Sciweavers

CCS
2015
ACM

Detecting and Exploiting Second Order Denial-of-Service Vulnerabilities in Web Applications

8 years 6 months ago
Detecting and Exploiting Second Order Denial-of-Service Vulnerabilities in Web Applications
This paper describes a new class of denial-of-service (DoS) attack, which we refer to as Second Order DoS attacks. These attacks consist of two phases, one that pollutes a database with junk entries and another that performs a costly operation on these entries to cause resource exhaustion. The main contribution of this paper is a static analysis for detecting second-order DoS vulnerabilities in web applications. We have implemented our analysis in a tool called Torpedo, and we show that Torpedo can successfully detect second-order DoS vulnerabilities in widely used web applications written in PHP. Once our tool discovers a vulnerability, it also performs symbolic execution to generate candidate attack vectors. We evaluate Torpedo on six widely-used web applications and show that it uncovers 37 security vulnerabilities, while reporting 18 false positives. Categories and Subject Descriptors F.3.2 [Semantics of Programming Languages]: Program analysis. Keywords Static analysis; Program A...
Oswaldo Olivo, Isil Dillig, Calvin Lin
Added 17 Apr 2016
Updated 17 Apr 2016
Type Journal
Year 2015
Where CCS
Authors Oswaldo Olivo, Isil Dillig, Calvin Lin
Comments (0)