TY - JOUR
T1 - DetLogic
T2 - A black-box approach for detecting logic vulnerabilities in web applications
AU - Deepa, G.
AU - Thilagam, P. Santhi
AU - Praseed, Amit
AU - Pais, Alwyn R.
N1 - Funding Information:
This work was a part of the R&D project entitled “Development of tool for detection of XML based injection vulnerabilities in web applications”, and was supported by the Ministry of Communications and Information Technology (MCIT) (currently known as Ministry of Electronics and Information Technology (MeiTY)), Government of India.
Publisher Copyright:
© 2018 Elsevier Ltd
PY - 2018/5/1
Y1 - 2018/5/1
N2 - Web applications are subject to attacks by malicious users owing to the fact that the applications are implemented by software developers with insufficient knowledge about secure programming. The implementation flaws arising from insecure coding practices allow attackers to exploit the application in order to perform adverse actions leading to undesirable consequences. These flaws can be categorized into injection and logic flaws. As a large number of tools and solutions are available for addressing injection flaws, the focus of attackers is shifting towards the exploitation of logic flaws. Logic flaws allow attackers to compromise application-specific functionality against the expectations of the stakeholders, and hence it is important to identify these flaws in order to avoid exploitation. Therefore, a prototype called DetLogic is developed for detecting different types of logic vulnerabilities, such as parameter manipulation, access-control, and workflow bypass vulnerabilities, in web applications. DetLogic employs a black-box approach and models the intended behavior of the application as an annotated finite state machine, which is subsequently used for deriving constraints related to input parameters, access-control, and workflows. The derived constraints are violated to simulate attack vectors and thereby identify the vulnerabilities. DetLogic is evaluated against benchmark applications and is found to work effectively.
AB - Web applications are subject to attacks by malicious users owing to the fact that the applications are implemented by software developers with insufficient knowledge about secure programming. The implementation flaws arising from insecure coding practices allow attackers to exploit the application in order to perform adverse actions leading to undesirable consequences. These flaws can be categorized into injection and logic flaws. As a large number of tools and solutions are available for addressing injection flaws, the focus of attackers is shifting towards the exploitation of logic flaws. Logic flaws allow attackers to compromise application-specific functionality against the expectations of the stakeholders, and hence it is important to identify these flaws in order to avoid exploitation. Therefore, a prototype called DetLogic is developed for detecting different types of logic vulnerabilities, such as parameter manipulation, access-control, and workflow bypass vulnerabilities, in web applications. DetLogic employs a black-box approach and models the intended behavior of the application as an annotated finite state machine, which is subsequently used for deriving constraints related to input parameters, access-control, and workflows. The derived constraints are violated to simulate attack vectors and thereby identify the vulnerabilities. DetLogic is evaluated against benchmark applications and is found to work effectively.
UR - http://www.scopus.com/inward/record.url?scp=85044864053&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85044864053&partnerID=8YFLogxK
U2 - 10.1016/j.jnca.2018.01.008
DO - 10.1016/j.jnca.2018.01.008
M3 - Article
AN - SCOPUS:85044864053
SN - 1084-8045
VL - 109
SP - 89
EP - 109
JO - Journal of Network and Computer Applications
JF - Journal of Network and Computer Applications
ER -