{"title":"发现授权业务规则,检测Web应用逻辑缺陷","authors":"Hamza Alkofahi, D. Umphress, Heba Alawneh","doi":"10.1109/ACIT57182.2022.9994086","DOIUrl":null,"url":null,"abstract":"Aggressive integration of validation checks into web framework software has altered the attack surface of web applications by reducing the opportunity for traditional injection flaws. The hacking community's reaction has shifted to a more subtle - and more challenging to detect - form of attacks, that of discovering and exploiting underlying application business logic. The lack of accurate business rules defining the final application product extends its logical vulnerability surface. We propose a novel black-box approach for discovering authorization business rules in web applications through users' dynamic behavior. Allowing applications that lack formal specifications to be better tested for logic vulnerabilities. Our approach discovers groups using agglomerative hierarchical clustering based on different profiling techniques that capture users' actions and privileges. We also automated the process of identifying the optimal number of roles. The results indicated high quality and stability in discovering business rules, even in smaller datasets.","PeriodicalId":256713,"journal":{"name":"2022 International Arab Conference on Information Technology (ACIT)","volume":"65 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Discovering Authorization Business Rules toward Detecting Web Applications Logic Flaws\",\"authors\":\"Hamza Alkofahi, D. Umphress, Heba Alawneh\",\"doi\":\"10.1109/ACIT57182.2022.9994086\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Aggressive integration of validation checks into web framework software has altered the attack surface of web applications by reducing the opportunity for traditional injection flaws. The hacking community's reaction has shifted to a more subtle - and more challenging to detect - form of attacks, that of discovering and exploiting underlying application business logic. The lack of accurate business rules defining the final application product extends its logical vulnerability surface. We propose a novel black-box approach for discovering authorization business rules in web applications through users' dynamic behavior. Allowing applications that lack formal specifications to be better tested for logic vulnerabilities. Our approach discovers groups using agglomerative hierarchical clustering based on different profiling techniques that capture users' actions and privileges. We also automated the process of identifying the optimal number of roles. The results indicated high quality and stability in discovering business rules, even in smaller datasets.\",\"PeriodicalId\":256713,\"journal\":{\"name\":\"2022 International Arab Conference on Information Technology (ACIT)\",\"volume\":\"65 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-11-22\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2022 International Arab Conference on Information Technology (ACIT)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ACIT57182.2022.9994086\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 International Arab Conference on Information Technology (ACIT)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ACIT57182.2022.9994086","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Discovering Authorization Business Rules toward Detecting Web Applications Logic Flaws
Aggressive integration of validation checks into web framework software has altered the attack surface of web applications by reducing the opportunity for traditional injection flaws. The hacking community's reaction has shifted to a more subtle - and more challenging to detect - form of attacks, that of discovering and exploiting underlying application business logic. The lack of accurate business rules defining the final application product extends its logical vulnerability surface. We propose a novel black-box approach for discovering authorization business rules in web applications through users' dynamic behavior. Allowing applications that lack formal specifications to be better tested for logic vulnerabilities. Our approach discovers groups using agglomerative hierarchical clustering based on different profiling techniques that capture users' actions and privileges. We also automated the process of identifying the optimal number of roles. The results indicated high quality and stability in discovering business rules, even in smaller datasets.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
