@jwalsh

FAITH: Scanning of Rich Web Applications for Parameter Tampering Vulnerabilities

, , and . (2012). cite arxiv:1204.1216. Comment: 10 pages, 2 tables, 3 figures.

Abstract

Modern HTML forms are designed to generate form controls dynamically and to submit them over AJAX; this is a result of recent advances in JavaScript programming techniques. Existing scanners are constrained by interacting only with traditional forms, and vulnerabilities are often left undetected even after scrutiny. In this paper, we demonstrate how we have overcome a number of client-side challenges that make automated fuzzing of form submissions difficult and unfaithful. We have built FAITH, a pragmatic scanner for uncovering parameter tampering vulnerabilities in real-world rich web applications. It is the first scanner that enables fuzzing in most kinds of form submissions while faithfully preserving the required user actions, HTML5, AJAX, anti-CSRF tokens and dynamic form updates. The importance of this work is demonstrated by the severe vulnerabilities uncovered, including a way to bypass the most-trusted One-Time Password (OTP) in one of the largest multinational banks. These vulnerabilities cannot be detected by existing scanners.

Description

FAITH: Scanning of Rich Web Applications for Parameter Tampering Vulnerabilities

Links and Resources

Tags

Community

  • @jwalsh
  • @dblp