BFT (business flow tampering) leverages client-side manipulation to gain access to protected resources or to execute functions in an unauthorized way. Logical flaws present in the codebase can also be exploited.
A simple representation of the application logic is sufficient to perform automated reasoning and to generate test cases that are likely to expose logic vulnerabilities. By analyzing the network traffic generated by a user interacting with a certain application functionality, heuristics can be applied to infer the underlying application logic with sufficient precision.
The targets of this study are e-commerce web applications.
Contributions
- We introduce a new black-box technique to test applications for logic vulnerabilities
- We present the implementation of a tool and show how it can be used to test several real web applications, even with very limited knowledge of the application and a small number of network traces
- We discover ten previously unknown vulnerabilities in well-known and widely deployed web applications. Most of these vulnerabilities have a very high impact and would allow an attacker to buy online for free from hundreds of thousands of online stores
Using HTTP conversations to build a model of the application
Analyzing the HTTP conversation is a passive black-box testing approach to modeling an application. This method does not require access to the source code or crawling the application’s pages.
Collecting HTTP traces
The traces are manually generated by a user interacting with the application (see HTTP trace collection). For simplicity, the analyzed pattern consists of the following steps:
- Logging in
- Adding items to the shopping cart
- Checking out
Other functionalities could also be examined, but the payment process is one of the most critical aspects of the business logic.
The traces are collected from the client, which communicates with multiple servers (typically, the web server handling the store and a separate server responsible for payments, often a third-party service).
Constructing a model of the application
Resource abstraction and clustering
- This process synthesizes the application's resources by abstracting away communication details (e.g., parameter values, session identifiers) and grouping similar responses. Each cluster contains the essential information for a specific phase or state of the application.
Navigation graph
- Each cluster represents a phase or logical operation within the application. Clusters are connected based on timestamps and logical dependencies (e.g., adding items to the shopping cart before viewing the updated cart). The entry and exit points of the graph are predefined (logging in and checking out).
Generation of attack patterns
The navigation graph, which serves as a model of the application, is leveraged to generate various attack patterns, such as:
- Repeating operations in unintended ways (e.g., applying multiple discounts, altering the sequence of operations).
- Bypassing critical nodes (e.g., avoiding redirection to PayPal to complete a payment or using session data from other users).
For each attack pattern, a corresponding test case is generated. The test defines the sequence of nodes (clusters) to traverse and the operations required to execute the attack.
Test execution
The test details (e.g., current parameter values and tokens) are retrieved dynamically while the test is executed against the real target.
The test results are evaluated against a test oracle, which is derived through logical inference (e.g., an order confirmation must not occur before payment is completed).
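The whole pipeline described in these notes (resource abstraction of a trace, clustering into a navigation graph, generation of repeat/swap/skip attack patterns, and evaluation against a logic oracle) condensed into an added Python example. This is illustration code written for these notes, not the paper's tool. The trace, the hosts shop.example and pay.example, the heuristic that treats a node served by a foreign host as the critical (payment) node, and the simulated store are all constructed assumptions. The store is run once with the confirmation step trusting the client (the flaw the oracle should catch) and once keeping the payment state server-side (the fix).

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed HTTP trace of one happy-path session: (timestamp, method, URL).
# Hosts and paths are assumptions for the example; "pay.example" plays the
# role of the third-party payment server mentioned in the notes.
TRACE = [
    (1, "POST", "https://shop.example/login?user=alice&pw=x"),
    (2, "POST", "https://shop.example/cart/add?item=42&qty=1"),
    (3, "GET",  "https://shop.example/cart/view"),
    (4, "POST", "https://shop.example/checkout/start"),
    (5, "GET",  "https://pay.example/pay?order=1001&amount=30"),
    (6, "GET",  "https://shop.example/checkout/confirm?order=1001&token=t1"),
]


def abstract(method, url):
    """Resource abstraction: keep method, host, path and parameter *names*;
    drop the values so requests differing only in values share a cluster."""
    parts = urlsplit(url)
    names = tuple(sorted(parse_qs(parts.query).keys()))
    return (method, parts.netloc, parts.path, names)


def build_model(trace):
    """Cluster the trace into abstract resources and link clusters in
    timestamp order. Returns the happy path (entry = first node, exit = last)
    and the navigation graph as node -> set of successor nodes."""
    ordered = [abstract(m, u) for _, m, u in sorted(trace)]
    path = list(dict.fromkeys(ordered))  # one node per cluster, first-seen order
    graph = defaultdict(set)
    for a, b in zip(ordered, ordered[1:]):
        graph[a].add(b)
    return path, graph


def critical_nodes(path):
    """Assumed heuristic: a step served by a host other than the store's own
    host (here the payment provider) is a critical node."""
    store_host = path[0][1]
    return [n for n in path if n[1] != store_host]


def generate_tests(path, critical):
    """Attack patterns from the model: repeat a step, swap two adjacent steps
    (alter the sequence), or skip a critical step entirely."""
    tests = {}
    for i, node in enumerate(path):
        tests[f"repeat:{node[2]}"] = path[: i + 1] + [node] + path[i + 1 :]
    for i in range(len(path) - 1):
        seq = list(path)
        seq[i], seq[i + 1] = seq[i + 1], seq[i]
        tests[f"swap:{path[i][2]}<->{path[i + 1][2]}"] = seq
    for node in critical:
        tests[f"skip:{node[2]}"] = [n for n in path if n != node]
    return tests


class Store:
    """Simulated target. check_payment=False reproduces the logic flaw:
    /checkout/confirm never verifies that payment happened. check_payment=True
    keeps the payment state server-side and refuses to confirm without it."""

    def __init__(self, check_payment):
        self.check_payment = check_payment
        self.reset()

    def reset(self):
        self.state = {"logged_in": False, "cart": 0, "paid": False, "confirmed": False}

    def handle(self, node):
        _method, host, path, _params = node
        s = self.state
        if path == "/login":
            s["logged_in"] = True
        elif path == "/cart/add" and s["logged_in"]:
            s["cart"] += 1
        elif host == "pay.example":
            s["paid"] = True
        elif path == "/checkout/confirm" and (s["paid"] or not self.check_payment):
            s["confirmed"] = True
        return dict(s)  # snapshot of the server state after this request


def oracle(states):
    """Oracle inferred from the business logic: at no point may an order be
    confirmed while its payment has not been completed."""
    return all(st["paid"] or not st["confirmed"] for st in states)


def run_tests(store, tests):
    """Execute each test sequence; True = behaved correctly, False = flaw."""
    results = {}
    for name, seq in tests.items():
        store.reset()
        results[name] = oracle([store.handle(n) for n in seq])
    return results


if __name__ == "__main__":
    path, _graph = build_model(TRACE)
    tests = generate_tests(path, critical_nodes(path))
    for name, ok in run_tests(Store(check_payment=False), tests).items():
        print(("OK   " if ok else "FLAW ") + name)
```

Against the flawed store, exactly two generated tests violate the oracle: skipping the payment node and swapping payment with confirmation, which is the "confirmation before payment" case the notes use as the oracle's example. Against the store that checks its own payment state, every sequence passes, showing that the defence is to keep the state transition on the server rather than in anything the client can reorder or omit.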