Toward black-box detection of logic flaws in web applications

Pellegrino, Giancarlo; Balzarotti, Davide
NDSS 2014, Network and Distributed System Security Symposium, 23-26 February 2014, San Diego, USA

Web applications play a very important role in many critical areas, including online banking, health care, and personal communication. This, combined with the limited security training of many web developers, makes web applications one of the most common targets for attackers. In the past, researchers have proposed a large number of white- and black-box techniques to test web applications for the presence of several classes of vulnerabilities. However, traditional approaches focus mostly on the detection of input validation flaws, such as SQL injection and cross-site scripting. Unfortunately, logic vulnerabilities specific to particular applications remain outside the scope of most of the existing tools and still need to be discovered by manual inspection. In this paper we propose a novel black-box technique to detect logic vulnerabilities in web applications. Our approach is based on the automatic identification of a number of behavioral patterns starting from a few network traces in which users interact with a certain application. Based on the extracted model, we then generate targeted test cases following a number of common attack scenarios. We applied our prototype to seven real-world e-commerce web applications, discovering ten very severe and previously unknown logic vulnerabilities.

Digital Security
© ISOC. Personal use of this material is permitted. The definitive version of this paper was published in NDSS 2014, Network and Distributed System Security Symposium, 23-26 February 2014, San Diego, USA, and is available at: