Discovering Authorization Business Rules toward Detecting Web Applications Logic Flaws
Authors: Hamza Alkofahi, D. Umphress, Heba Alawneh
Venue: 2022 International Arab Conference on Information Technology (ACIT), published 2022-11-22
DOI: 10.1109/ACIT57182.2022.9994086 (https://doi.org/10.1109/ACIT57182.2022.9994086)
Citation count: 0
Abstract
Aggressive integration of validation checks into web framework software has altered the attack surface of web applications by reducing the opportunity for traditional injection flaws. The hacking community's reaction has shifted to a more subtle - and more challenging to detect - form of attack: discovering and exploiting the underlying application business logic. The lack of accurate business rules defining the final application product extends its logical vulnerability surface. We propose a novel black-box approach for discovering authorization business rules in web applications through users' dynamic behavior, allowing applications that lack formal specifications to be better tested for logic vulnerabilities. Our approach discovers groups using agglomerative hierarchical clustering based on different profiling techniques that capture users' actions and privileges. We also automated the process of identifying the optimal number of roles. The results indicated high quality and stability in discovering business rules, even in smaller datasets.