DetLogic: A black-box approach for detecting logic vulnerabilities in web applications

G. Deepa, P. Santhi Thilagam, Amit Praseed, Alwyn R. Pais

Research output: Contribution to journalArticlepeer-review

29 Citations (Scopus)

Abstract

Web applications are subject to attacks by malicious users owing to the fact that the applications are implemented by software developers with insufficient knowledge about secure programming. The implementation flaws arising due to insecure coding practices allow attackers to exploit the application in order to perform adverse actions leading to undesirable consequences. These flaws can be categorized into injection and logic flaws. As large number of tools and solutions are available for addressing injection flaws, the focus of the attackers is shifting towards exploitation of logic flaws. The logic flaws allow attackers to compromise the application-specific functionality against the expectations of the stakeholders, and hence it is important to identify these flaws in order to avoid exploitation. Therefore, a prototype called DetLogic is developed for detecting different types of logic vulnerabilities such as parameter manipulation, access-control, and workflow bypass vulnerabilities in web applications. DetLogic employs black-box approach, and models the intended behavior of the application as an annotated finite state machine, which is subsequently used for deriving constraints related to input parameters, access-control, and workflows. The derived constraints are violated for simulating attack vectors to identify the vulnerabilities. DetLogic is evaluated against benchmark applications and is found to work effectively.

Original languageEnglish
Pages (from-to)89-109
Number of pages21
JournalJournal of Network and Computer Applications
Volume109
DOIs
Publication statusPublished - 01-05-2018

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
  • Computer Science Applications
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'DetLogic: A black-box approach for detecting logic vulnerabilities in web applications'. Together they form a unique fingerprint.

Cite this