Toward automated detection of logic vulnerabilities in web applications

Authors:
Viktoria Felmetsger;Ludovico Cavedon;Christopher Kruegel;Giovanni Vigna
Affiliations:
Computer Security Group, Department of Computer Science, University of California, Santa Barbara;Computer Security Group, Department of Computer Science, University of California, Santa Barbara;Computer Security Group, Department of Computer Science, University of California, Santa Barbara;Computer Security Group, Department of Computer Science, University of California, Santa Barbara
Venue:
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Year:
2010

Citing 21
Cited 27

Bugs as deviant behavior: a general approach to inferring errors in systems code

SOSP '01 Proceedings of the eighteenth ACM symposium on Operating systems principles
Mining specifications

POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Model Checking Programs

Automated Software Engineering
Securing web application code by static analysis and runtime protection

Proceedings of the 13th international conference on World Wide Web
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Finding security vulnerabilities in java applications with static analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Static detection of security vulnerabilities in scripting languages

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
From uncertainty to belief: inferring the specification within

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Multi-module vulnerability analysis of web-based applications

Proceedings of the 14th ACM conference on Computer and communications security
The Daikon system for dynamic detection of likely invariants

Science of Computer Programming
DSD-Crasher: A hybrid analysis tool for bug finding

ACM Transactions on Software Engineering and Methodology (TOSEM)
On Race Vulnerabilities in Web Applications

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Automatic Inference and Enforcement of Kernel Data Structure Invariants

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Automatic generation of XSS and SQL injection attacks with goal-directed model checking

SS'08 Proceedings of the 17th conference on Security symposium
AutoISES: automatically inferring security specifications and detecting violations

SS'08 Proceedings of the 17th conference on Security symposium
Using static analysis for Ajax intrusion detection

Proceedings of the 18th international conference on World wide web
JPF-SE: a symbolic execution extension to Java PathFinder

TACAS'07 Proceedings of the 13th international conference on Tools and algorithms for the construction and analysis of systems
Swaddler: an approach for the anomaly-based detection of state violations in web applications

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Defending against injection attacks through context-sensitive string evaluation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Diesel: applying privilege separation to database access

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Measuring subversions: security and legal risk in reused software artifacts

Proceedings of the 33rd International Conference on Software Engineering
Exploring the relationship betweenweb application development tools and security

WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
Static detection of access control vulnerabilities in web applications

SEC'11 Proceedings of the 20th USENIX conference on Security
A study of android application security

SEC'11 Proceedings of the 20th USENIX conference on Security
ZDVUE: prioritization of javascript attacks to discover new vulnerabilities

Proceedings of the 4th ACM workshop on Security and artificial intelligence
Fear the EAR: discovering and mitigating execution after redirect vulnerabilities

Proceedings of the 18th ACM conference on Computer and communications security
WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction

Proceedings of the 18th ACM conference on Computer and communications security
RoleCast: finding missing security checks when you do not know what checks are

Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
BLOCK: a black-box approach for detection of state violation attacks towards web applications

Proceedings of the 27th Annual Computer Security Applications Conference
ASIDE: IDE support for web application security

Proceedings of the 27th Annual Computer Security Applications Conference
SENTINEL: securing database from logic flaws in web applications

Proceedings of the second ACM conference on Data and Application Security and Privacy
SAFERPHP: finding semantic vulnerabilities in PHP applications

Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security
Hunting application-level logical errors

ESSoS'12 Proceedings of the 4th international conference on Engineering Secure Software and Systems
Supporting automated vulnerability analysis using formalized vulnerability signatures

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Enemy of the state: a state-aware black-box web vulnerability scanner

Security'12 Proceedings of the 21st USENIX conference on Security symposium
CHEX: statically vetting Android apps for component hijacking vulnerabilities

Proceedings of the 2012 ACM conference on Computer and communications security
VAM-aaS: online cloud services security vulnerability analysis and mitigation-as-a-service

WISE'12 Proceedings of the 13th international conference on Web Information Systems Engineering
Control-Flow integrity in web applications

ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Model checking database applications

TACAS'13 Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

Information Sciences: an International Journal
EARs in the wild: large-scale analysis of execution after redirect vulnerabilities

Proceedings of the 28th Annual ACM Symposium on Applied Computing
LogicScope: automatic discovery of logic vulnerabilities within web applications

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Semantic smells and errors in access control models: a case study in PHP

Proceedings of the 2013 International Conference on Software Engineering
A survey on server-side approaches to securing web applications

ACM Computing Surveys (CSUR)
Automated black-box detection of access control vulnerabilities in web applications

Proceedings of the 4th ACM conference on Data and application security and privacy
Automated detection of parameter tampering opportunities and vulnerabilities in web applications

Journal of Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Web applications are the most common way to make services and data available on the Internet. Unfortunately, with the increase in the number and complexity of these applications, there has also been an increase in the number and complexity of vulnerabilities. Current techniques to identify security problems in web applications have mostly focused on input validation flaws, such as crosssite scripting and SQL injection, with much less attention devoted to application logic vulnerabilities. Application logic vulnerabilities are an important class of defects that are the result of faulty application logic. These vulnerabilities are specific to the functionality of particular web applications, and, thus, they are extremely difficult to characterize and identify. In this paper, we propose a first step toward the automated detection of application logic vulnerabilities. To this end, we first use dynamic analysis and observe the normal operation of a web application to infer a simple set of behavioral specifications. Then, leveraging the knowledge about the typical execution paradigm of web applications, we filter the learned specifications to reduce false positives, and we use model checking over symbolic input to identify program paths that are likely to violate these specifications under specific conditions, indicating the presence of a certain type of web application logic flaws. We developed a tool, called Waler, based on our ideas, and we applied it to a number of web applications, finding previously-unknown logic vulnerabilities.