
Lom: Discovering logic flaws within MongoDB-based web applications

Research Article, International Journal of Automation and Computing

Abstract

Logic flaws within web applications allow malicious operations to be triggered towards the back-end database. Existing approaches to identifying logic flaws in database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only SQL (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB-based web applications. Our approach introduces a MongoDB operation model to support the new features of MongoDB and models the application logic as a Mealy finite state machine. During the testing phase, test inputs that emulate state violation attacks are constructed to identify logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.
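As an added illustration of the testing idea sketched in the abstract (this is constructed example code, not Lom itself and not the authors' implementation): the intended logic of a hypothetical three-state shop is written down as a Mealy machine whose inputs are requests and whose outputs are the MongoDB operations each request should trigger; the tester then drives a black-box application into every state and sends it the requests the model does not allow there, reporting any request that is accepted or any database operation that nevertheless executes. The `ToyApp` class, its state and request names, and its deliberately missing checkout check are all assumptions made for the example, as is the hardened `check_checkout=True` variant used for comparison.

```python
"""Constructed example: a Mealy-machine model of intended application logic and a
black-box state-violation tester in the spirit of Lom (not the paper's code)."""
from collections import deque
from typing import Dict, List, Optional, Tuple

# Intended logic (constructed): (state, request) -> (next_state, MongoDB operation).
# An operation is (method, collection); None means the request touches no collection.
MODEL: Dict[Tuple[str, str], Tuple[str, Optional[Tuple[str, str]]]] = {
    ("anonymous", "login"):           ("authenticated", ("find", "users")),
    ("authenticated", "add_to_cart"): ("authenticated", ("update", "carts")),
    ("authenticated", "checkout"):    ("checked_out", ("insert", "orders")),
    ("authenticated", "logout"):      ("anonymous", None),
    ("checked_out", "logout"):        ("anonymous", None),
}
INITIAL = "anonymous"
STATES = sorted({s for s, _ in MODEL} | {n for n, _ in MODEL.values()})
REQUESTS = sorted({r for _, r in MODEL})


class ToyApp:
    """Hypothetical web application under test. With check_checkout=False it has one
    logic flaw: the checkout handler never verifies that the session is authenticated."""

    def __init__(self, check_checkout: bool = False) -> None:
        self.session = INITIAL
        self.check_checkout = check_checkout
        self.db_log: List[Tuple[str, str]] = []  # MongoDB operations actually executed

    def handle(self, request: str) -> bool:
        """Process one request; return True if accepted, False if rejected."""
        if request == "login" and self.session == "anonymous":
            self.db_log.append(("find", "users"))
            self.session = "authenticated"
            return True
        if request == "add_to_cart" and self.session == "authenticated":
            self.db_log.append(("update", "carts"))
            return True
        if request == "checkout":
            if self.check_checkout and self.session != "authenticated":
                return False  # hardened variant: enforce the model's precondition
            self.db_log.append(("insert", "orders"))  # flawed variant reaches this in any state
            self.session = "checked_out"
            return True
        if request == "logout" and self.session != "anonymous":
            self.session = INITIAL
            return True
        return False


def path_to(state: str) -> List[str]:
    """Shortest request sequence from INITIAL to `state`, by BFS over the model."""
    frontier = deque([(INITIAL, [])])
    seen = {INITIAL}
    while frontier:
        cur, path = frontier.popleft()
        if cur == state:
            return path
        for (src, req), (dst, _) in MODEL.items():
            if src == cur and dst not in seen:
                seen.add(dst)
                frontier.append((dst, path + [req]))
    raise ValueError(f"state {state!r} is unreachable in the model")


def find_logic_flaws(app_factory) -> List[dict]:
    """Black-box test: drive a fresh app into each state, then send every request the
    model does not permit there. A request that is accepted, or that executes any
    database operation, is reported as a state-violation logic flaw."""
    flaws = []
    for state in STATES:
        allowed = {r for (s, r) in MODEL if s == state}
        for req in REQUESTS:
            if req in allowed:
                continue
            app = app_factory()
            for step in path_to(state):
                if not app.handle(step):
                    raise RuntimeError(f"could not reach {state!r} via {step!r}")
            before = len(app.db_log)
            accepted = app.handle(req)
            new_ops = app.db_log[before:]
            if accepted or new_ops:
                flaws.append({"state": state, "request": req, "db_ops": new_ops})
    return flaws


if __name__ == "__main__":
    for flaw in find_logic_flaws(ToyApp):
        print(f"state={flaw['state']!r} request={flaw['request']!r} ran {flaw['db_ops']}")
    print("hardened app:", find_logic_flaws(lambda: ToyApp(check_checkout=True)))
```

Running the flawed variant reports the checkout request as accepted from both the `anonymous` and the `checked_out` state, each time executing an `insert` on `orders` that the model never permits there; the hardened variant produces an empty report. The point of the model is that the verdict comes from the observable database operation and the state in which it was reached, not from how the application happens to build its queries, which is what lets the approach apply to MongoDB rather than to SQL statement construction.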



Author information


Corresponding author

Correspondence to Jing Xu.

Additional information

This work was supported by China Scholarship Council, Tianjin Science and Technology Committee (No. 12JCZDJC20800), Science and Technology Planning Project of Tianjin (No. 13ZCZDGX01098), NSF TRUST (The Team for Research in Ubiquitous Secure Technology) Science and Technology Center (No.CCF-0424422), National Key Technology R&D Program (No. 2013BAH01B05), and National Natural Science Foundation of China (No. 61402264).

Recommended by Associate Editor Xun Chen

Shuo Wen received the B.Sc. degree in computer science and technology from Nankai University, China in 2009. He is currently a Ph.D. candidate at the Institute of Machine Intelligence, College of Computer and Control Engineering, Nankai University, China.

His research interests include networking and distributed systems with a focus on web applications and services and cloud computing.

ORCID iD: 0000-0001-6750-3735

Yuan Xue received the B.Sc. degree in computer science from Harbin Institute of Technology, China in 1998, and the M.Sc. and Ph.D. degrees in computer science from the University of Illinois at Urbana-Champaign, UK in 2002 and 2005. Currently, she is an assistant professor at the Department of Electrical Engineering and Computer Science of Vanderbilt University, USA. She is an NSF CAREER Award winner.

Her research interests include networking and distributed systems with a focus on wireless and mobile systems, web applications and services, clinical information system and cloud computing.

Jing Xu has been a professor of Nankai University in the Institute of Machine Intelligence, College of Computer and Control Engineering, Nankai University, China since 2006. She is a member of China Computer Federation, Software Engineering Technical Committee.

Her research interests include software engineering, software testing and information technology security evaluation.

ORCID iD: 0000-0001-8532-2241

Li-Ying Yuan received the B.Sc. degree in computer science and technology from Nankai University, China in 2014. Currently, she is a master's student at the Institute of Machine Intelligence, College of Computer and Control Engineering, Nankai University, China.

Her research interest is software analysis.

Wen-Li Song received the B.Sc. degree in computer science and technology from Nankai University, China in 2013. Currently, she is a master's student at the Institute of Machine Intelligence, College of Computer and Control Engineering, Nankai University, China.

Her research interests include software analysis.

Hong-Ji Yang is a professor in the Centre for Creative Computing, Bath Spa University, Bath, UK. He has taken part in many important international conferences, such as the International Conference on Software Maintenance, the 8th IEEE Workshop on Future Trends of Distributed Computing Systems, the 26th Annual International Computer Software and Applications Conference, etc. He is also the leader of the Software Evolution and Reengineering Group at the Software Technology Research Laboratory. He has been an IEEE Computer Society Golden Core Member since 2010 and a member of the EPSRC Peer Review College since 2003.

His research interests include software evolution, software engineering and creative computing.

Guan-Nan Si received the Ph.D. degree from Nankai University, China in 2011. He is currently an assistant professor of Shandong Jiaotong University, China.

His research interests include software engineering and software evaluating technology.


Cite this article

Wen, S., Xue, Y., Xu, J. et al. Lom: Discovering logic flaws within MongoDB-based web applications. Int. J. Autom. Comput. 14, 106–118 (2017). https://doi.org/10.1007/s11633-016-1051-x


  • DOI: https://doi.org/10.1007/s11633-016-1051-x
