Scanning of Rich Web Applications for Parameter Tampering Vulnerabilities
Adonis P. H. Fung, Tielei Wang, K. W. Cheung, T. Y. Wong

TL;DR
This paper presents a novel blackbox scanner for web application parameter tampering that maintains workflow constraints to improve vulnerability detection, uncovering severe issues missed by existing tools.
Contribution
Introduces a new approach to identify and leverage workflow and parameter constraints for effective fuzzing-based vulnerability detection in web apps.
Findings
Successfully identified severe vulnerabilities in a real-world banking website
Outperformed existing scanners by detecting vulnerabilities others missed
Demonstrated effectiveness of maintaining workflow constraints during fuzzing
Abstract
Web applications require exchanging parameters between a client and a server to function properly. In real-world systems such as online banking transfer, traversing multiple pages with parameters contributed by both the user and server is a must, and hence the applications have to enforce workflow and parameter dependency controls across multiple requests. An application that applies insufficient server-side input validations is however vulnerable to parameter tampering attacks, which manipulate the exchanged parameters. Existing fuzzing-based scanning approaches however neglected these important controls, and this caused their fuzzing requests to be dropped before they can reach any vulnerable code. In this paper, we propose a novel approach to identify the workflow and parameter dependent constraints, which are then maintained and leveraged for automatic detection of server…
