Abstract
A web attack pattern called HTTP Parameter Pollution (HPP) has been presented in recent years, and the harm it causes and the methods for detecting it have become a hot topic in web application security. In this paper, we start by analyzing the HPP attack pattern, study the necessary conditions and the potential harm of the attack, point out that determining parameter precedence is a prerequisite for implementing and testing such attacks, and propose a method for determining parameter precedence based on tree edit distance, which provides the necessary support for HPP vulnerability detection. We also develop distinct detection methods for the different ways the parameters in the URL can differ from those in the page. Finally, a detection system for HPP vulnerabilities was implemented, and several vulnerabilities were discovered in real-world applications.
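The precedence-determination step the abstract describes, modelled as an added Python example (not the paper's code): a server is probed with each marker value alone and then with both values repeated, and the polluted response is matched against the single-value baselines to classify the backend as first-wins, last-wins or concatenating. The `page_for` callback, the `render` stand-in page and the markers are assumptions, and `difflib` sequence similarity on the markup stands in for the paper's tree edit distance over the page structure.

```python
import difflib
from urllib.parse import parse_qsl


def resolve(query: str, policy: str) -> dict:
    """Resolve duplicate keys in a query string under one of three policies
    seen across web stacks: 'first' keeps the first value, 'last' the last,
    'concat' joins all values with a comma."""
    resolved = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key not in resolved:
            resolved[key] = value
        elif policy == "last":
            resolved[key] = value
        elif policy == "concat":
            resolved[key] = resolved[key] + "," + value
        # 'first': keep the value already stored
    return resolved


def render(params: dict) -> str:
    """Constructed stand-in for a server page that reflects the 'id' parameter."""
    return f"<html><body><h1>Item</h1><p>id={params.get('id', '')}</p></body></html>"


def simulated_server(policy: str):
    """Hypothetical backend: maps a query string to a page under `policy`."""
    return lambda query: render(resolve(query, policy))


def infer_precedence(page_for, marker_a: str = "AAA1", marker_b: str = "BBB2") -> str:
    """Classify how `page_for` resolves a repeated parameter.
    Markers must be distinct and neither a substring of the other."""
    base_a = page_for(f"id={marker_a}")
    base_b = page_for(f"id={marker_b}")
    polluted = page_for(f"id={marker_a}&id={marker_b}")
    if marker_a in polluted and marker_b in polluted:
        return "concat"  # both values survive, so the server combined them
    # Similarity to each baseline; the paper uses tree edit distance on the
    # parsed page, this example uses sequence similarity on the raw markup.
    sim_a = difflib.SequenceMatcher(None, base_a, polluted).ratio()
    sim_b = difflib.SequenceMatcher(None, base_b, polluted).ratio()
    if sim_a == sim_b:
        return "unknown"  # parameter is not reflected, nothing to compare
    return "first" if sim_a > sim_b else "last"
```

A page that does not reflect the parameter yields identical responses for every probe and is reported as "unknown", which is the case the per-parameter detection methods in the paper have to handle separately.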
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Cao, Y., Wei, Q., Wang, Q. (2012). Parameter Pollution Vulnerabilities Detection Study Based on Tree Edit Distance. In: Chim, T.W., Yuen, T.H. (eds) Information and Communications Security. ICICS 2012. Lecture Notes in Computer Science, vol 7618. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34129-8_37
DOI: https://doi.org/10.1007/978-3-642-34129-8_37
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34128-1
Online ISBN: 978-3-642-34129-8