OTACUS: Parameter-Tampering Prevention Techniques using Clean URL

  • Kim, Guiseok (CIST (Center for Information Security Technologies), Korea University)
  • Kim, Seungjoo (CIST (Center for Information Security Technologies), Korea University)
  • Received : 2014.06.12
  • Accepted : 2014.10.01
  • Published : 2014.12.31

Abstract

In a web application, URL parameters, the core element of information exchange between client and server, pass through network security devices such as firewalls and IPS without any particular restriction and are delivered to the web server. Simply by tampering with these parameters and requesting the manipulated URL, an attacker can leak confidential information without authorization or obtain financial gain through e-commerce. Such parameter-tampering vulnerabilities cannot be blocked by a web application firewall, because whether a value has been manipulated can only be decided by the logic of the application itself. This paper examines the weaknesses of existing prevention techniques and proposes OTACUS (One-Time Access Control URL System) to complement them. OTACUS uses a clean-URL technique that simplifies complex parameter-carrying URLs, hiding the real URL from the attacker and thereby effectively blocking tampering with parameters sent to the server by either the POST or GET method. Performance tests of an actual OTACUS implementation show a load increase within 3%, demonstrating that stable operation is possible.
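To make the mechanism concrete, here is an added example (not the paper's code) of one way a one-time access-control URL map can be built: the server keeps the real path and parameters in a server-side table keyed by a random single-use token bound to the issuing session, and the client only ever sees the token URL, so there is no parameter to tamper with. The class name `OneTimeUrlMap`, the `/go/` prefix and the sample order parameters are my assumptions.

```python
import secrets
import time


class OneTimeUrlMap:
    """Server-side table: clean token URL -> (real path, real parameters).

    Assumed design, not the paper's implementation: a token is random,
    single-use, bound to the session it was issued to, and time-limited.
    """

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._store = {}          # token -> (path, params, session_id, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock       # injectable for testing expiry

    def issue(self, path, params, session_id):
        """Register a real request and return the clean URL shown to the client."""
        token = secrets.token_urlsafe(24)   # 192 bits; unguessable
        self._store[token] = (path, dict(params), session_id, self._clock() + self._ttl)
        return "/go/" + token               # no parameter ever reaches the client

    def resolve(self, clean_url, session_id):
        """Map a clean URL back to (path, params); None if it must be rejected.

        The token is removed on first lookup, so replay, a guessed token,
        a different session or an expired entry all fail closed.
        """
        token = clean_url.rsplit("/", 1)[-1]
        entry = self._store.pop(token, None)
        if entry is None:
            return None
        path, params, owner, expires_at = entry
        if owner != session_id or self._clock() > expires_at:
            return None
        return path, params


if __name__ == "__main__":
    # Constructed walk-through: a payment link for session "sessA".
    urls = OneTimeUrlMap()
    link = urls.issue("/order/pay", {"order_id": "1001", "amount": "50000"}, "sessA")
    print("client sees:", link)                     # /go/<random token>
    print("server resolves:", urls.resolve(link, "sessA"))
    print("second use:", urls.resolve(link, "sessA"))  # None: single-use
```

Because the amount never appears in the URL or form, a client that edits its request can at most present a token, which resolves only to the exact parameters the server stored for that session.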
