TY - GEN
T1 - EARs in the wild
T2 - 28th Annual ACM Symposium on Applied Computing, SAC 2013
AU - Payet, Pierre
AU - Doupé, Adam
AU - Kruegel, Christopher
AU - Vigna, Giovanni
PY - 2013
Y1 - 2013
N2 - Execution After Redirect vulnerabilities - logic flaws in web applications where unintended code is executed after a redirect - have received little attention from the research community. In fact, we found a research paper that incorrectly modeled the redirect semantics, causing their static analysis to miss EAR vulnerabilities. To understand the breadth and scope of EARs in the real world, we performed a large-scale analysis to determine the prevalence of EARs on the Internet. We crawled 8,097,283 URLs from 255,957 domains. We employ a black-box approach that finds EARs which manifest themselves by information leakage in the HTTP redirect response. For this type of EAR, we developed a classification system that discovered 2,173 security-critical EARs among 416 domains. This result shows that EARs are a serious and prevalent problem on the Internet today and deserve future research attention.
UR - http://www.scopus.com/inward/record.url?scp=84877992639&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84877992639&partnerID=8YFLogxK
U2 - 10.1145/2480362.2480699
DO - 10.1145/2480362.2480699
M3 - Conference contribution
AN - SCOPUS:84877992639
SN - 9781450316569
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1792
EP - 1799
BT - 28th Annual ACM Symposium on Applied Computing, SAC 2013
Y2 - 18 March 2013 through 22 March 2013
ER -