short-paper

LogicScope: automatic discovery of logic vulnerabilities within web applications

Authors:

Xiaowei Li,

Yuan XueAuthors Info & Claims

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security

Pages 481 - 486

https://doi.org/10.1145/2484313.2484375

Published: 08 May 2013 Publication History

Get Access

Abstract

Logic flaws are an important class of vulnerabilities within web applications, which allow sensitive information and restrictive operations to be accessed at inappropriate application states. In this paper, we take a first step towards a systematic black-box approach to identifying logic vulnerabilities within web applications. We first construct a partial FSM over the expected input domain by collecting and analyzing the execution traces when users follow the navigation paths within the web application. Then, we test the application at each state by constructing unexpected input vectors and evaluating corresponding web responses. We implement a prototype system LogicScope and demonstrate its effectiveness using a set of real world web applications.

References

[1]

P. Bisht, T. Hinrichs, N. Skrupsky, R. Bobrowicz, and V. N. Venkatakrishnan. NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications. In CCS'10, pages 607--618, 2010.

Digital Library

Google Scholar

[2]

Citigroup credit card information leakage in 2011. http://www.wired.com/threatlevel/2011/06/citibank-hacked/.

Google Scholar

[3]

M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In RAID'07, pages 63--86, 2007.

Digital Library

Google Scholar

[4]

V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward Automated Detection of Logic Vulnerabilities in Web Applications. In USENIX'10, pages 143--160, 2010.

Digital Library

Google Scholar

[5]

P. Godefroid, N. Klarlund, and K. Sen. Dart: directed automated random testing. In PLDI'05, pages 213--223, 2005.

Digital Library

Google Scholar

[6]

P. Godefroid, M. Y. Levin, and D. A. Molnar. Automated whitebox fuzz testing. In NDSS'08, 2008.

Google Scholar

[7]

X. Li and Y. Xue. BLOCK: A Black-box Approach for Detection of State Violation Attacks Towards Web Applications. In ACSAC'11, pages 247--256, 2011.

Digital Library

Google Scholar

[8]

X. Li and Y. Xue. LogicScope: Automatic Discovery of Logic Vulnerabilities within Web Applications. Technical report, Vanderbilt University ISIS, 2012.

Google Scholar

[9]

X. Li, W. Yan, and Y. Xue. SENTINEL: securing database from logic flaws in web applications. In CODASPY '12, pages 25--36, 2012.

Digital Library

Google Scholar

[10]

P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. In Oakland'10, pages 513--528, 2010.

Digital Library

Google Scholar

[11]

P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In NDSS'10, 2010.

Google Scholar

[12]

F. Sun, L. Xu, and Z. Su. Static Detection of Access Control Vulnerabilities in Web Applications. In USENIX'11, pages 11--11, 2011.

Digital Library

Google Scholar

Cited By

View all

Cheh CTay NChen B(2022)From Hindsight to Foresight: Enhancing Design Artifacts for Business Logic Flaw DiscoveryProceedings of the 38th Annual Computer Security Applications Conference10.1145/3564625.3564654(400-411)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3564625.3564654
Cheh CTay NChen B(2022)Design and User Study of a Constraint-based Framework for Business Logic Flaw Discovery2022 IEEE Secure Development Conference (SecDev)10.1109/SecDev53368.2022.00029(91-99)Online publication date: Oct-2022
https://doi.org/10.1109/SecDev53368.2022.00029
Ghorbanzadeh MShahriari H(2020)Detecting application logic vulnerabilities via finding incompatibility between application design and implementationIET Software10.1049/iet-sen.2019.018614:4(377-388)Online publication date: Aug-2020
https://doi.org/10.1049/iet-sen.2019.0186
Show More Cited By

Index Terms

LogicScope: automatic discovery of logic vulnerabilities within web applications
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
  2. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Securing web applications from injection and logic vulnerabilities

Context: Web applications are trusted by billions of users for performing day-to-day activities. Accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A simple implementation flaw in the ...
PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications
CF '15: Proceedings of the 12th ACM International Conference on Computing Frontiers

As the usage of web applications for security-sensitive facilities has enlarged, the quantity and cleverness of web-based attacks against the web applications have grown-up as well. Several annual cyber security reports revealed that modern web ...
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
SP '09: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy

As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception.User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target ...

Comments

Information & Contributors

Information

Published In

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security

May 2013

574 pages

ISBN:9781450317672

DOI:10.1145/2484313

General Chairs:
Kefei Chen
Shanghai Jiao Tong University, China
,
Qi Xie
Hangzhou Normal University, China
,
Weidong Qiu
Shanghai Jiao Tong University, China
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Wen-Guey Tzeng
National Chiao Tung University, Taiwan

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 May 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Conference

ASIA CCS '13

Sponsor:

SIGSAC

ASIA CCS '13: 8th ACM Symposium on Information, Computer and Communications Security

May 8 - 10, 2013

Hangzhou, China

Acceptance Rates

ASIA CCS '13 Paper Acceptance Rate 35 of 216 submissions, 16%;

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

11
Total Citations
View Citations
441
Total Downloads

Downloads (Last 12 months)48
Downloads (Last 6 weeks)7

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Cheh CTay NChen B(2022)From Hindsight to Foresight: Enhancing Design Artifacts for Business Logic Flaw DiscoveryProceedings of the 38th Annual Computer Security Applications Conference10.1145/3564625.3564654(400-411)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3564625.3564654
Cheh CTay NChen B(2022)Design and User Study of a Constraint-based Framework for Business Logic Flaw Discovery2022 IEEE Secure Development Conference (SecDev)10.1109/SecDev53368.2022.00029(91-99)Online publication date: Oct-2022
https://doi.org/10.1109/SecDev53368.2022.00029
Ghorbanzadeh MShahriari H(2020)Detecting application logic vulnerabilities via finding incompatibility between application design and implementationIET Software10.1049/iet-sen.2019.018614:4(377-388)Online publication date: Aug-2020
https://doi.org/10.1049/iet-sen.2019.0186
Ghorbanzadeh MReza Shahriari H(2020)ANOVUL: Detection of logic vulnerabilities in annotated programs via data and control flow analysisIET Information Security10.1049/iet-ifs.2018.561514:3(352-364)Online publication date: May-2020
https://doi.org/10.1049/iet-ifs.2018.5615
(2018)RAJIVEInternational Journal of Innovative Computing and Applications10.1504/IJICA.2018.0908229:1(13-36)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1504/IJICA.2018.090822
Deepa GThilagam PPraseed APais A(2018)DetLogicJournal of Network and Computer Applications10.1016/j.jnca.2018.01.008109:C(89-109)Online publication date: 1-May-2018
https://dl.acm.org/doi/10.1016/j.jnca.2018.01.008
Wen SXue YXu JYuan LSong WYang HSi G(2017)LomInternational Journal of Automation and Computing10.1007/s11633-016-1051-x14:1(106-118)Online publication date: 1-Feb-2017
https://dl.acm.org/doi/10.1007/s11633-016-1051-x
Wen SXue YXu JYang HLi XSong WSi G(2016)Toward Exploiting Access Control Vulnerabilities within MongoDB Backend Web Applications2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC)10.1109/COMPSAC.2016.207(143-153)Online publication date: Jun-2016
https://doi.org/10.1109/COMPSAC.2016.207
Gupta SGupta BNapoli CSalapura VFranke HHou R(2015)PHP-sensorProceedings of the 12th ACM International Conference on Computing Frontiers10.1145/2742854.2745719(1-8)Online publication date: 6-May-2015
https://dl.acm.org/doi/10.1145/2742854.2745719
Li XSi XXue YBertino ESandhu RPark J(2014)Automated black-box detection of access control vulnerabilities in web applicationsProceedings of the 4th ACM conference on Data and application security and privacy10.1145/2557547.2557552(49-60)Online publication date: 3-Mar-2014
https://dl.acm.org/doi/10.1145/2557547.2557552
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Securing web applications from injection and logic vulnerabilities

PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications

Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations