Toward Black-Box Detection of Logic Flaws in Web Applications

Abstract: Abstract-Web applications play a very important role in many critical areas, including online banking, health care, and personal communication. This, combined with the limited security training of many web developers, makes web applications one of the most common targets for attackers.In the past, researchers have proposed a large number of white-and black-box techniques to test web applications for the presence of several classes of vulnerabilities. However, traditional approaches focus mostly on the detectio… Show more

“…Similar attacks have also been detected in CaaS-enabled scenarios [35], [32]. For instance, a vulnerability in osCommerce v2.3.1 that allowed an attacker to shop for free has been reported in [32]: the attacker controls a SP and obtains an account identifier from PayPal for paying herself; later on, she replays this value in a subsequent session with a vulnerable SP where she purchases a product by paying herself. Recently, a token fixation attack in PayPal Express Checkout flow was discovered [18] which is very similar to the session fixation attack in OAuth 1.0 [10].…”

“…The aforementioned attacks have been discovered through a variety of domain-specific techniques with different levels of complexity, ranging from formal verification [23], white-box analysis [35], black-box testing [32], to manual testing [18]. In this paper, we pursue a different approach and propose an automatic black-box testing technique for security-critical MPWAs.…”

“…Upon successful verification of the transaction details, SP sends U the status of the purchase order (step 13). A serious vulnerability in the integration of the PayPal Payments Standard protocol in osCommerce v2.3.1 and AbanteCart v1.0.4 that allowed a malicious party to shop for free was discovered in [32]. The attack is as follows: from a session S 1 of the protocol involving the PSP and the malicious party controlling both a user (U M ) and a SP (SP M ), the malicious party obtains a payee (merchant) identifier.…”

“…While MPWAs for SSO and CaaS scenarios received a considerable attention (see, e.g., [29], [34], [35], [37], [36], [39], [32]), there are several other security critical MPWAs that are in need of close scrutiny. For instance, websites often send security-sensitive URIs to their users via email for verification purposes.…”

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

“…Similar attacks have also been detected in CaaS-enabled scenarios [35], [32]. For instance, a vulnerability in osCommerce v2.3.1 that allowed an attacker to shop for free has been reported in [32]: the attacker controls a SP and obtains an account identifier from PayPal for paying herself; later on, she replays this value in a subsequent session with a vulnerable SP where she purchases a product by paying herself. Recently, a token fixation attack in PayPal Express Checkout flow was discovered [18] which is very similar to the session fixation attack in OAuth 1.0 [10].…”

“…The aforementioned attacks have been discovered through a variety of domain-specific techniques with different levels of complexity, ranging from formal verification [23], white-box analysis [35], black-box testing [32], to manual testing [18]. In this paper, we pursue a different approach and propose an automatic black-box testing technique for security-critical MPWAs.…”

“…Upon successful verification of the transaction details, SP sends U the status of the purchase order (step 13). A serious vulnerability in the integration of the PayPal Payments Standard protocol in osCommerce v2.3.1 and AbanteCart v1.0.4 that allowed a malicious party to shop for free was discovered in [32]. The attack is as follows: from a session S 1 of the protocol involving the PSP and the malicious party controlling both a user (U M ) and a SP (SP M ), the malicious party obtains a payee (merchant) identifier.…”

“…While MPWAs for SSO and CaaS scenarios received a considerable attention (see, e.g., [29], [34], [35], [37], [36], [39], [32]), there are several other security critical MPWAs that are in need of close scrutiny. For instance, websites often send security-sensitive URIs to their users via email for verification purposes.…”

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

“…In comparison, our approaches can cover not only these two attacks, but also forceful browsing attack. InteGuard [24] and EURECOM [25] attempt to secure multi-party web applications. LogicScope [26] , SENTINEL [6] and BLOCK [21] make use of session information to construct application specifications.…”

Lom: Discovering logic flaws within MongoDB-based web applications

Bulwark: Holistic and Verified Security Monitoring of Web Protocols