Sciweavers

CCS
2010
ACM

NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications

13 years 11 months ago
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications
Web applications rely heavily on client-side computation to examine and validate form inputs that are supplied by a user (e.g., “credit card expiration date must be valid”). This is typically done for two reasons: to reduce burden on the server and to avoid latencies in communicating with the server. However, when a server fails to replicate the validation performed on the client, it is potentially vulnerable to attack. In this paper, we present a novel approach for automatically detecting potential server-side vulnerabilities of this kind in existing (legacy) web applications through blackbox analysis. We discuss the design and implementation of NOTAMPER, a tool that realizes this approach. NOTAMPER has been employed to discover several previously unknown vulnerabilities in a number of open-source web applications and live web sites. Categories and Subject Descriptors D.4.6 [Security and Protection]: Verification; K.4.4 [Electronic Commerce]: Security; K.6.5 [Security and Protec...
Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky,
Added 13 Jan 2011
Updated 13 Jan 2011
Type Journal
Year 2010
Where CCS
Authors Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V. N. Venkatakrishnan
Comments (0)