FAITH: Scanning of Rich Web Applications for Parameter Tampering Vulnerabilities
A. Fung, K. Cheung, and T. Wong. (2012) cite arxiv:1204.1216 Comment: 10 pages, 2 tables, 3 figures.
Abstract
Modern HTML forms are designed to generate form controls dynamically and to
submit them over AJAX; this is as a result of recent advances in Javascript
programming techniques. Existing scanners are constrained by interacting only
with traditional forms, and vulnerabilities are often left undetected even
after scrutiny. In this paper, we demonstrate how we have overcome a number of
client-side challenges that make automated fuzzing of form submissions
difficult and unfaithful. We have built FAITH, a pragmatic scanner for
uncovering parameter tampering vulnerabilities in real-world rich web
applications. It is the first scanner that enables fuzzing in most kinds of
form submissions while faithfully preserving the required user actions, HTML 5,
AJAX, anti-CSRF tokens and dynamic form updates. The importance of this work is
demonstrated by the severe vulnerabilities uncovered, including a way to bypass
the most-trusted One-Time Password (OTP) in one of the largest multinational
banks. These vulnerabilities cannot be detected by existing scanners.
Description
FAITH: Scanning of Rich Web Applications for Parameter Tampering Vulnerabilities
%0 Generic
%1 fung2012faith
%A Fung, Adonis P. H.
%A Cheung, K. W.
%A Wong, T. Y.
%D 2012
%K security semantic
%T FAITH: Scanning of Rich Web Applications for Parameter Tampering Vulnerabilities
%U http://arxiv.org/abs/1204.1216
%X Modern HTML forms are designed to generate form controls dynamically and to
submit them over AJAX; this is as a result of recent advances in Javascript
programming techniques. Existing scanners are constrained by interacting only
with traditional forms, and vulnerabilities are often left undetected even
after scrutiny. In this paper, we demonstrate how we have overcome a number of
client-side challenges that make automated fuzzing of form submissions
difficult and unfaithful. We have built FAITH, a pragmatic scanner for
uncovering parameter tampering vulnerabilities in real-world rich web
applications. It is the first scanner that enables fuzzing in most kinds of
form submissions while faithfully preserving the required user actions, HTML 5,
AJAX, anti-CSRF tokens and dynamic form updates. The importance of this work is
demonstrated by the severe vulnerabilities uncovered, including a way to bypass
the most-trusted One-Time Password (OTP) in one of the largest multinational
banks. These vulnerabilities cannot be detected by existing scanners.
@misc{fung2012faith,
abstract = {Modern HTML forms are designed to generate form controls dynamically and to
submit them over AJAX; this is as a result of recent advances in Javascript
programming techniques. Existing scanners are constrained by interacting only
with traditional forms, and vulnerabilities are often left undetected even
after scrutiny. In this paper, we demonstrate how we have overcome a number of
client-side challenges that make automated fuzzing of form submissions
difficult and unfaithful. We have built FAITH, a pragmatic scanner for
uncovering parameter tampering vulnerabilities in real-world rich web
applications. It is the first scanner that enables fuzzing in most kinds of
form submissions while faithfully preserving the required user actions, HTML 5,
AJAX, anti-CSRF tokens and dynamic form updates. The importance of this work is
demonstrated by the severe vulnerabilities uncovered, including a way to bypass
the most-trusted One-Time Password (OTP) in one of the largest multinational
banks. These vulnerabilities cannot be detected by existing scanners.},
added-at = {2012-07-24T22:30:12.000+0200},
author = {Fung, Adonis P. H. and Cheung, K. W. and Wong, T. Y.},
biburl = {https://www.bibsonomy.org/bibtex/287a1986bc1d6aaeb9434b718fc485038/jwalsh},
description = {FAITH: Scanning of Rich Web Applications for Parameter Tampering
Vulnerabilities},
interhash = {69e2a2946c59d6d463fc1a0ecb1bf63f},
intrahash = {87a1986bc1d6aaeb9434b718fc485038},
keywords = {security semantic},
note = {cite arxiv:1204.1216 Comment: 10 pages, 2 tables, 3 figures},
timestamp = {2012-07-24T22:30:12.000+0200},
title = {FAITH: Scanning of Rich Web Applications for Parameter Tampering
Vulnerabilities},
url = {http://arxiv.org/abs/1204.1216},
year = 2012
}