BLProM: A black-box approach for detecting business-layer processes in the web applications

Document Type: Original Article

Authors

1 Malek-Ashtar University of technology, Tehran, Iran.

2 Amirkabir University of Tehran, Tehran, Iran.

10.22108/jcs.2020.117223.1028

Abstract

Web application vulnerability scanners cannot detect business logic vulnerabilities (vulnerabilities related to logic) because they are not able to understand the business logic of the web application. To identify the business logic of the web application, this paper presents BLProM, Business-Layer Process Miner, the black-box approach that identifies business processes of the web application. Detecting business processes of the web applications can be used in dynamic security testing to identify business logic vulnerabilities in web applications. BLProM first extracts the navigation graph of the web application then identifies business processes from the navigation graph. The evaluation conducted on three well-known open-source web applications shows that BLProM can detect business logic processes. Experimental results show that BLProM improves web application scanning because it clusters web application pages and prevents scanning similar pages. The proposed approach is compared to OWASP ZAP, an open-source web scanner. We show that BLProM improves web application scanning about %96.

Keywords


[1] Common vulnerabilities and exposures. https://cve.mitre.org/cve/cve.html. [ bib ]
[2] 2015 ITRC. Identity Theft Resource Center Breach Report Hits Near Record High in 2015. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html, Accessed Feb, 2017. [ bib ]
[3] G. Pellegrino and D. Balzarotti. Toward Black-Box Detection of Logic Flaws in Web Applications. In Network and Distributed System Security symposium 2014 (NDSS2014), 2014. [ bib | DOI ]
[4] Testing for business logic, OWASP. https://www.owasp.org/index.php/Testing_for_business_logic, Accessed Feb, 2017. [ bib ]
[5] D. Balzarotti, M. Cova, V. Felmetsger, and G. Vigna. Multi-module vulnerability analysis of web-based applications. In Proceedings of the 14th ACM conference on Computer and communications security, page 25–35. ACM, 2007. [ bib | DOI ]
[6] A. Doupé, B. Boe, C. Kruegel, and G. Vigna. Fear the EAR: discovering and mitigating execution after redirect vulnerabilities. In Proceedings of the 18th ACM conference on Computer and communications security, page 251–262. ACM, 2011. [ bib | DOI ]
[7] V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Business Logic Attacks – Bots and BATs, OWASP, 2009. In USENIX Security Symposium, 2010. [ bib ]
[8] E. Chai. Business Logic Attacks – Bots and BATs, OWASP, 2009. https://www.owasp.org/images/a/aa/OWASP_Cincinnati_Jan_2011.pdf, Accessed Feb. 2017. [ bib ]
[9] X. Li and Y. Xue. BLOCK: a black-box approach for detection of state violation attacks towards web applications. In Proceedings of the 27th Annual Computer Security Applications Conference, page 247–256, 2011. [ bib | DOI ]
[10] M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna. Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications. In Giovanni, pages 63--86. Springer, Berlin, Heidelberg, 2007. [ bib | DOI ]
[11] X. Li, W. Yan, and Y. Xue. SENTINEL: securing database from logic flaws in web applications. In Proceedings of the second ACM conference on Data and Application Security and Privacy, page 25–36, 2012. [ bib | DOI ]
[12] M. Alidoosti and A. Nowroozi. BLDAST: business-layer Dynamic Application Security Tester of the web application in order to detect web application vulnerabilities against flooding DoS attacks. In Iran Society of Cryptology Conference, shiraz, Iran. in Persian, 2017. [ bib ]
[13] M. Alidoosti, A. Nowroozi, and A. Nickabadi. Evaluating the Web-Application Resiliency to Business-Layer DoS Attacks. ETRI Journal, 2019. [ bib | DOI ]
[14] M. Alidoosti and A. Nowroozi. BLTOCTTOU: business-layer dynamic application security tester of the web application in order to detect web application vulnerabilities against Race Condition attacks. In Computer Society of Iran Conference, Tehran, Iran. in Persian, 2018. [ bib ]
[15] M. Alidoosti and A. Nowroozi. BLProM: Business-layer process miner of the web application. In ISCISC, pages 1--6. IEEE, 2018. [ bib | DOI ]
[16] V. Crescenzi, P. Merialdo, and P. Missier. Clustering Web pages based on their structure. Data & Knowledge Engineering, 54(3):279--299, 2005. [ bib | DOI ]

Volume 6, Issue 2
Summer and Autumn 2019
Pages 65-80
  • Receive Date: 24 May 2019
  • Revise Date: 22 December 2019
  • Accept Date: 09 February 2020