Title of invention SYSTEM AND A METHOD FOR AUTOMATICALLY DETECTING SECURITY VULNERABILITIES IN CLIENT-SERVER APPLICATIONS
Abstract A method for automatically detecting security vulnerabilities in a client-server application where a client is connected to a server. The method is implemented by a computer having a processor and a software program stored on a non-transitory computer readable medium. The method includes automatically extracting, with the software program at the client, a description of one or more validation checks on inputs performed by the client. The method also includes analyzing the server, with the software program by using the one or more validation checks on inputs performed by the client, to determine whether the server is not performing validation checks that the server must be performing. The method further includes determining that security vulnerabilities in the client-server application exist when the server is not performing validation checks that the server must be performing. A method further proposes preventing parameter tampering attacks on a running client-server application by enforcing the one or more validation checks on inputs performed by the client on each input that is submitted to the server.
Application publication number US2013091578(A1) Publication date 2013.04.11
Application number US201213627928 Filing date 2012.09.26
Applicant THE BOARD OF TRUSTEES OF THE UNIVERSITY OF ILINOIS;THE BOARD OF TRUSTEES OF THE UNIVERSITY OF ILLINOIS Inventor BISHT PRITHVI;HINRICHS TIMOTHY;VENKATAKRISHNAN VENKATESAN NATARAJAN
Classification number G06F21/00 Main classification number G06F21/00
Agency Agent
Principal claim
Address