Attack Patterns For Black-Box Security Testing Of Multi-Party Web Applications

Avinash Sudhodanan, A. Armando, R. Carbone, L. Compagna
Published 2016 · Computer Science

The advent of Software-as-a-Service (SaaS) has led to the development of multi-party web applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and protocols such as Cashier-as-a-Service (CaaS) and Single Sign-On (SSO) to deliver business services to users. Motivated by the large number of attacks discovered against MPWAs and by the lack of a single general-purpose, application-agnostic technique to support their discovery, we propose an automatic technique based on attack patterns for black-box security testing of MPWAs. Our approach stems from the observation that attacks against popular MPWAs share a number of similarities, even if the underlying protocols and services are different. In this paper, we target six different replay attacks, a login CSRF attack and a persistent XSS attack. Firstly, we propose a methodology in which security experts can create attack patterns from known attacks. Secondly, we present a security testing framework that leverages attack patterns to automatically generate test cases for testing the security of MPWAs. We implemented our ideas on top of OWASP ZAP (a popular, open-source penetration testing tool), created seven attack patterns that correspond to thirteen prominent attacks from the literature, and discovered twenty-one previously unknown vulnerabilities in prominent MPWAs (e.g., …), including MPWAs that do not belong to the SSO and CaaS families.
This paper references
SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities
Y. Zhou (2014)
Toward Black-Box Detection of Logic Flaws in Web Applications
G. Pellegrino (2014)
The ZAP Zest Add-on. AddOn Zest
AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations
Guangdong Bai (2013)
Vulnerability Rewards Program Rules.
Log In with PayPal demo site. loginwithpaypal-live
The most common oauth2 vulnerability. 2012/07/saferweb-most-common-oauth2.html
Integrate Log In with PayPal. integration/direct/identity/log-in-with-paypal
Stripe Checkout.
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps
A. Armando (2008)
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications
P. Bisht (2010)
How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores
Rui Wang (2011)
Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on
C. Mainka (2016)
Towards a Formal Foundation of Web Security
Devdatta Akhawe (2010)
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization
R. Wang (2013)
OAuth 2.0 Threat Model and Security Considerations
T. Lodderstedt (2013)
OAuth 2.0 Playground. oauthplayground
On Breaking SAML: Be Whoever You Want to Be
Juraj Somorovsky (2012)
Attack pattern-based combinatorial testing
Josip Bozic (2014)
OAuth Security Advisory: 2009.1.
Api Instagram
Account hijacking by leaking authorization code
Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
R. Wang (2012)
PayPal Payments Standard. paypal-payments-standard
LogIn to experience INstant
0 Technical Overview. http://wiki.
Consortium (2008)
Token Fixation in PayPal. token-fixation-in-paypal.html
Covert Redirect
Securing Multiparty Online Services Via Certification of Symbolic Transactions
Eric Y. Chen (2015)
A graph-based system for network-vulnerability analysis
C. Phillips (1998)
Robust defenses for cross-site request forgery
A. Barth (2008)
The Jython Project
From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?
A. Armando (2011)
Detecting Logic Vulnerabilities in E-commerce Applications
Fangqi Sun (2014)
InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations
Luyi Xing (2013)
Discovering Concrete Attacks on Website Authorization by Formal Analysis
Chetan Bansal (2012)

This paper is referenced by
Il Futuro della Cybersecurity in Italia: Ambiti Progettuali Strategici
Anglano Cosimo (2018)
SoK: Single Sign-On Security — An Evaluation of OpenID Connect
C. Mainka (2017)
Large-Scale Analysis & Detection of Authentication Cross-Site Request Forgeries
Avinash Sudhodanan (2017)
Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
Giada Sciarretta (2018)
Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities
Abner Mendoza (2018)
Aegis: Automatic Enforcement of Security Policies in Workflow-driven Web Applications
Luca Compagna (2017)
Model-driven Security Testing of SAML Single Sign-On System
Weitao Hou (2018)
Ontology-driven Security Testing of Web Applications
Josip Bozic (2020)
Inferring Implicit Assumptions and Correct Usage of Mobile Payment Protocols
Quanqi Ye (2017)
Database and Expert Systems Applications: DEXA 2020 International Workshops BIOKDD, IWCFS and MLKgraphs, Bratislava, Slovakia, September 14–17, 2020, Proceedings
Mohit Kumar (2020)
Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
Giada Sciarretta (2017)
Analyzing the Validation Flaws of Online Shopping Systems Based on Coloured Petri Nets
Wangyang Yu (2019)
Show Me the Money! Finding Flawed Implementations of Third-party In-app Payment in Android Apps
W. Yang (2017)
Planning-based security testing of web applications with attack grammars
Josip Bozic (2020)
A Grey-Box Approach for Detecting Malicious User Interactions in Web Applications
Wafa Ben Jaballah (2016)
Security analysis of third-party in-app payment in mobile applications
Wenbo Yang (2019)
On message-level security
C. Mainka (2017)
A Combinatorial Approach to Analyzing Cross-Site Scripting (XSS) Vulnerabilities in Web Application Security Testing
Dimitris E. Simos (2016)
Some data provided by SemanticScholar