Toward Black-Box Detection of Logic Flaws in Web Applications

Web applications play a central role in many critical areas, including online banking, health care, and personal communication. This, combined with the limited security training of many web developers, makes web applications one of the most common targets for attackers. In the past, researchers have proposed a large number of white-box and black-box techniques to test web applications for several classes of vulnerabilities. However, traditional approaches focus mostly on the detection of input validation flaws, such as SQL injection and cross-site scripting. Logic vulnerabilities, which are specific to the particular application, remain outside the scope of most existing tools and still have to be discovered by manual inspection. In this paper we propose a novel black-box technique to detect logic vulnerabilities in web applications. Our approach automatically identifies a number of behavioral patterns from a small number of network traces in which users interact with the application. From the extracted model, we then generate targeted test cases that follow a number of common attack scenarios.
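To make the two phases of the abstract concrete, the following is an added example, not the paper's tool or code: it takes a few constructed HTTP traces of a hypothetical web-shop workflow, infers two kinds of behavioral pattern from them (which endpoints always precede which, and which request parameters always carry a value returned by an earlier response), and turns the model into replayable test cases for two common logic-attack scenarios, skipping a workflow step and forging a server-issued value. Endpoint names, parameters and traces are assumptions constructed for the illustration.

```python
"""Added illustration (not the paper's implementation): infer a workflow
model from a few HTTP traces and derive logic-flaw test cases from it.
The endpoints, parameters and traces below are constructed."""

# Constructed traces: one user session each; every step is
# (endpoint, request_params, response_fields).
TRACES = [
    [("/cart/add", {"item": "42"}, {"cart": "c1"}),
     ("/checkout", {"cart": "c1"}, {"order": "o9", "total": "50"}),
     ("/pay", {"order": "o9", "amount": "50"}, {"status": "paid"}),
     ("/confirm", {"order": "o9"}, {"status": "shipped"})],
    [("/cart/add", {"item": "7"}, {"cart": "c2"}),
     ("/checkout", {"cart": "c2"}, {"order": "o10", "total": "20"}),
     ("/pay", {"order": "o10", "amount": "20"}, {"status": "paid"}),
     ("/confirm", {"order": "o10"}, {"status": "shipped"})],
]


def _positions(trace):
    """Map each endpoint to the index of its first occurrence in a trace."""
    pos = {}
    for i, (ep, _, _) in enumerate(trace):
        pos.setdefault(ep, i)
    return pos


def infer_order(traces):
    """Return the set of (a, b) pairs such that a occurs before b in every
    trace that contains both endpoints (candidate ordering constraints)."""
    endpoints = sorted({ep for t in traces for ep, _, _ in t})
    positions = [_positions(t) for t in traces]
    before = set()
    for a in endpoints:
        for b in endpoints:
            if a == b:
                continue
            shared = [p for p in positions if a in p and b in p]
            if shared and all(p[a] < p[b] for p in shared):
                before.add((a, b))
    return before


def immediate_order(before):
    """Transitive reduction: keep (a, b) only if no endpoint c sits between."""
    nodes = {x for pair in before for x in pair}
    return {(a, b) for a, b in before
            if not any((a, c) in before and (c, b) in before for c in nodes)}


def infer_propagation(traces):
    """Return {(dst_endpoint, param): {(src_endpoint, field), ...}} where the
    parameter value always equals a field of an earlier response in the
    same session (a server-issued value the client is expected to echo)."""
    links = {}
    for t in traces:
        for j, (dst, params, _) in enumerate(t):
            for p, v in params.items():
                found = {(src, f) for src, _, resp in t[:j]
                         for f, rv in resp.items() if rv == v}
                key = (dst, p)
                links[key] = found if key not in links else links[key] & found
    return {k: v for k, v in links.items() if v}


def generate_tests(traces):
    """Build replayable test cases from the inferred model, using the first
    trace as the baseline session to mutate."""
    base = [(ep, dict(params)) for ep, params, _ in traces[0]]
    tests = []
    # Scenario 1: drop an immediate predecessor and see whether the
    # server still accepts the next step.
    for a, b in sorted(immediate_order(infer_order(traces))):
        tests.append({"kind": "skip_step", "skipped": a, "target": b,
                      "requests": [(ep, dict(ps)) for ep, ps in base if ep != a]})
    # Scenario 2: replace a server-issued value (order id, total) with a
    # forged one and see whether the server re-validates it.
    for (dst, p), sources in sorted(infer_propagation(traces).items()):
        seq = []
        for ep, ps in base:
            ps = dict(ps)
            if ep == dst:
                ps[p] = "0" if ps[p].isdigit() else ps[p] + "X"
            seq.append((ep, ps))
        tests.append({"kind": "forge_param", "target": dst, "param": p,
                      "sources": sorted(sources), "requests": seq})
    return tests


if __name__ == "__main__":
    for case in generate_tests(TRACES):
        print(case["kind"], case["target"], case["requests"])
```

Each generated case is a request sequence; a practitioner would replay it against the application with a fresh session and compare the responses to the baseline trace, flagging any case in which the skipped or forged step is still answered with the success response seen in the recorded sessions (for instance, `/pay` accepting `amount=0`). The two inferred pattern types are assumptions made for this example; the paper's actual model and attack scenarios are not described on this page.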
