ABSTRACT
Logic flaws are an important class of vulnerabilities in web applications: they allow sensitive information and restricted operations to be accessed at inappropriate application states. In this paper, we take a first step towards a systematic black-box approach to identifying logic vulnerabilities in web applications. We first construct a partial finite state machine (FSM) over the expected input domain by collecting and analyzing the execution traces produced when users follow the navigation paths of the web application. Then, we test the application at each state by constructing unexpected input vectors and evaluating the corresponding web responses. We implement a prototype system, LogicScope, and demonstrate its effectiveness on a set of real-world web applications.
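The two phases the abstract describes, shown as an added illustration that is not LogicScope's own code. The toy checkout application (whose /confirm step only checks that a cart exists, not that payment was made), the navigation traces, the state labels, and the two probing rules (inputs first seen at the start state are unrestricted; re-issuing the request that produced the current state is a re-display, not a violation) are all assumptions made here, not details taken from the paper. Phase 1 replays traces of expected navigation to learn a partial FSM; phase 2 drives a fresh session to each learned state, issues every restricted input the FSM does not expect there, and flags the input when the application answers exactly as it does at the state where that input belongs.

```python
"""Black-box logic-flaw probing in the two phases the abstract describes.

Added illustration, not LogicScope's own code: the toy checkout application,
its navigation traces and the state labels are constructed here.
"""

from typing import Callable, Dict, List, Tuple

Sig = Tuple[int, str]  # response signature: (status, body)


class ToyShop:
    """Constructed target. Intended workflow: /cart -> /shipping -> /payment -> /confirm.
    With fixed=False, /confirm only checks that a cart exists (the logic flaw);
    with fixed=True it also requires that payment has been completed."""

    def __init__(self, fixed: bool = False):
        self.fixed = fixed
        self.cart = self.shipping = self.paid = False

    def request(self, path: str) -> Sig:
        if path == "/cart":
            self.cart = True
            return 200, "cart page"
        if path == "/shipping":
            if not self.cart:
                return 302, "redirect:/cart"
            if self.paid:
                return 409, "already paid"
            self.shipping = True
            return 200, "shipping form"
        if path == "/payment":
            if not self.shipping:
                return 302, "redirect:/shipping"
            if self.paid:
                return 409, "already paid"
            self.paid = True
            return 200, "payment accepted"
        if path == "/confirm":
            # Flaw: the unfixed version never checks self.paid.
            if not self.cart or (self.fixed and not self.paid):
                return 302, "redirect:/cart"
            return 200, "order confirmed"
        return 404, "not found"


# Constructed traces of users following the intended navigation paths.
TRACES = [
    ["/cart", "/shipping", "/payment", "/confirm"],
    ["/cart", "/shipping"],  # a session abandoned before paying
]


def build_fsm(app_factory: Callable[[], ToyShop], traces: List[List[str]]):
    """Phase 1: replay the traces and record a partial FSM over expected inputs.
    A state is labelled by the body of the response that produced it (a real
    tool would first abstract dynamic content such as order numbers)."""
    fsm: Dict[str, Dict[str, str]] = {}          # state -> {input: next state}
    reach: Dict[str, List[str]] = {"start": []}  # state -> request prefix reaching it
    expected: Dict[str, Tuple[str, Sig]] = {}    # input -> (state where seen, signature)
    for trace in traces:
        app, state, prefix = app_factory(), "start", []
        for path in trace:
            sig = app.request(path)
            prefix.append(path)
            nxt = sig[1]
            fsm.setdefault(state, {})[path] = nxt
            reach.setdefault(nxt, list(prefix))
            expected.setdefault(path, (state, sig))
            state = nxt
    return fsm, reach, expected


def probe(app_factory, fsm, reach, expected) -> List[Tuple[str, str]]:
    """Phase 2: at every state, issue each input the FSM does not expect there
    and flag it when the application answers exactly as it does at the state
    where the input belongs."""
    # Assumption: inputs first seen at "start" are unrestricted (anyone may open
    # the cart); only inputs that normally require a prior step are probed.
    restricted = sorted(p for p, (st, _) in expected.items() if st != "start")
    findings = []
    for state, prefix in reach.items():
        for path in restricted:
            if path in fsm.get(state, {}):
                continue  # expected here; not a violation
            if prefix and path == prefix[-1]:
                continue  # assumption: re-display of the current step, not a violation
            app = app_factory()
            for p in prefix:  # drive a fresh session to `state`
                app.request(p)
            if app.request(path) == expected[path][1]:
                findings.append((state, path))
    return findings


def scan(fixed: bool = False) -> List[Tuple[str, str]]:
    """Learn the FSM from TRACES, then probe every state; returns (state, input) pairs."""
    def factory() -> ToyShop:
        return ToyShop(fixed=fixed)
    fsm, reach, expected = build_fsm(factory, TRACES)
    return probe(factory, fsm, reach, expected)


if __name__ == "__main__":
    print(scan())            # [('cart page', '/confirm'), ('shipping form', '/confirm')]
    print(scan(fixed=True))  # []
```

The unfixed shop yields two findings, both the same flaw reached from different states: /confirm is accepted straight from the cart page and from the shipping form, before any payment. Once /confirm also requires the paid flag, the same traces and probes produce no findings. The comparison against the response observed at the input's expected state is what separates a state violation from an ordinary redirect or error; a real target would need the response signature normalised (timestamps, order numbers, CSRF tokens) before that equality check is meaningful.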
Index Terms
- LogicScope: automatic discovery of logic vulnerabilities within web applications