Engineering school and research centre in digital sciences

Toward black-box detection of logic flaws in web applications

Pellegrino, Giancarlo; Balzarotti, Davide

NDSS 2014, Network and Distributed System Security Symposium, 23-26 February 2014, San Diego, USA

Web applications play a very important role in many critical areas, including online banking, health care, and personal communication. This, combined with the limited security training of many web developers, makes web applications one of the most common targets for attackers. In the past, researchers have proposed a large number of white- and black-box techniques to test web applications for the presence of several classes of vulnerabilities. However, traditional approaches focus mostly on the detection of input validation flaws, such as SQL injection and cross-site scripting. Unfortunately, logic vulnerabilities specific to particular applications remain outside the scope of most of the existing tools and still need to be discovered by manual inspection. In this paper we propose a novel black-box technique to detect logic vulnerabilities in web applications. Our approach is based on the automatic identification of a number of behavioral patterns starting from a few network traces in which users interact with a certain application. Based on the extracted model, we then generate targeted test cases following a number of common attack scenarios. We applied our prototype to seven real-world e-commerce web applications, discovering ten very severe and previously unknown logic vulnerabilities.


Title: Toward black-box detection of logic flaws in web applications
Type: Conference
Language: English
City: San Diego
Country: UNITED STATES
Date:
Department: Digital Security
Eurecom ref: 4207
Copyright: © ISOC. Personal use of this material is permitted. The definitive version of this paper was published in NDSS 2014, Network and Distributed System Security Symposium, 23-26 February 2014, San Diego, USA and is available at :
Bibtex: @inproceedings{EURECOM+4207, year = {2014}, title = {{T}oward black-box detection of logic flaws in web applications}, author = {{P}ellegrino, {G}iancarlo and {B}alzarotti, {D}avide}, booktitle = {{NDSS} 2014, {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium, 23-26 {F}ebruary 2014, {S}an {D}iego, {USA}}, address = {{S}an {D}iego, {\'{E}}{TATS}-{UNIS}}, month = {02}, url = {http://www.eurecom.fr/publication/4207} }