Scanning of Rich Web Applications for Parameter Tampering Vulnerabilities
This work addresses security vulnerabilities in web applications, particularly for online banking and similar systems, by providing a more effective scanner, though it is incremental as it builds on fuzzing-based approaches.
The paper tackles the problem of detecting parameter tampering vulnerabilities in rich web applications by addressing the workflow and parameter dependency controls that existing scanners neglect. The resulting scanner identified severe vulnerabilities, including one from a major banking website, which other tools missed.
Web applications require exchanging parameters between a client and a server to function properly. In real-world systems such as online banking transfers, traversing multiple pages with parameters contributed by both the user and the server is a must, and hence the applications have to enforce workflow and parameter dependency controls across multiple requests. An application that applies insufficient server-side input validation is, however, vulnerable to parameter tampering attacks, which manipulate the exchanged parameters. Existing fuzzing-based scanning approaches neglect these important controls, which causes their fuzzing requests to be dropped before they can reach any vulnerable code. In this paper, we propose a novel approach to identify the workflow and parameter dependent constraints, which are then maintained and leveraged for automatic detection of server acceptances during fuzzing. We realized the approach by building a generic blackbox parameter tampering scanner. It successfully uncovered a number of severe vulnerabilities, including one from the largest multi-national banking website, which other scanners miss.
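The following sketch is an added example, not code from the paper or its scanner: a two-step transfer flow in which a confirm handler with insufficient server-side validation sits beside one that enforces the workflow and parameter dependency controls the abstract describes. The account IDs, the fee value, and all class and function names are constructed for illustration.

```python
import secrets

# Constructed sample data: accounts owned per user (hypothetical identifiers).
ACCOUNTS = {"alice": {"ACC-1001", "ACC-1002"}, "bob": {"ACC-2001"}}
FEE = "1.50"  # server-contributed parameter that the client echoes back


class Session:
    def __init__(self, user):
        self.user = user
        self.pending = None  # server-side record of what step 1 offered


def step1_start(session):
    """Step 1: the server offers source accounts and a fee, and records both."""
    offer = {"token": secrets.token_hex(8), "accounts": sorted(ACCOUNTS[session.user]), "fee": FEE}
    session.pending = {**offer, "accounts": set(offer["accounts"])}
    return offer


def step2_weak(session, form):
    """Insufficient validation: trusts every parameter the client sends back."""
    return {"accepted": True, "debited": form["from_account"], "fee": form["fee"]}


def step2_hardened(session, form):
    """Enforces the workflow control and the parameter dependency controls."""
    p = session.pending
    # Workflow control: step 2 is only valid after step 1 of this same session.
    if p is None or not secrets.compare_digest(p["token"], form.get("token", "")):
        return {"accepted": False, "reason": "workflow"}
    # Parameter dependency: values must match what the server issued in step 1.
    if form.get("from_account") not in p["accounts"]:
        return {"accepted": False, "reason": "from_account"}
    if form.get("fee") != p["fee"]:
        return {"accepted": False, "reason": "fee"}
    session.pending = None  # one-time use, so the confirm step cannot be replayed
    return {"accepted": True, "debited": form["from_account"], "fee": p["fee"]}
```

The workflow check is also why a request sent outside the expected sequence is dropped before any later validation runs, which is the behaviour the abstract says defeats scanners that ignore these controls.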