FAITH: Scanning of Rich Web Applications for Parameter Tampering Vulnerabilities

Computer Science – Cryptography and Security

Scientific paper


Details

10 pages, 2 tables, 3 figures


Modern HTML forms generate form controls dynamically and submit over AJAX, a consequence of recent advances in JavaScript programming techniques. Existing scanners are constrained to interacting with traditional forms only, so vulnerabilities are often left undetected even after scrutiny. In this paper, we overcome a number of client-side challenges that used to make automated fuzzing of form submissions difficult and unfaithful. We build FAITH, a pragmatic scanner for uncovering parameter tampering vulnerabilities in real-world rich web applications. It is the first scanner that enables fuzzing of most kinds of form submissions while faithfully preserving the required user actions, HTML5, AJAX, anti-CSRF tokens and dynamic form updates. The importance of this work is demonstrated by the severe vulnerabilities uncovered, including a way to bypass the most-trusted One-Time Password (OTP) in one of the largest multinational banks. These vulnerabilities cannot be detected by existing scanners.
