WAPTEC: Whitebox analysis of web applications for parameter tampering exploit construction

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2011, Pages 575-586

  Bisht, Prithvi ^a   Hinrichs, Timothy ^a   Skrupsky, Nazari ^a   Venkatakrishnan, V N ^a  

^a UNIVERSITY OF ILLINOIS AT CHICAGO   (United States)

Author keywords

Constraint solving; Exploit construction; Parameter tampering; Program analysis

Indexed keywords

CONSTRAINT SOLVING; EXPLOIT CONSTRUCTION; OPEN SOURCE APPLICATION; PARAMETER TAMPERING; PROGRAM ANALYSIS; WEB APPLICATION;

USER INTERFACES; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 80755187789     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2046707.2046774     Document Type: Conference Paper

References (25)

1. Google Web Toolkit. http://www.google.com/webtoolkit/.
2. Ruby on Rails. http://www.rubyonrails.org/.
3. BALDUZZI, M., GIMENEZ, C. T., BALZAROTTI, D., AND KIRDA, E. Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. In 18th Annual Network and Distributed System Security Symposium (San Diego, CA, USA, 2011).
4. BALZAROTTI, D., COVA, M., FELMETSGER, V., JOVANOVIC, N., KRUEGEL, C., KIRDA, E., AND VIGNA, G. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In SP'08: Proceedings of the 29th IEEE Symposium on Security and Privacy (Oakland, CA, USA, 2008).
5. BALZAROTTI, D., COVA, M., FELMETSGER, V. V., AND VIGNA, G. Multi-Module Vulnerability Analysis of Web-based Applications. In CCS'07: Proceedings of the 14th ACM Conference on Computer and Communications Security (Alexandria, Virginia, USA, 2007).
6. BETHEA, D., COCHRAN, R., AND REITER, M. Server-side Verification of Client Behavior in Online Games. In NDSS'10: Proceedings of the 17th Annual Network and Distributed System Security Symposium (San Diego, CA, USA, 2010).
7. BISHT, P., HINRICHS, T., SKRUPSKY, N., BOBROWICZ, R., AND VENKATAKRISHNAN, V. NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. In 17th ACM Conference on Computer and Communications Security (Chicago, Illinois, USA, 2010).
8. CHONG, S., LIU, J., MYERS, A. C., QI, X., VIKRAM, K., ZHENG, L., AND ZHENG, X. Secure Web Application via Automatic Partitioning. SIGOPS Oper. Syst. Rev. 41, 6 (2007), 31-44. (Pubitemid 351429368)
9. COOPER, E., LINDLEY, S., WADLER, P., AND YALLOP, J. Links: Web programming without tiers. In FMCO (2006).
10. CORCORAN, B. J., SWAMY, N., AND HICKS, M. Crosstier, label-based security enforcement for web applications. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD) (June 2009), pp. 269-282.
11. EMMI, M., MAJUMDAR, R., AND SEN, K. Dynamic Test Input Generation for Database Applications. In ISSTA'07: Proceedings of the 2007 International Symposium on Software Testing and Analysis (London, UK, 2007).
12. ENGLER, D., CHEN, D. Y., HALLEM, S., CHOU, A., AND CHELF, B. Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code. In 18th ACM Symposium on Operating Systems Principles (Banff, Alberta, Canada, 2001).
13. FELMETSGER, V., CAVEDON, L., KRUEGEL, C., AND VIGNA, G. Toward Automated Detection of Logic Vulnerabilities in Web Applications. In 19th USENIX Security Symposium (Washington, DC, USA, 2010).
14. GODEFROID, P., KLARLUND, N., AND SEN, K. DART: Directed Automated Random Testing. SIGPLAN Not. 40, 6 (2005), 213-223.
15. GODEFROID, P., LEVIN, M. Y., AND MOLNAR, D. A. Automated Whitebox Fuzz Testing. In NDSS'08: Proceedings of the 15th Annual Network and Distributed System Security Symposium (San Diego, CA, USA, 2008).
16. HALFOND, W., ANAND, S., AND ORSO, A. Precise Interface Identification to Improve Testing and Analysis of Web Applications. In ISSTA'09: Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis (Chicago, IL, USA, 2009).
17. HOOIMEIJER, P., LIVHSITS, B., MOLNAR, D., SAXENA, P., AND VEANES, M. Fast and Precise Sanitizer Analysis with BEK. In 20th USENIX Security Symposium (San Francisco, CA, USA, 2011).
18. JAYARAMAN, K., LEWANDOWSKI, G., TALAGA, P. G., AND CHAPIN, S. J. Enforcing Request Integrity in Web Applications. In DBSec'10: Proceedings of the 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (Rome, Italy, 2010).
19. KIEŻUN, A., J. GUO, P., JAYARAMAN, K., AND D. ERNST, M. Automatic Creation of SQL Injection and Cross-site Scripting Attacks. In ICSE'09: Proceedings of the 31st International Conference on Software Engineering (Washington, DC, USA, 2009).
20. KING, J. C. Symbolic execution and program testing. Commun. ACM 19, 7 (1976).
21. SAXENA, P., AKHAWE, D., HANNA, S., MAO, F., MCCAMANT, S., AND SONG, D. A Symbolic Execution Framework for JavaScript. In 31st IEEE Symposium on Security and Privacy (Oakland, CA, USA, 2010).
22. SEN, K., MARINOV, D., AND AGHA, G. CUTE: A Concolic Unit Testing Engine for C. In 10th European Software Engineering Conference.
23. SRIVASTAVA, V., BOND, M. D., MCKINLEY, K. S., AND SHMATIKOV, V. A Security Policy Oracle: Detecting Security Holes using Multiple API Implementations. In ACM Conference on Programming Language Design and Implementation (San Jose, CA, USA, 2011).
24. SU, Z., AND WASSERMANN, G. The Essence of Command Injection Attacks in Web Applications. In 33rd symposium on Principles of programming languages (Charleston, SC, USA, 2006).
25. TAN, L., ZHANG, X., MA, X., XIONG, W., AND ZHOU, Y. AutoISES: Automatically Inferring Security Specifications and Detecting Violations. In 17th USENIX Security Symposium (San Jose, CA, USA, 2008).