Attack Patterns For Black-Box Security Testing Of Multi-Party Web Applications

Avinash Sudhodanan, A. Armando, R. Carbone, L. Compagna
Published 2016 · Computer Science

The advent of Software-as-a-Service (SaaS) has led to the development of multi-party web applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and protocols such as Cashier-as-a-Service (CaaS) and Single Sign-On (SSO) to deliver business services to users. Motivated by the large number of attacks discovered against MPWAs and by the lack of a single general-purpose, application-agnostic technique to support their discovery, we propose an automatic technique based on attack patterns for black-box security testing of MPWAs. Our approach stems from the observation that attacks against popular MPWAs share a number of similarities, even if the underlying protocols and services are different. In this paper, we target six different replay attacks, a login CSRF attack and a persistent XSS attack. Firstly, we propose a methodology in which security experts can create attack patterns from known attacks. Secondly, we present a security testing framework that leverages attack patterns to automatically generate test cases for testing the security of MPWAs. We implemented our ideas on top of OWASP ZAP (a popular, open-source penetration testing tool), created seven attack patterns that correspond to thirteen prominent attacks from the literature, and discovered twenty-one previously unknown vulnerabilities in prominent MPWAs (e.g., twitter.com, developer.linkedin.com, pinterest.com), including MPWAs that do not belong to the SSO and CaaS families.
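As an added illustration (not the paper's ZAP-based tool and not code from the authors), the Python below models a minimal MPWA, a relying party that receives a MAC-protected assertion from a trusted third party, and applies two of the attack patterns the abstract names, replay and login CSRF, in the black-box manner described: drive one honest flow, keep the observed messages, reuse them in a different session, and check whom that session ends up logged in as. The relying party, the parameter names (token, sig, state), the session identifiers and the shared secret are all constructed assumptions. The two checks that can be toggled on the relying party (state binding and single-use assertions) show that each pattern is defeated by a different check, which is the reason a tester wants both patterns rather than one.

```python
# Constructed illustration of attack-pattern-based black-box testing of an MPWA.
# Not the paper's tool (which is built on OWASP ZAP): the relying party, the
# trusted third party, session ids and parameter names are assumptions.
import hashlib
import hmac
import secrets

SHARED_SECRET = b"ttp-rp-shared-secret"  # constructed: known only to TTP and RP


def sign(token: str) -> str:
    """MAC over the assertion: a tester cannot forge tokens, only reuse them."""
    return hmac.new(SHARED_SECRET, token.encode(), hashlib.sha256).hexdigest()


class TrustedThirdParty:
    """Simulated identity provider / cashier: produces the TTP->RP callback."""

    def callback_for(self, user: str, state: str) -> dict:
        token = f"{user}:{secrets.token_hex(4)}"
        return {"token": token, "sig": sign(token), "state": state}


class RelyingParty:
    """Simulated RP whose callback checks can be switched on and off so the
    test run shows which attack pattern each check defeats."""

    def __init__(self, check_state: bool = False, single_use: bool = False):
        self.check_state, self.single_use = check_state, single_use
        self.sessions: dict[str, dict] = {}  # session id -> {"state", "user"}
        self.used_tokens: set[str] = set()

    def start_login(self, sid: str) -> str:
        state = secrets.token_hex(8)  # anti-CSRF value bound to this session
        self.sessions.setdefault(sid, {})["state"] = state
        return state

    def callback(self, sid: str, params: dict) -> bool:
        sess = self.sessions.setdefault(sid, {})
        token, sig = params["token"], params["sig"]
        if not hmac.compare_digest(sig, sign(token)):
            return False  # forged assertion
        if self.check_state and sess.get("state") != params.get("state"):
            return False  # callback belongs to a flow this session never started
        if self.single_use:
            if token in self.used_tokens:
                return False  # assertion already consumed once
            self.used_tokens.add(token)
        sess["user"] = token.split(":", 1)[0]
        return True

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def record_honest_flow(rp, ttp, sid, user):
    """Black-box recording phase: one legitimate login, messages kept as a trace."""
    state = rp.start_login(sid)
    callback = ttp.callback_for(user, state)
    assert rp.callback(sid, callback)
    return {"start_login": {"sid": sid}, "callback": callback}


def replay_pattern(rp, trace):
    """Pattern 'replay': resend the recorded TTP->RP assertion in the attacker's
    own session, substituting the attacker's own state. Returns the identity the
    attacker's session ends up with (the victim's name means vulnerable)."""
    attacker = "attacker-" + secrets.token_hex(2)
    own_state = rp.start_login(attacker)
    forged = dict(trace["callback"], state=own_state)
    rp.callback(attacker, forged)
    return rp.whoami(attacker)


def login_csrf_pattern(rp, ttp):
    """Pattern 'login CSRF': the attacker completes their own flow, then delivers
    the resulting callback into the victim's session (e.g. a forced redirect).
    Vulnerable if the victim's session is now logged in as the attacker."""
    attacker_state = rp.start_login("attacker")
    callback = ttp.callback_for("attacker", attacker_state)
    rp.callback("victim", callback)
    return rp.whoami("victim") == "attacker"


def run_patterns(check_state: bool, single_use: bool) -> dict:
    """Apply both patterns to a fresh RP configuration and report findings."""
    rp, ttp = RelyingParty(check_state, single_use), TrustedThirdParty()
    trace = record_honest_flow(rp, ttp, "victim-session", "alice")
    return {
        "replay": replay_pattern(rp, trace) == "alice",
        "login_csrf": login_csrf_pattern(rp, ttp),
    }


if __name__ == "__main__":
    for cs in (False, True):
        for su in (False, True):
            print(f"check_state={cs!s:5} single_use={su!s:5} ->", run_patterns(cs, su))
```

Running the four configurations shows the point: state binding alone stops login CSRF but not replay (the attacker simply supplies their own state), single-use assertions alone stop replay but not login CSRF (the attacker's assertion is fresh), and only the combination defeats both patterns. A real test harness in the spirit of the paper would record the trace from a proxy such as ZAP rather than from an in-process model.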
This paper references
SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. Y. Zhou (2014).
Toward Black-Box Detection of Logic Flaws in Web Applications. G. Pellegrino (2014). doi:10.14722/NDSS.2014.23021
The ZAP Zest Add-on. https://code.google.com/p/zap-extensions/wiki/AddOn Zest
AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. Guangdong Bai (2013).
Vulnerability Rewards Program Rules. https://hackerone.com/twitter
Log In with PayPal demo site. https://lipp.ebaystratus.com/loginwithpaypal-live
The most common oauth2 vulnerability. http://homakov.blogspot.it/2012/07/saferweb-most-common-oauth2.html
Integrate Log In with PayPal. https://developer.paypal.com/docs/integration/direct/identity/log-in-with-paypal
Stripe Checkout. https://stripe.com/docs/checkout
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps. A. Armando (2008). doi:10.1145/1456396.1456397
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications. P. Bisht (2010). doi:10.1145/1866307.1866375
How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores. Rui Wang (2011). doi:10.1109/SP.2011.26
Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on. C. Mainka (2016). doi:10.1109/EuroSP.2016.33
Towards a Formal Foundation of Web Security. Devdatta Akhawe (2010). doi:10.1109/CSF.2010.27
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. R. Wang (2013).
OAuth 2.0 Threat Model and Security Considerations. T. Lodderstedt (2013). doi:10.17487/RFC6819
OAuth 2.0 Playground. https://developers.google.com/oauthplayground
On Breaking SAML: Be Whoever You Want to Be. Juraj Somorovsky (2012).
Attack pattern-based combinatorial testing. Josip Bozic (2014). doi:10.1145/2593501.2593502
OAuth Security Advisory: 2009.1. http://oauth.net/advisories
Instagram API. https://apigee.com/console/instagram
Account hijacking by leaking authorization code.
Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. R. Wang (2012). doi:10.1109/SP.2012.30
PayPal Payments Standard. https://www.paypal.com/webapps/mpp/paypal-payments-standard
LogIn to experience INstant
SAML 2.0 Technical Overview. OASIS Consortium (2008). http://wiki.oasis-open.org/security/Saml2TechOverview
Token Fixation in PayPal. http://homakov.blogspot.it/2014/01/token-fixation-in-paypal.html
Covert Redirect. http://oauth.net/advisories/2014-1-covert-redirect
Securing Multiparty Online Services Via Certification of Symbolic Transactions. Eric Y. Chen (2015). doi:10.1109/SP.2015.56
A graph-based system for network-vulnerability analysis. C. Phillips (1998). doi:10.1145/310889.310919
Robust defenses for cross-site request forgery. A. Barth (2008). doi:10.1145/1455770.1455782
The Jython Project.
From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure? A. Armando (2011). doi:10.1007/978-3-642-21424-0_6
Detecting Logic Vulnerabilities in E-commerce Applications. Fangqi Sun (2014). doi:10.14722/NDSS.2014.23351
InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations. Luyi Xing (2013).
Discovering Concrete Attacks on Website Authorization by Formal Analysis. Chetan Bansal (2012). doi:10.1109/CSF.2012.27

This paper is referenced by
Il Futuro della Cybersecurity in Italia: Ambiti Progettuali Strategici (The Future of Cybersecurity in Italy: Strategic Project Areas). Anglano Cosimo (2018).
SoK: Single Sign-On Security — An Evaluation of OpenID Connect. C. Mainka (2017). doi:10.1109/EuroSP.2017.32
Large-Scale Analysis & Detection of Authentication Cross-Site Request Forgeries. Avinash Sudhodanan (2017). doi:10.1109/EuroSP.2017.45
Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience. Giada Sciarretta (2018). doi:10.1007/978-3-319-89722-6_8
Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities. Abner Mendoza (2018). doi:10.1109/SP.2018.00039
Aegis: Automatic Enforcement of Security Policies in Workflow-driven Web Applications. Luca Compagna (2017). doi:10.1145/3029806.3029813
Model-driven Security Testing of SAML Single Sign-On System. Weitao Hou (2018). doi:10.2991/aeecs-18.2018.56
Ontology-driven Security Testing of Web Applications. Josip Bozic (2020). doi:10.1109/AITEST49225.2020.00024
Inferring Implicit Assumptions and Correct Usage of Mobile Payment Protocols. Quanqi Ye (2017). doi:10.1007/978-3-319-78813-5_24
Database and Expert Systems Applications: DEXA 2020 International Workshops BIOKDD, IWCFS and MLKgraphs, Bratislava, Slovakia, September 14–17, 2020, Proceedings. Mohit Kumar (2020). doi:10.1007/978-3-030-59028-4
Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements. Giada Sciarretta (2017). doi:10.1016/j.cose.2017.04.011
Analyzing the Validation Flaws of Online Shopping Systems Based on Coloured Petri Nets. Wangyang Yu (2019). doi:10.1109/SmartWorld-UIC-ATC-SCALCOM-IOP-SCI.2019.00304
Show Me the Money! Finding Flawed Implementations of Third-party In-app Payment in Android Apps. W. Yang (2017). doi:10.14722/NDSS.2017.23091
Planning-based security testing of web applications with attack grammars. Josip Bozic (2020). doi:10.1007/s11219-019-09469-y
A Grey-Box Approach for Detecting Malicious User Interactions in Web Applications. Wafa Ben Jaballah (2016). doi:10.1145/2995959.2995966
Security analysis of third-party in-app payment in mobile applications. Wenbo Yang (2019). doi:10.1016/J.JISA.2019.102358
On message-level security. C. Mainka (2017).
A Combinatorial Approach to Analyzing Cross-Site Scripting (XSS) Vulnerabilities in Web Application Security Testing. Dimitris E. Simos (2016). doi:10.1007/978-3-319-47443-4_5