Abstract | ||
---|---|---|
ABSTRACTThe sheer complexity of web applications leaves open a large attack surface of business logic. Particularly, in some scenarios, developers have to expose a portion of the logic to the client-side in order to coordinate multiple parties (e.g. merchants, client users, and third-party payment services) involved in a business process. However, such client-side code can be tampered with on the fly, leading to business logic perturbations and financial loss. Although developers become familiar with concepts that the client should never be trusted, given the size and the complexity of the client-side code that may be even incorporated from third parties, it is extremely challenging to understand and pinpoint the vulnerability. To this end, we investigate client-side business flow tampering vulnerabilities and develop a dynamic analysis based approach to automatically identifying such vulnerabilities. We evaluate our technique on 200 popular real-world websites. With negligible overhead, we have successfully identified 27 unique vulnerabilities on 23 websites, such as New York Times, HBO, and YouTube, where an adversary can interrupt business logic to bypass paywalls, disable adblocker detection, earn reward points illicitly, etc. |
Year | DOI | Venue |
---|---|---|
2020 | 10.1145/3377811.3380355 | International Conference on Software Engineering |
Keywords | DocType | ISSN |
JavaScript, vulnerability detection, business flow tampering, dynamic analysis | Conference | 0270-5257 |
ISBN | Citations | PageRank |
978-1-7281-6519-6 | 1 | 0.34 |
References | Authors | |
0 | 7 |
Name | Order | Citations | PageRank |
---|---|---|---|
I Luk Kim | 1 | 29 | 5.07 |
Yunhui Zheng | 2 | 301 | 18.09 |
Hogun Park | 3 | 3 | 1.37 |
Weihang Wang | 4 | 45 | 7.17 |
Wei You | 5 | 14 | 3.63 |
Yousra Aafer | 6 | 264 | 13.36 |
Xiangyu Zhang | 7 | 2857 | 151.00 |