TamperProof: A server-agnostic defense for parameter tampering attacks on web applications

CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy

Volumn , Issue , 2013, Pages 129-140

  Skrupsky, Nazari ^a   Bisht, Prithvi ^a   Hinrichs, Timothy ^a   Venkatakrishnan, V N ^a   Zuck, Lenore ^a  

^a UNIVERSITY OF ILLINOIS AT CHICAGO   (United States)

Author keywords

Parameter tampering; Prevention

Indexed keywords

LEGACY APPLICATIONS; PARAMETER TAMPERING; PREVENTION; SANITIZATION; SERVER SIDES; TAMPERING ATTACKS; TAMPERPROOF; WEB APPLICATION;

WORLD WIDE WEB;

EID: 84874861173     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2435349.2435365     Document Type: Conference Paper

References (18)

1. Open Web Application Security Project (OWASP) AppSensor. https://www.owasp.org/index.php/Category:OWASP-AppSensor-Project.
2. TamperProof demo site. http://secwebapps.com, 2012.
3. Alkhalaf, M., Bultan, T., Choudhary, S. R., Fazzini, M., Orso, A., and Kruegel, C. ViewPoints: Differential String Analysis for Discovering Client and Server-Side Input Validation Inconsistencies. In ISSTA'12: Proceedings of the 2011 International Symposium on Software Testing and Analysis (Minneapolis, MN, USA, 2012).
4. Bethea, D., Cochran, R., and Reiter, M. Server-side Verification of Client Behavior in Online Games. In NDSS'10: Proceedings of the 17th Annual Network and Distributed System Security Symposium (San Diego, CA, USA, 2010).
5. Bisht, P., Hinrichs, T., Skrupsky, N., Bobrowicz, R., and Venkatakrishnan, V. NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. In CCS'10: Proceedings of the 17th ACM Conference on Computer and Communications Security (Chicago, IL, USA, 2010).
6. Bisht, P., Hinrichs, T., Skrupsky, N., and Venkatakrishnan, V. WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction. In CCS'11: Proceedings of the 18th ACM Conference on Computer and Communications Security (Chicago, IL, USA, 2011).
7. Chong, S., Liu, J., Myers, A. C., Qi, X., Vikram, K., Zheng, L., and Zheng, X. Secure Web Application via Automatic Partitioning. SIGOPS Oper. Syst. Rev. 41, 6 (2007), 31{44.
8. Cooper, E., Lindley, S., Wadler, P., and Yallop, J. Links: Web Programming Without Tiers. In FMCO'06: Proceedings of the International Symposium on Formal Methods for Components and Objects (Amsterdam, The Netherlands, 2006).
9. Corcoran, B. J., Swamy, N., and Hicks, M. Cross-tier, Label-based Security Enforcement for Web Applications. In SIGMOD'09: Proceedings of the ACM SIGMOD International Conference on Management of Data (Providence, RI, USA, 2009).
10. Giffin, J. T., Jha, S., and Miller, B. P. Detecting Manipulated Remote Call Streams. In Security'02: Proceedings of the 11th USENIX Security Symposium (Berkeley, CA, USA, 2002).
11. Guha, A., Krishnamurthi, S., and Jim, T. Using Static Analysis for Ajax Intrusion Detection. In WWW'09: Proceedings of the 18th International Conference on World Wide Web (Madrid, Spain, 2009).
12. Johns, M., and Winter, J. RequestRodeo: Client Side Protection against Session Riding. In OWASP'06: Proceedings of the OWASP Europe 2006 Conference (Leuven, Belgium, 2006).
13. Jovanovic, N., Kirda, E., and Kruegel, C. Preventing Cross-site Request Forgery Attacks. In SecureComm'06: Proceedings of the Second IEEE Conference on Security and Privacy in Communications Networks (Baltimore, MD, USA, 2006).
14. Mouelhi, T., Traon, Y. L., Abgrall, E., Baudry, B., and Gombault, S. Tailored shielding and bypass testing of web applications. In ICST (2011), IEEE Computer Society, pp. 210{219.
15. Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., and Song, D. A Symbolic Execution Framework for JavaScript. In SP'10: Proceedings of the 31st IEEE Symposium on Security and Privacy (Oakland, CA, USA, 2010).
16. Simpleform website. http://blog.plataformatec.com.br/2010/06/simpleform- forms-made-easy/, 2011.
17. Vikram, K., Prateek, A., and Livshits, B. Ripley: Automatically Securing Distributed Web Applications Through Replicated Execution. In CCS'09: Proceedings of the 16th Conference on Computer and Communications Security (Chicago, IL, USA, 2009).
18. Wang, R., Chen, S., Wang, X., and Qadeer, S. How to Shop for Free Online { Security Analysis of Cashier-as-a-Service Based Web Stores. In Oakland'11: Proceedings of the 2011 IEEE Symposium on Security and Privacy (Oakland, CA, USA, 2011).