Detecting Logic Vulnerabilities in E-commerce Applications

Sun, Fangqi; Xu, Liang; Su, Zhendong

doi:10.14722/ndss.2014.23351

Cited by 26 publications

(14 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similar attacks have also been detected in CaaS-enabled scenarios [35], [32]. For instance, a vulnerability in osCommerce v2.3.1 that allowed an attacker to shop for free has been reported in [32]: the attacker controls a SP and obtains an account identifier from PayPal for paying herself; later on, she replays this value in a subsequent session with a vulnerable SP where she purchases a product by paying herself.…”

Section: Introductionmentioning

confidence: 67%

“…This shows how our technique can cover the kinds of attacks that were reported in literature. For instance, in [35], the authors mention that a logical vulnerability in the 2Checkout integration in osCommerce v2.3 enables an attacker to reuse the payment status values of the paid order to bypass payment for future orders (cf. #4 of Table I).…”

Section: B Resultsmentioning

confidence: 99%

“…The aforementioned attacks have been discovered through a variety of domain-specific techniques with different levels of complexity, ranging from formal verification [23], white-box analysis [35], black-box testing [32], to manual testing [18]. In this paper, we pursue a different approach and propose an automatic black-box testing technique for security-critical MPWAs.…”

Section: Introductionmentioning

confidence: 99%

“…While MPWAs for SSO and CaaS scenarios received a considerable attention (see, e.g., [29], [34], [35], [37], [36], [39], [32]), there are several other security critical MPWAs that are in need of close scrutiny. For instance, websites often send security-sensitive URIs to their users via email for verification purposes.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

Sudhodanan¹,

Armando²,

Carbone³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-The advent of Software-as-a-Service (SaaS) has led to the development of multi-party web applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and protocols such as Cashier-as-aService (CaaS), Single Sign-On (SSO) to deliver business services to users. Motivated by the large number of attacks discovered against MPWAs and by the lack of a single general-purpose application-agnostic technique to support their discovery, we propose an automatic technique based on attack patterns for black-box, security testing of MPWAs. Our approach stems from the observation that attacks against popular MPWAs share a number of similarities, even if the underlying protocols and services are different. In this paper, we target six different replay attacks, a login CSRF attack and a persistent XSS attack. Firstly, we propose a methodology in which security experts can create attack patterns from known attacks. Secondly, we present a security testing framework that leverages attack patterns to automatically generate test cases for testing the security of MPWAs. We implemented our ideas on top of OWASP ZAP (a popular, open-source penetration testing tool), created seven attack patterns that correspond to thirteen prominent attacks from the literature and discovered twenty one previously unknown vulnerabilities in prominent MPWAs (e.g., twitter.com, developer.linkedin.com, pinterest.com), including MPWAs that do not belong to SSO and CaaS families.

show abstract

Section: Introductionmentioning

confidence: 67%

Section: B Resultsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

Sudhodanan¹,

Armando²,

Carbone³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Several techniques have been used in attempts to detect taint-style vulnerabilities, including XSS and SQLI, via static analyses [43,49,63,65] or dynamic executions [29,53]. Conducting symbolic execution has also been explored for finding logic bugs [59,62] and generating attack exploits [26]. However, few research studies have addressed finding U(E)FU vulnerabilities [40].…”

Section: Introductionmentioning

confidence: 99%

FUSE: Finding File Upload Bugs via Penetration Testing

Lee¹,

Lee³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

An Unrestricted File Upload (UFU) vulnerability is a critical security threat that enables an adversary to upload her choice of a forged file to a target web server. This bug evolves into an Unrestricted Executable File Upload (UEFU) vulnerability when the adversary is able to conduct remote code execution of the uploaded file via triggering its URL. We design and implement FUSE, a penetration testing tool designed to discover UFU and UEFU vulnerabilities in server-side PHP web applications. The goal of FUSE is to generate upload requests; each request becomes an exploit payload that triggers a UFU or UEFU vulnerability. However, this approach entails two technical challenges: (1) it should generate an upload request that bypasses all content-filtering checks present in a target web application; and (2) it should preserve the execution semantic of the resulting uploaded file. We address these technical challenges by mutating standard upload requests with carefully designed mutations that enable the bypassing of content-filtering checks and do not tamper with the execution of uploaded files. FUSE discovered 30 previously unreported UEFU vulnerabilities, including 15 CVEs from 33 real-world web applications, thereby demonstrating its efficacy in finding code execution bugs via file uploads.

show abstract

Static Detection of File Access Control Vulnerabilities on Windows System

Lü

Wang

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

Summary Traditional applications have been developed for decades. Most of the security research around them have focused on the detection of memory corruption vulnerabilities, such as buffer overflow, double fetch, and integer overflow. On the contrary, logic bugs, a kind of flaws caused by unreasonable application logic, attract much less attention. Files are the most common media for programs to persist their data in the system. As the file owners, programs are responsible for protecting their files from malicious users' tampering by leveraging access control mechanisms. However, if a program configures their access control mechanisms in wrong ways and causes evil users to bypass security checks to access files, there exists a file access control vulnerability. As a branch of logic flaws, file access control vulnerabilities are less popular with researchers. Thus, to mitigate the harm of the file access control vulnerabilities on Windows system, our team conducted first‐step research on them. We first classified file access control bugs into two types and codified some bug patterns. Then we formalized file access control vulnerabilities to propose a scalable detection method and implemented a lightweight analysis system StaticFAC. After evaluating StaticFAC in real‐world Windows software, we discovered 15 0‐day bugs.

show abstract

Detecting Logic Vulnerabilities in E-commerce Applications

Cited by 26 publications

References 24 publications

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications

FUSE: Finding File Upload Bugs via Penetration Testing

Static Detection of File Access Control Vulnerabilities on Windows System

Contact Info

Product

Resources

About