Proceedings 2014 Network and Distributed System Security Symposium 2014
DOI: 10.14722/ndss.2014.23351

Detecting Logic Vulnerabilities in E-commerce Applications

Abstract: E-commerce has become a thriving business model. With easy access to various tools and third-party cashiers, it is straightforward to create and launch e-commerce web applications. However, it remains difficult to create secure ones. While third-party cashiers help bridge the gap of trustiness between merchants and customers, the involvement of cashiers as a new party complicates logic flows of checkout processes. Even a small loophole in a checkout process may lead to financial loss of merchants, thu…

Cited by 29 publications (27 citation statements). References 24 publications.
“…Similar attacks have also been detected in CaaS-enabled scenarios [35], [32]. For instance, a vulnerability in osCommerce v2.3.1 that allowed an attacker to shop for free has been reported in [32]: the attacker controls a SP and obtains an account identifier from PayPal for paying herself; later on, she replays this value in a subsequent session with a vulnerable SP where she purchases a product by paying herself.…”
Section: Introduction (mentioning)
confidence: 67%
“…This shows how our technique can cover the kinds of attacks that were reported in literature. For instance, in [35], the authors mention that a logical vulnerability in the 2Checkout integration in osCommerce v2.3 enables an attacker to reuse the payment status values of the paid order to bypass payment for future orders (cf. #4 of Table I).…”
Section: B. Results (mentioning)
confidence: 99%
“…Several techniques have been used in attempts to detect taint-style vulnerabilities, including XSS and SQLI, via static analyses [43,49,63,65] or dynamic executions [29,53]. Conducting symbolic execution has also been explored for finding logic bugs [59,62] and generating attack exploits [26]. However, few research studies have addressed finding U(E)FU vulnerabilities [40].…”
Section: Introduction (mentioning)
confidence: 99%