Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2011

Volumn , Issue , 2011, Pages

  Balduzzi, Marco ^a   Gimenez, Carmen Torrano ^b   Balzarotti, Davide ^a   Kirda, Engin ^a,c  

^a EURECOM   (France)

^b CSIC   (Spain)

^c NORTHEASTERN UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

NETWORK SECURITY; WEBSITES;

ANALYSIS SYSTEM; AUTOMATED DISCOVERY; DYNAMIC APPLICATIONS; HETEROGENEOUS TECHNOLOGY; INTERACTIVE SERVICES; PARAMETER POLLUTIONS; SIMPLE++; STATIC PAGES; WEB APPLICATION; WEB APPLICATIONS;

HTTP;

EID: 84948145339     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (34)

1. C. A. A-2000-02. Malicious HTML Tags Embedded in Client Web Requests, 2000. http://www.cert.org/advisories/CA-2000-02.html.
2. Acunetix. Acunetix Web Vulnerability Scanner. http://www.acunetix.com/, 2008.
3. I. Alexa Internet. Alexa - Top Sites by Category: Top. http://www.alexa.com/topsites/category.
4. D. Balzarotti, M. Cova, V. Felmetsger, D. Balzarotti, N. Jovanovic, C. Kruegel, E. Kirda, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In IEEE Symposium on Security and Privacy, 2008.
5. D. Bates, A. Barth, and C. Jackson. Regular Expressions Considered Harmful in Client-Side XSS Filters. In 19th International World Wide Web Conference. (WWW 2010), 2010.
6. J. Bau, E. Burzstein, D. Gupta, and J. C. Mitchell. State of the Art: Automated Black-Box Web Application Vulnerability Testing. In Proceedings of IEEE Security and Privacy, May 2010.
7. T. Berners-Lee, R. Fielding, and L. Masinter. Rfc 3986, uniform resource identifier (uri): Generic syntax, 2005. http://rfc.net/rfc3986.html.
8. Burp Spider. Web Application Security. http://portswigger.net/spider/, 2008.
9. Cenzic. Cenzic Hailstormr. http://www.cenzic.com/, 2010.
10. S. di Paola and L. Carettoni. Client side Http Parameter Pollution - Yahoo! Classic Mail Video Poc, May 2009. http://blog.mindedsecurity.com/2009/05/ client-side-http-parameter-pollution. html.
11. A. Doupé, M. Cova, and G. Vigna. Why Johnny Cant Pen-test: An Analysis of Black-Box Web Vulnerability Scanners. Detection of Intrusions and Malware, and Vulnerability Assessment, pages 111–131, 2010.
12. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Rfc 2616, hypertext transfer protocol – http/1.1, 1999. http://www.rfc.net/rfc2616.html.
13. B. D. A. G. and M. Stampar. sqlmap. http://sqlmap.sourceforge.net.
14. C. Ghezzi, M. Jazayeri, and D. Mandrioli. Fundamentals of Software Engineering. Prentice-Hall International, 1994.
15. W. G. J. Halfond and A. Orso. Preventing SQL injection attacks using AMNESIA. In ICSE’06: Proceedings of the 28th international conference on Software engineering, 2006.
16. N. Hardy. The Confused Deputy: (or why capabilities might have been invented). ACM SIGOPS Operating Systems Review, 22(4), October 1988.
17. Y. Huang, S. Huang, and T. Lin. Web Application Security Assessment by Fault Injection and Behavior Monitoring. 12th World Wide Web Conference, 2003.
18. Insecure.org. NMap Network Scanner. http://www.insecure.org/nmap/, 2010.
19. S. Institute. Top Cyber Security Risks, September 2009. http://www.sans.org/top-cyber-security-risks/summary.php.
20. A. B. C. Jackson and J. C. Mitchell. Robust Defenses for Cross-Site Request Forgery. In 15th ACM Conference on Computer and Communications Security, 2007.
21. M. Jakobsson, P. Finn, and N. Johnson. Why and How to Perform Fraud Experiments. Security & Privacy, IEEE, 6(2):66–68, March-April 2008.
22. M. Jakobsson and J. Ratkiewicz. Designing ethical phishing experiments: a study of (ROT13) rOnl query features. In 15th International Conference on World Wide Web (WWW), 2006.
23. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In IEEE Symposium on Security and Privacy, 2006.
24. S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic. SecuBat: A Web Vulnerability Scanner. In World Wide Web Conference, 2006.
25. N. J. E. Kirda and C. Kruegel. Preventing Cross Site Request Forgery Attacks. In IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), Baltimore, MD, 2006.
26. Nikto. Web Server Scanner. http://www.cirt.net/code/nikto.shtml, 2010.
27. OWASP AppSec Europe 2009. HTTP Parameter Pollution, May 2009. http://www.owasp.org/images/b/ba/AppsecEU09 CarettoniDiPaola v0.8.pdf.
28. J. Ratcliff and D. Metzener. Pattern matching: The gestalt approach. Dr. Dobbs Journal, 7:46, 1988.
29. D. Reading. CSRF Flaws Found on Major Websites: Princeton University researchers reveal four sites with cross-site request forgery flaws and unveil tools to protect against these attacks, 2008. http://www.darkreading. com/security/app-security/showArticle. jhtml?articleID=211201247.
30. D. Scott and R. Sharp. Abstracting Application-level Web Security. 11th World Wide Web Conference, 2002.
31. Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. In Symposium on Principles of Programming Languages, 2006.
32. Tenable Network Security. Nessus Open Source Vulnerability Scanner Project. http://www.nessus.org/, 2010.
33. Web Application Attack and Audit Framework. http://w3af.sourceforge.net/.
34. Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In 15th USENIX Security Symposium, 2006.