
BLOCK: a black-box approach for detection of state violation attacks towards web applications

Published: 05 December 2011

Abstract

State violation attacks towards web applications exploit logic flaws and allow restrictive functions and sensitive information to be accessed at inappropriate states. Since application logic flaws are specific to the intended functionality of a particular web application, it is difficult to develop a general approach that addresses state violation attacks. To date, existing approaches all require web application source code for analysis or instrumentation in order to detect state violations.
In this paper, we present BLOCK, a BLack-bOx approach for detecting state violation attaCKs. We regard the web application as a stateless system and infer the intended web application behavior model by observing the interactions between the clients and the web application. We extract a set of invariants from the web request/response sequences and their associated session variable values during its attack-free execution. The set of invariants is then used for evaluating web requests and responses at runtime. Any web request or response that violates the associated invariants is identified as a potential state violation attack. We develop a system prototype based on the WebScarab proxy and evaluate our detection system using a set of real-world web applications. The experimental results demonstrate that our approach is effective at detecting state violation attacks and incurs acceptable performance overhead. Our approach is valuable in that it is independent of the web application source code and can easily scale up.
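As an added illustration of the approach the abstract describes (this is not the paper's BLOCK prototype, which runs inside the WebScarab proxy), the following Python learns two kinds of invariants from constructed attack-free sessions: which session variables must be present, and with what value, when each request path is made, and which request path may precede it. A runtime request that violates either is flagged. All request paths, variable names and session data are constructed for the example.

```python
# Added example (not the paper's BLOCK code); paths and session data are constructed.
from collections import defaultdict

ANY = object()  # variable is always present but its value is not constant

# Constructed attack-free sessions: each step is (request path, session vars at request time).
ATTACK_FREE_SESSIONS = [
    [("/login", {}), ("/cart/add", {"user": "alice", "role": "customer"}),
     ("/checkout", {"user": "alice", "role": "customer", "cart_total": 30})],
    [("/login", {}), ("/cart/add", {"user": "carol", "role": "customer"}),
     ("/checkout", {"user": "carol", "role": "customer", "cart_total": 12})],
    [("/login", {}), ("/admin/orders", {"user": "bob", "role": "admin"})],
]

def learn_invariants(sessions):
    """Per request path, infer (a) session variables that are always present, with their
    value when it never varies, and (b) the paths seen just before it (None = session start)."""
    seen_vars, seen_prev = defaultdict(list), defaultdict(set)
    for steps in sessions:
        prev = None
        for path, sess in steps:
            seen_vars[path].append(sess)
            seen_prev[path].add(prev)
            prev = path
    model = {}
    for path, observations in seen_vars.items():
        always_present = set.intersection(*(set(o) for o in observations))
        var_inv = {}
        for var in sorted(always_present):
            values = {o[var] for o in observations}
            var_inv[var] = values.pop() if len(values) == 1 else ANY
        model[path] = {"vars": var_inv, "prev": seen_prev[path]}
    return model

def check_request(model, path, sess, prev_path):
    """Return the invariants a runtime request violates; [] means consistent with the model."""
    inv = model.get(path)
    if inv is None:
        return ["request path never observed during training"]
    violations = []
    if prev_path not in inv["prev"]:
        violations.append(f"unexpected predecessor {prev_path!r}")
    for var, expected in inv["vars"].items():
        if var not in sess:
            violations.append(f"missing session variable {var!r}")
        elif expected is not ANY and sess[var] != expected:
            violations.append(f"{var}={sess[var]!r} but invariant requires {expected!r}")
    return violations

MODEL = learn_invariants(ATTACK_FREE_SESSIONS)
```

Because only one admin session appears in training, the model also pins `user` to `'bob'` on `/admin/orders`; this shows why the attack-free trace must cover normal behaviour broadly, or legitimate requests will be flagged.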



Published In

ACSAC '11: Proceedings of the 27th Annual Computer Security Applications Conference
December 2011
432 pages
ISBN: 9781450306720
DOI: 10.1145/2076732

Sponsors

  • ACSA: Applied Computing Security Association

Publisher

Association for Computing Machinery

New York, NY, United States



Author Tags

  1. black-box approach
  2. invariant
  3. state violation attack
  4. web application security


Conference

ACSAC '11: Annual Computer Security Applications Conference
Sponsor: ACSA
December 5-9, 2011
Orlando, Florida, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%


Cited By

  • An MLLM-Assisted Web Crawler Approach for Web Application Fuzzing. Applied Sciences 15(2):962, 2025. DOI: 10.3390/app15020962
  • AcVerifier: Cross-Domain Access Control Verification via Hybrid Static and Dynamic Analysis. 2024 IEEE International Symposium on Parallel and Distributed Processing with Applications (ISPA), pages 736-742, 2024. DOI: 10.1109/ISPA63168.2024.00099
  • Towards Automated Learning of Access Control Policies Enforced by Web Applications. Proceedings of the 28th ACM Symposium on Access Control Models and Technologies, pages 163-168, 2023. DOI: 10.1145/3589608.3594743
  • Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities. 2023 IEEE Symposium on Security and Privacy (SP), pages 2658-2675, 2023. DOI: 10.1109/SP46215.2023.10179317
  • Web Scanner: An Innovative Prototype for Checking Web Vulnerability. Software Engineering Application in Systems Design, pages 680-691, 2023. DOI: 10.1007/978-3-031-21435-6_58
  • Discovering Authorization Business Rules toward Detecting Web Applications Logic Flaws. 2022 International Arab Conference on Information Technology (ACIT), pages 1-7, 2022. DOI: 10.1109/ACIT57182.2022.9994086
  • Database Traffic Interception for Graybox Detection of Stored and Context-sensitive XSS. Digital Threats: Research and Practice 1(3):1-23, 2020. DOI: 10.1145/3399668
  • Bulwark: Holistic and Verified Security Monitoring of Web Protocols. Computer Security - ESORICS 2020, pages 23-41, 2020. DOI: 10.1007/978-3-030-58951-6_2
  • Evaluating the web-application resiliency to business-layer DoS attacks. ETRI Journal 42(3):433-445, 2019. DOI: 10.4218/etrij.2019-0164
  • Requirements for preventing logic flaws in the authentication procedure of web applications. Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pages 1620-1628, 2019. DOI: 10.1145/3297280.3297438
