LogicScope: automatic discovery of logic vulnerabilities within web applications

Authors:
Xiaowei Li;Yuan Xue
Affiliations:
Vanderbilt University, Nashville, TN, USA;Vanderbilt University, Nashville, TN, USA
Venue:
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Year:
2013

Citing 8
Cited 2

DART: directed automated random testing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Swaddler: an approach for the anomaly-based detection of state violations in web applications

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
A Symbolic Execution Framework for JavaScript

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications

Proceedings of the 17th ACM conference on Computer and communications security
Toward automated detection of logic vulnerabilities in web applications

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Static detection of access control vulnerabilities in web applications

SEC'11 Proceedings of the 20th USENIX conference on Security
BLOCK: a black-box approach for detection of state violation attacks towards web applications

Proceedings of the 27th Annual Computer Security Applications Conference
SENTINEL: securing database from logic flaws in web applications

Proceedings of the second ACM conference on Data and Application Security and Privacy

A survey on server-side approaches to securing web applications

ACM Computing Surveys (CSUR)
Automated black-box detection of access control vulnerabilities in web applications

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Logic flaws are an important class of vulnerabilities within web applications, which allow sensitive information and restrictive operations to be accessed at inappropriate application states. In this paper, we take a first step towards a systematic black-box approach to identifying logic vulnerabilities within web applications. We first construct a partial FSM over the expected input domain by collecting and analyzing the execution traces when users follow the navigation paths within the web application. Then, we test the application at each state by constructing unexpected input vectors and evaluating corresponding web responses. We implement a prototype system LogicScope and demonstrate its effectiveness using a set of real world web applications.