WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction.

Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we describe WAPTEC, a tool that is designed to automatically identify parameter tampering vulnerabilities and generate exploits by construction to demonstrate those vulnerabilities. WAPTEC involves a new approach to whitebox analysis of the server's code. We tested WAPTEC on six open source applications and found previously unknown vulnerabilities in every single one of them.
References in zbMATH (referenced in 4 articles)
- Amadini, Roberto; Gange, Graeme; Stuckey, Peter J.: Propagating lex, find and replace with dashed strings (2018)
- Amadini, Roberto; Flener, Pierre; Pearson, Justin; Scott, Joseph D.; Stuckey, Peter J.; Tack, Guido: MiniZinc with strings (2017)
- Scott, Joseph D.; Flener, Pierre; Pearson, Justin; Schulte, Christian: Design and implementation of bounded-length sequence variables (2017)
- Li, Xiaowei; Xue, Yuan: A survey on server-side approaches to securing web applications (2014)