CCS’15 paper accepted!


Our paper, “Detecting and Exploiting Second Order Denial of Service Vulnerabilities in Web Applications”, has been accepted to CCS 2015 in Denver! Here is the abstract:

This paper describes a new class of denial-of-service (DoS)
attack, which we refer to as Second Order DoS attacks.
These attacks consist of two phases, one that pollutes a
database with junk entries and another that performs a
costly operation on these entries to cause resource exhaustion.
The main contribution of this paper is a static analysis
for detecting second-order DoS vulnerabilities in web
applications. We have implemented our analysis in a tool
called Torpedo, and we show that Torpedo can successfully
detect second-order DoS vulnerabilities in widely used
web applications written in PHP. Once our tool discovers a
vulnerability, it also performs symbolic execution to generate
candidate attack vectors. We evaluate Torpedo on six
widely-used web applications and show that it uncovers 37
security vulnerabilities, while reporting 18 false positives.
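The two-phase pattern the abstract describes, as an added illustration (not code from the paper or from Torpedo): a store with no growth bound feeds an operation whose cost scales with the stored rows, shown next to a bounded variant. The table, function names, quota and page size are assumptions made for this sketch.

```python
import html
import sqlite3

MAX_ROWS_PER_USER = 20  # assumed quota, not taken from the paper
PAGE_SIZE = 10          # assumed page size, not taken from the paper

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    return db

def add_note(db, owner, body, quota=None):
    """Phase 1: store request data. With quota=None nothing bounds table growth."""
    if quota is not None:
        (count,) = db.execute(
            "SELECT COUNT(*) FROM notes WHERE owner = ?", (owner,)).fetchone()
        if count >= quota:
            return False  # reject instead of letting the table grow
    db.execute("INSERT INTO notes (owner, body) VALUES (?, ?)", (owner, body))
    return True

def render_notes(db, owner, page_size=None):
    """Phase 2: per-row work over the stored rows; returns how many rows were processed."""
    sql = "SELECT id, body FROM notes WHERE owner = ? ORDER BY id"
    params = [owner]
    if page_size is not None:
        sql += " LIMIT ?"  # cost is now bounded by the page, not the table
        params.append(page_size)
    processed = 0
    items = []
    for note_id, body in db.execute(sql, params):
        items.append(f"<li id='n{note_id}'>{html.escape(body)}</li>")
        processed += 1
    return processed

def simulate(requests, quota=None, page_size=None):
    """Send `requests` constructed junk entries, then run the costly operation once."""
    db = make_db()
    accepted = sum(add_note(db, "u1", f"junk {i}", quota) for i in range(requests))
    return accepted, render_notes(db, "u1", page_size)

if __name__ == "__main__":
    print("unbounded (stored, processed):", simulate(5000))
    print("bounded   (stored, processed):", simulate(5000, MAX_ROWS_PER_USER, PAGE_SIZE))
```

The second number in each result is the work done by one later request; in the unbounded case it equals whatever earlier requests were able to store.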
