs in Modern Browser Architectures. In EuroSys'09: Proceedings of the 4th ACM European conference on Computer systems (Nuremberg, Germany, 2009).
18. SAXENA, P., AKHAWE, D., HANNA, S., MAO, F., MCCAMANT, S., AND SONG, D. A Symbolic Execution Framework for JavaScript. In SP'10: Proceedings of the 31st IEEE Symposium on Security and Privacy (Oakland, California, USA, 2010).
19. SAXENA, P., HANNA, S., POOSANKAM, P., AND SONG, D. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In NDSS'10: Proceedings of the 17th Annual Network and Distributed System Security Symposium (San Diego, California, USA, 2010).
20. SAXENA, P., SONG, D., AND NADJI, Y. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In NDSS'09: Proceedings of 16th Annual Network & Distributed System Security Symposium (San Diego, California, USA, 2009).
21. SU, Z., AND WASSERMANN, G. The Essence of Command Injection Attacks in Web Applications. In POPL'06: Proceedings of the 33rd symposium on Principles of programming languages (Charleston, South Carolina, USA, 2006).
22. TER LOUW, M., AND VENKATAKRISHNAN, V. BluePrint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In SP'09: Proceedings of the 30th IEEE Symposium on Security and Privacy (Oakland, California, USA, 2009).
23. VAN GUNDY, M., AND CHEN, H. Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-site Scripting Attacks. In NDSS'09: Proceedings of the 16th Annual Network & Distributed System Security Symposium (San Diego, California, USA, 2009).
24. VIKRAM, K., PRATEEK, A., AND LIVSHITS, B. Ripley: Automatically Securing Distributed Web Applications Through Replicated Execution. In CCS'09: Proceedings of the 16th Conference on Computer and Communications Security (Chicago, Illinois, USA, 2009).
25. WANG, H. J., GRIER, C., MOSHCHUK, A., KING, S. T., CHOUDHURY, P., AND VENTER, H. The Multi-Principal OS Construction of the Gazelle Web Browser. In SS'09: Proceedings of the 18th USENIX Security Symposium (Montreal, Canada, 2009).