Evaluating the web-application resiliency to business-layer DoS attacks

  • Received: 2019.04.05
  • Reviewed: 2019.08.28
  • Published: 2020.06.08

Abstract

A denial-of-service (DoS) attack is a serious attack that targets web applications. According to Imperva, DoS attacks in the application layer comprise 60% of all the DoS attacks. Nowadays, attacks have grown into application- and business-layer attacks, and vulnerability-analysis tools are unable to detect business-layer vulnerabilities (logic-related vulnerabilities). This paper presents the business-layer dynamic application security tester (BLDAST) as a dynamic, black-box vulnerability-analysis approach to identify the business-logic vulnerabilities of a web application against DoS attacks. BLDAST evaluates the resiliency of web applications by detecting vulnerable business processes. The evaluation of six widely used web applications shows that BLDAST can detect the vulnerabilities with 100% accuracy. BLDAST detected 30 vulnerabilities in the selected web applications; more than half of the detected vulnerabilities were new and unknown. Furthermore, the precision of BLDAST for detecting the business processes is shown to be 94%, while the generated user navigation graph is improved by 62.8% because of the detection of similar web pages.

Cited by

  1. Research on Crude Oil Trade Procurement Model Based on DEA-Malmquist Algorithm vol.2021, 2020, https://doi.org/10.1155/2021/6360439
  2. Deep Learning for the Industrial Internet of Things (IIoT): A Comprehensive Survey of Techniques, Implementation Frameworks, Potential Applications, and Future Directions vol.21, pp.22, 2020, https://doi.org/10.3390/s21227518