1 / 31

Detecting Logic Vulnerabilities in E-Commerce Applications

Detecting Logic Vulnerabilities in E-Commerce Applications. Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of William & Mary. Outline. Introduction Logic Vulnerabilities in E-Commerce Web Applications Key Challenge Related Work

xanti
Download Presentation

Detecting Logic Vulnerabilities in E-Commerce Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Detecting Logic Vulnerabilities in E-Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of William & Mary

  2. Outline • Introduction • Logic Vulnerabilities in E-Commerce Web Applications • Key Challenge • Related Work • Attack Examples • Approach • Definitions • Taint Rules • Vulnerability Detection Example • Vulnerability Detection Algorithm • Implementation • Evaluation • Conclusion

  3. Logic Vulnerabilities inE-Commerce Web Applications Merchant • Third-party cashiers • Bridge the trustiness gap between customers and merchants • Complicate logic flows during checkout • Logic vulnerabilities • Both track payment status, miscommunication • Insufficient or missing checks on payment status • Purchase with incorrect or no payment User Payment of order total in currency for order ID to merchant ID Cashier

  4. Key Challenge • Logic vulnerabilities in e-commerce web applications are application-specific • Thorough code review of all possible logic flows is non-trivial • Various application-specific logic flows, cashier APIs and security checks make automated detection difficult • Key challenge of automated detection

  5. Related Work • Wang et al. [30, 33] • First to perform security analysis on Cashier-as-a-Service based e-commerce applications. • Found several serious logic vulnerabilities in a few popular e-commerce applications via manual code reviews • Proposed a proxy-based approach to dynamically secure third-party web service integrations which include the integration of cashiers • This paper • provide an application-independent invariant • propose the first static analysis to detect logic vulnerabilities

  6. Key Insight • A common invariant for automated detection

  7. Outline • Introduction • Logic Vulnerabilities in E-Commerce Web Applications • Key Challenge • Related Work • Attack Examples • Approach • Definitions • Taint Rules • Vulnerability Detection Example • Vulnerability Detection Algorithm • Implementation • Evaluation • Conclusion

  8. Attack on Currency

  9. Attack on Order ID

  10. Attack on Merchant ID

  11. Illustrative Example Payment module Luottokunta (version 1.3)

  12. Outline • Introduction • Logic Vulnerabilities in E-Commerce Web Applications • Key Challenge • Related Work • Attack Examples • Approach • Definitions • Taint Rules • Vulnerability Detection Example • Vulnerability Detection Algorithm • Implementation • Evaluation • Conclusion

  13. Approach • Combines symbolic execution and taint analysis • to detect violations of the invariant by tracking tainted payment status and analyzing critical logic flows among merchants, cashiers and users. • A symbolic execution • framework that explores critical control flows exhaustively • Tracking taint annotations for the critical components • Payment status • Order ID, Order total, Merchant ID, Currency • Exposed signed token • An encrypted value that is signed with a cashier-merchant secret • Act as cashier’s signature

  14. Approach - Definitions • Merchant • Cashier • User • Logic Flows in E-commerce Applications : • Communications between merchantnodes, cashiernodesand user. • represented as II = {(ni , Qi) -> (nj , Qj) | 0 <i, j<k}. • Logic State • Consists of taint annotations and links to other valid nodes of a checkout process. • Logic state stores taint annotations for the following payment status components and exposed signed tokens.( OrderID, OrderTotal, MerchantID, Currency, exposed signed tokens( Secret_key ) ) • Logic Vulnerabilities in E-commerce Applications • Exists when for any accepted order ID, the merchant cannot verify that the user has correctly paid the cashier the amount of order total in the expected currency to merchant ID.

  15. Taint Removal Rules Initially  all tainted. When correctly verifies the taint should be removed • Conditional checks of (in)equality • When an untrusted value is verified against a trusted one • Example of removing taint from order totalmd5(SECRET . $_SESSION[‘order’] [‘total’]) == md5(SECRET . $_GET[‘oTotal’]) • Writes to merchant databases • When an untrusted value is included in an INSERT/UPDATE query • Merchant employee can easily spot tampered values • Secure communication channels • For synchronous merchant-to-cashier cURLrequests • Remove when payment components are present in request parameters • Synchronous requests are sent via secure communication channels, guarantee the authenticity of payment status

  16. Taint Addition Rules • When a conditional check for a cashier-to-merchant request relies on an exposed signed token, add taint to the exposed signed token. • Example • Hidden HTML form element: md5($secret . $orderId . $orderTotal) • $_GET['hash'] == md5($secret . $_GET['oId'] . $_GET['oTotal']) • This exposedsignedtokenmd5($secret . $orderId . $orderTotal) nullifieschecks on order ID and order total

  17. Vulnerability Detection Example

  18. Vulnerability Detection Algorithm • It integrates symbolic execution of merchant nodes and taint analysis, and connects individual nodes to explore valid logic flows in e-commerce applications.

  19. Outline • Introduction • Logic Vulnerabilities in E-Commerce Web Applications • Key Challenge • Related Work • Attack Examples • Approach • Definitions • Taint Rules • Vulnerability Detection Example • Vulnerability Detection Algorithm • Implementation • Evaluation • Conclusion

  20. Implementation Asymbolic execution framework that integrates taint analysis for PHP

  21. Outline • Introduction • Logic Vulnerabilities in E-Commerce Web Applications • Key Challenge • Related Work • Attack Examples • Approach • Definitions • Taint Rules • Vulnerability Detection Example • Vulnerability Detection Algorithm • Implementation • Evaluation • Conclusion

  22. Evaluation • Subjects: 22 unique payment modules of osCommerce • More than 14,000 registered websites, 928 payment modules, 13 years of history (osCommerce v2.3) • 20 out of 46 default modules with distinct CFGs • 2 Luottokunta payment modules (v1.2 & v1.3) • Metrics • Effectiveness: Detected 12 logicvulnerabilities (11 new) withno false positives • Performance

  23. Outline • Introduction • Logic Vulnerabilities in E-Commerce Web Applications • Key Challenge • Related Work • Attack Examples • Approach • Definitions • Taint Rules • Vulnerability Detection Example • Vulnerability Detection Algorithm • Implementation • Evaluation • Conclusion

  24. Conclusion • First static detection of logic vulnerabilities in e-commerce applications • Based on an application-independent invariant • A scalable symbolic execution framework for PHP applications, incorporating taint tracking of payment status • Three responsible proof-of-concept experiments on live websites • Evaluated our tool on 22 unique payment modules and detected 12 logic vulnerabilities (11 are new)

  25. End Thanks! Q&A

More Related