short-paper

LogicScope: automatic discovery of logic vulnerabilities within web applications

Authors:
Xiaowei Li

Vanderbilt University, Nashville, TN, USA

Vanderbilt University, Nashville, TN, USA
View Profile

,
Yuan Xue

Vanderbilt University, Nashville, TN, USA

Vanderbilt University, Nashville, TN, USA
View Profile

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications securityMay 2013Pages 481–486https://doi.org/10.1145/2484313.2484375

Published:08 May 2013Publication History

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security

Pages 481–486

ABSTRACT

Logic flaws are an important class of vulnerabilities within web applications, which allow sensitive information and restrictive operations to be accessed at inappropriate application states. In this paper, we take a first step towards a systematic black-box approach to identifying logic vulnerabilities within web applications. We first construct a partial FSM over the expected input domain by collecting and analyzing the execution traces when users follow the navigation paths within the web application. Then, we test the application at each state by constructing unexpected input vectors and evaluating corresponding web responses. We implement a prototype system LogicScope and demonstrate its effectiveness using a set of real world web applications.

References

P. Bisht, T. Hinrichs, N. Skrupsky, R. Bobrowicz, and V. N. Venkatakrishnan. NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications. In CCS'10, pages 607--618, 2010. Google ScholarDigital Library
Citigroup credit card information leakage in 2011. http://www.wired.com/threatlevel/2011/06/citibank-hacked/.Google Scholar
M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In RAID'07, pages 63--86, 2007. Google ScholarDigital Library
V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward Automated Detection of Logic Vulnerabilities in Web Applications. In USENIX'10, pages 143--160, 2010. Google ScholarDigital Library
P. Godefroid, N. Klarlund, and K. Sen. Dart: directed automated random testing. In PLDI'05, pages 213--223, 2005. Google ScholarDigital Library
P. Godefroid, M. Y. Levin, and D. A. Molnar. Automated whitebox fuzz testing. In NDSS'08, 2008.Google Scholar
X. Li and Y. Xue. BLOCK: A Black-box Approach for Detection of State Violation Attacks Towards Web Applications. In ACSAC'11, pages 247--256, 2011. Google ScholarDigital Library
X. Li and Y. Xue. LogicScope: Automatic Discovery of Logic Vulnerabilities within Web Applications. Technical report, Vanderbilt University ISIS, 2012.Google Scholar
X. Li, W. Yan, and Y. Xue. SENTINEL: securing database from logic flaws in web applications. In CODASPY '12, pages 25--36, 2012. Google ScholarDigital Library
P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. In Oakland'10, pages 513--528, 2010. Google ScholarDigital Library
P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In NDSS'10, 2010.Google Scholar
F. Sun, L. Xu, and Z. Su. Static Detection of Access Control Vulnerabilities in Web Applications. In USENIX'11, pages 11--11, 2011. Google ScholarDigital Library

Index Terms

LogicScope: automatic discovery of logic vulnerabilities within web applications
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
  2. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Securing web applications from injection and logic vulnerabilities

Context: Web applications are trusted by billions of users for performing day-to-day activities. Accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A simple implementation flaw in the ...
Read More
PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications
CF '15: Proceedings of the 12th ACM International Conference on Computing Frontiers

As the usage of web applications for security-sensitive facilities has enlarged, the quantity and cleverness of web-based attacks against the web applications have grown-up as well. Several annual cyber security reports revealed that modern web ...
Read More
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
SP '09: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy

As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception.User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
May 2013
574 pages
ISBN:9781450317672
DOI:10.1145/2484313
General Chairs:
Kefei Chen
Shanghai Jiao Tong University, China
,
Qi Xie
Hangzhou Normal University, China
,
Weidong Qiu
Shanghai Jiao Tong University, China
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Wen-Guey Tzeng
National Chiao Tung University, Taiwan
Copyright © 2013 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 8 May 2013
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
finite state machine
logic vulnerability
web application security
Qualifiers
- short-paper
Conference

Acceptance Rates
ASIA CCS '13 Paper Acceptance Rate35of216submissions,16%Overall Acceptance Rate418of2,322submissions,18%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 11
  Total Citations
  View Citations
- 408
  Total Downloads
- Downloads (Last 12 months)47
- Downloads (Last 6 weeks)5
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

LogicScope: automatic discovery of logic vulnerabilities within web applications

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Securing web applications from injection and logic vulnerabilities

PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications

Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers