Security practices such as Audits that often focus on penetration testing are performed to find flaws in some types of vulnerability & use tools, which have been tailored to resolve certain risks based on code err...Security practices such as Audits that often focus on penetration testing are performed to find flaws in some types of vulnerability & use tools, which have been tailored to resolve certain risks based on code errors, code conceptual <span style="font-family:Verdana;">assumptions bugs</span><span style="font-family:Verdana;"><span style="font-family:Verdana;"><span style="font-family:Verdana;">,</span></span></span><span style="font-family:Verdana;"><span style="font-family:Verdana;"><span style="font-family:Verdana;"> etc. Most existing security practices in e-Commerce are</span></span></span><span><span><span style="font-family:;" "=""><span style="font-family:Verdana;"> dealt with as an auditing activity. They may have policies of security, which are enforced by auditors who enable a particular set of items to be reviewed, but </span><span style="font-family:Verdana;">also fail to find vulnerabilities, which have been established in complianc</span><span style="font-family:Verdana;">e </span><span style="font-family:Verdana;">with application logic. In this paper, we will investigate the problem of business</span><span style="font-family:Verdana;"> logic vulnerability in the component-based rapid development of e-commerce applications while reusing design specification of component. We propose secure application functional processing Logic Security technique for compo</span><span style="font-family:Verdana;">nent-based e-commerce application, based on security requirement of</span><span style="font-family:Verdana;"> e-business </span><span style="font-family:Verdana;">process and security assurance logical component behaviour specification</span><span style="font-family:Verdana;"> ap</span><span style="font-family:Verdana;">proach to formulize and design a solution for business logic vulnerability</span><span style="font-family:Verdana;"> phenomena.</span></span></span></span>展开更多
Logic flaws within web applications will allow malicious operations to be triggered towards back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query ...Logic flaws within web applications will allow malicious operations to be triggered towards back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB- based web applications. Our approach introduces a MongoDB operation model to support new features of MongoDB and models the application logic as a mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed for identifying logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.展开更多
文摘Security practices such as Audits that often focus on penetration testing are performed to find flaws in some types of vulnerability & use tools, which have been tailored to resolve certain risks based on code errors, code conceptual <span style="font-family:Verdana;">assumptions bugs</span><span style="font-family:Verdana;"><span style="font-family:Verdana;"><span style="font-family:Verdana;">,</span></span></span><span style="font-family:Verdana;"><span style="font-family:Verdana;"><span style="font-family:Verdana;"> etc. Most existing security practices in e-Commerce are</span></span></span><span><span><span style="font-family:;" "=""><span style="font-family:Verdana;"> dealt with as an auditing activity. They may have policies of security, which are enforced by auditors who enable a particular set of items to be reviewed, but </span><span style="font-family:Verdana;">also fail to find vulnerabilities, which have been established in complianc</span><span style="font-family:Verdana;">e </span><span style="font-family:Verdana;">with application logic. In this paper, we will investigate the problem of business</span><span style="font-family:Verdana;"> logic vulnerability in the component-based rapid development of e-commerce applications while reusing design specification of component. We propose secure application functional processing Logic Security technique for compo</span><span style="font-family:Verdana;">nent-based e-commerce application, based on security requirement of</span><span style="font-family:Verdana;"> e-business </span><span style="font-family:Verdana;">process and security assurance logical component behaviour specification</span><span style="font-family:Verdana;"> ap</span><span style="font-family:Verdana;">proach to formulize and design a solution for business logic vulnerability</span><span style="font-family:Verdana;"> phenomena.</span></span></span></span>
基金supported by China Scholarship Council,Tianjin Science and Technology Committee(No.12JCZDJC20800)Science and Technology Planning Project of Tianjin(No.13ZCZDGX01098)+2 种基金NSF TRUST(The Team for Research in Ubiquitous Secure Technology)Science and Technology Center(No.CCF-0424422)National High Technology Research and Development Program of Chia(863Program)(No.2013BAH01B05)National Natural Science Foundation of China(No.61402264)
文摘Logic flaws within web applications will allow malicious operations to be triggered towards back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB- based web applications. Our approach introduces a MongoDB operation model to support new features of MongoDB and models the application logic as a mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed for identifying logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.
