Figure 1 - uploaded by Mitra Alidoosti
The Three-Layer Architecture of a Web Application [8].

Source publication
Article
Web application vulnerability scanners cannot detect business logic vulnerabilities (vulnerabilities related to logic) because they are not able to understand the business logic of the web application. In order to identify the business logic of the web application, this paper presents BLProM, Business-Layer Process Miner, a black-box approach that identi...

Context in source publication

Context 1
... this layer validates the input data. Figure 1 shows the three-layer architecture of a web application and the position of the business layer in the web application. The presentation layer is a user interface that displays data to the user and receives inputs from the user. ...

Citations

... The created graph should then identify business processes. In our previous work BLProM [21,23,24], we state how to extract business processes from web applications in great detail. The user navigation graph is first extracted from the stored traffic by BLProM. ...
Article
Understanding the business logic of the application helps to detect the race conditions in web applications. There is no logic-aware approach for detecting race conditions. Current solutions can detect only a few race conditions or they have false positives. They also result in DoS because they send a large number of requests in parallel to the application for creating a race condition. In this paper, various client-side race conditions in a web application are classified and described. In addition, we present business-layer client-side racer (BLCSR), a black-box solution for dynamic security testing to detect client-side race conditions in the business layer of the web applications. Experiments showed that BLCSR can detect client-side race conditions. It improved the vulnerability detection time by about 96.7%. The amount of traffic generated to identify vulnerabilities has been lowered by 98.29%. Thus, BLCSR does not result in DoS.
... In contrast, Doupé et al. use a distance metric based on a prefix tree (Doupé et al., 2012). More recent works propose to measure the similarity between web pages by using their content, such as input fields (Lin et al., 2017), or buttons, anchors, and images (Alidoosti et al., 2019) ... (Oliver et al., 2013). When calculating the TLSH of an input, small changes in the input lead to small changes in the output hash. ...
... Due to exchanging essential information, applications need to be secure and available (even at peak hours and during adversary attacks). [1][2][3][4][5][6][7][8][9][10][11][12] Race condition is a class of time-related vulnerabilities. A race condition occurs when access to a common variable by various processes is not managed correctly. ...
... Then, the generated graph should be used to detect the business processes. We discussed extracting business processes in web applications in our previous work BLProM [1,2] in detail. Figure 10 depicts the steps involved in BLProM. ...
Article
Parallel execution of multiple threads of a web application will result in server-side races if the web application is not synchronized correctly. Server-side races are susceptible to flaws in the relation between the server and the database. Detecting race conditions in web applications depends on the business logic of the application. No logic-aware approach has been presented to deal with race conditions. Furthermore, most existing approaches either result in DoS or are not applicable because of false positives. In this study, the session puzzling race conditions existing in a web application are classified and described. In addition, we present Business-Layer Session Puzzling Racer, a black-box approach for dynamic application security testing, to detect the business-layer vulnerability of the application against session puzzling race conditions. Experiments on well-known and widely used web applications showed that Business-Layer Session Puzzling Racer is able to detect the business layer vulnerabilities of these applications against race conditions. In addition, the amount of traffic generated to identify the vulnerabilities has been improved by about 94.38
Article
The parallel execution of multiple threads of a web application will cause races if the web application is not synchronized correctly. Detecting the race condition in web applications depends on the application's business logic. No logic-aware approach has been presented so far for detecting various race conditions in web applications. The existing approaches only detect part of server-side races or a few client-side race conditions. Most existing approaches result in DoS or they have a high vulnerability detection time. In this study, various race conditions existing in a web application, both on the server-side and on the client-side, are classified and described. In addition, we present Semantic Web Racer, a black-box approach for dynamic application security testing, to detect the business-layer vulnerability of the web application against race conditions both on the server-side and on the client-side. Semantic Web Racer detects race conditions by identifying the business logic of the web application. First, it identifies the business processes in the web application and, by defining a trace pattern for each type of race condition, identifies critical business processes. The detected critical processes are performed in the defined race window in both normal mode and race-prone mode, and the results are checked to identify vulnerabilities. The evaluation of well-known and widely used web applications and web pages shows that Semantic Web Racer can detect the business layer vulnerabilities of these applications against race conditions. Experiments showed that out of 38 detected race conditions by Semantic Web Racer in selected applications, 24 are new vulnerabilities that were not identified by related works. The amount of traffic generated to identify vulnerabilities has been improved by about 98.29% by identifying the business layer of the application. Thus, Semantic Web Racer does not result in DoS. Semantic Web Racer has improved race detection time by about 96.78%.
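The abstracts above describe the same detection idea from two sides: a race condition is an unmanaged check-then-act on shared state, and it is detected by running a critical business process once in normal (sequential) mode and once in race-prone (concurrent) mode inside a race window, then comparing the outcomes. The following is an added, self-contained illustration of that comparison; it is not code from BLCSR, Business-Layer Session Puzzling Racer or Semantic Web Racer. The in-memory account, the two withdraw handlers, the `pause` hook that stands in for a slow round trip, and the barrier used to open a deterministic race window are all constructed assumptions for the example.

```python
import threading


class Account:
    """Constructed stand-in for a row in the application's database."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, pause):
    # Check-then-act with nothing tying the two together: every request that
    # reads a sufficient balance will go on to debit it, however many there are.
    if acct.balance >= amount:
        pause()                     # assumed slow step (second round trip, validation, ...)
        acct.balance -= amount
        return True
    return False


def withdraw_safe(acct, amount, pause):
    # The slow step happens outside the critical section; the check and the
    # debit are then one atomic operation (the in-process analogue of a
    # conditional UPDATE ... WHERE balance >= amount).
    pause()
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
    return False


def run_mode(handler, initial, amount, n, parallel):
    """Run n requests of the business process and return (successes, final balance)."""
    acct = Account(initial)
    if not parallel:
        # Normal mode: one request at a time, no race window at all.
        results = [handler(acct, amount, lambda: None) for _ in range(n)]
    else:
        # Race-prone mode: all n requests block at the barrier inside the
        # handler's slow step, so they all resume in the same race window.
        barrier = threading.Barrier(n)
        results = [None] * n

        def worker(i):
            results[i] = handler(acct, amount, barrier.wait)

        threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    return sum(results), acct.balance


def race_check(handler, initial=100, amount=30, n=5):
    """Compare normal and race-prone outcomes; a difference flags a race condition."""
    normal = run_mode(handler, initial, amount, n, parallel=False)
    raced = run_mode(handler, initial, amount, n, parallel=True)
    return {"normal": normal, "race_prone": raced, "vulnerable": normal != raced}


if __name__ == "__main__":
    for name, handler in (("racy", withdraw_racy), ("safe", withdraw_safe)):
        print(name, race_check(handler))
```

With a balance of 100 and five concurrent withdrawals of 30, the racy handler lets all five succeed and drives the balance to -50 in race-prone mode, while normal mode allows only three; the mismatch is the detection signal. The locked handler produces the same result in both modes, so it is reported as not vulnerable. Real black-box tools have to infer the process and the race window from traffic rather than from a barrier, but the comparison logic is the same.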