CCS
2011
ACM

WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction

Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we describe WAPTEC, a tool that is designed to automatically identify parameter tampering vulnerabilities and generate exploits by construction to demonstrate those vulnerabilities. WAPTEC involves a new approach to whitebox analysis of the server’s code. We tested WAPTEC on six open source applications and found previously unknown vulnerabilities in every single one of them.

Categories and Subject Descriptors: D.4.6 [Security and Protection]: Verification; K.4.4 [Electronic Commerce]: Security; K.6.5 [Security and Protection]: Unauthorized access

General Terms: Languages, Security, Verification

Keywords: Parameter Tampering, Exploit Construction, Program Analysis, Constraint Solving
Added 13 Dec 2011
Updated 13 Dec 2011
Type Journal
Year 2011
Where CCS
Authors Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, V. N. Venkatakrishnan