NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications

机译：NoTamper：Web应用程序中参数篡改机会的自动黑匣子检测

获取原文

获取原文并翻译 | 示例

页面导航

摘要
著录项
相似文献
相关主题

摘要

Web applications rely heavily on client-side computation to examine and validate form inputs that are supplied by a user (e.g., "credit card expiration date must be valid")- This is typically done for two reasons: to reduce burden on the server and to avoid latencies in communicating with the server. However, when a server fails to replicate the validation performed on the client, it is potentially vulnerable to attack. In this paper, we present a novel approach for automatically detecting potential server-side vulnerabilities of this kind in existing (legacy) web applications through blackbox analysis. We discuss the design and implementation of NoTamper, a tool that realizes this approach. NoTamper has been employed to discover several previously unknown vulnerabilities in a number of open-source web applications and live web sites.

机译：Web应用程序严重依赖客户端计算来检查和验证用户提供的表单输入（例如，“信用卡有效期必须是有效的”）-通常这样做有两个原因：减轻服务器负担；以及以避免与服务器通信的延迟。但是，如果服务器无法复制在客户端上执行的验证，则可能容易受到攻击。在本文中，我们提出了一种新颖的方法，可以通过黑盒分析自动检测现有（旧版）Web应用程序中此类潜在的服务器端漏洞。我们将讨论实现这种方法的工具NoTamper的设计和实现。 NoTamper已被用来在许多开源Web应用程序和实时网站中发现几个以前未知的漏洞。

著录项

来源
《17th ACM conference on computer and communications security 2010》|2010年|p.607-618|共12页
会议地点 Chicago IL(US);Chicago IL(US)
作者
Prithyi Bisht; Timothy Hinrichs; Nazari Skrupsky; Nazari Skrupsky; Radoslaw Bobrowicz; V.N. Venkatakrishnan;
展开▼
作者单位

University of Illinois at Chicago Chicago, Illinois, USA;

University of Chicago Chicago, Illinois, USA;

University of Illinois at Chicago Chicago, Illinois, USA;

University of Chicago Chicago, Illinois, USA;

University of Illinois at Chicago Chicago, Illinois, USA;

University of Illinois at Chicago Chicago, Illinois, USA;

展开▼
会议组织
原文格式 PDF
正文语种 eng
中图分类安全保密;通信;
关键词
parameter tampering; exploit construction; constraint solving; blackbox testing; symbolic evaluation;

机译：参数篡改；开发建设；约束解黑盒测试；符号评价;

相似文献

外文文献
中文文献
专利

1. Automated detection of parameter tampering opportunities and vulnerabilities in web applications [J] . Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Journal of computer security . 2014,第3期

机译：自动检测Web应用程序中的参数篡改机会和漏洞
2. Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications [J] . Deepa G., Thilagam P. Santhi, Khan Furqan Ahmed, International Journal of Information Security . 2018,第1期

机译：XQuery注入的黑盒检测和Web应用程序中的漏洞漏洞
3. Automatic CFD analysis of planing hulls by means of a new web-based application: Usage, experimental data comparison and opportunities [J] . Ponzini Raffaele, Salvadore Francesco, Begovic Ermina, Ocean Engineering . 2020,第Auga15期

机译：通过新的基于Web的应用程序自动CFD分析刨床：使用，实验数据比较和机遇
4. A novel approach for message authentication to prevent parameter tampering attack in web applications [C] . Asish Kumar Dalai, Saroj Kumar Panigrahy, Sanjay Kumar Jena International Conference on Modelling Optimization and Computing . 2013

机译：一种新的消息认证方法，防止Web应用程序中的参数篡改攻击
5. Automatic speech code identification with application to tampering detection of speech recordings. [D] . Zhou, Jingting. 2011

机译：自动语音代码识别，可用于篡改语音记录。
6. An Automatic Stationary Water Color Parameters Observation System for Shallow Waters: Designment and Applications [O] . Wenkai Li, Liqiao Tian, Shanshan Guo, 2019

机译：浅水区静止水色参数自动观测系统：设计与应用
7. A Novel Approach for Message Authentication to Prevent Parameter Tampering Attack in Web Applications [O] . Dalai Asish Kumar, Panigrahy Saroj Kumar, Jena Sanjay Kumar 2012

机译：消息身份验证的新方法，可防止Web应用程序中的参数篡改攻击

NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications

摘要

著录项

相似文献

相关主题

期刊订阅