1 Detecting Logic Vulnerabilities in E-Commerce Applications
Presenter: Liu Yin, Computer Science Department, College of William & Mary
Slides adapted from Fangqi Sun. The paper is by Fangqi Sun, Liang Xu and Zhendong Su (University of California, Davis), NDSS, February 2014.

2 Outline
 Introduction: logic vulnerabilities in e-commerce web applications; key challenge; related work
 Attack examples
 Approach: definitions; taint rules; vulnerability detection example; vulnerability detection algorithm
 Implementation
 Evaluation
 Conclusion

3 Logic Vulnerabilities in E-Commerce Web Applications
 Third-party cashiers
  - bridge the trust gap between customers and merchants
  - complicate the logic flows during checkout
 Logic vulnerabilities
  - merchant and cashier both track payment status, so the two can miscommunicate
  - insufficient or missing checks on payment status
  - result: a purchase with incorrect or no payment
(Figure: user, merchant and cashier; the payment is of the order total, in a currency, for an order ID, to a merchant ID.)

4 Key Challenge
 Logic vulnerabilities in e-commerce web applications are application-specific
  - a thorough code review of all possible logic flows is non-trivial
  - varied application-specific logic flows, cashier APIs and security checks make automated detection difficult
 The key challenge of automated detection is therefore a criterion that does not depend on the individual application

5 Related Work
 Wang et al. [30, 33]
  - first to perform a security analysis of Cashier-as-a-Service based e-commerce applications
  - found several serious logic vulnerabilities in a few popular e-commerce applications via manual code review
  - proposed a proxy-based approach to dynamically secure third-party web service integrations, including the integration of cashiers
 This paper
  - provides an application-independent invariant
  - proposes the first static analysis that detects these logic vulnerabilities

6 Key Insight
 A common invariant for automated detection: for every order the merchant accepts, the merchant must be able to verify that the user has paid the cashier the order total, in the expected currency, to the merchant's own merchant ID. A flow that accepts an order without establishing all four is a logic vulnerability, whatever the application.

8 Attack on Currency
(Figure: the order total is paid in a currency other than the one the merchant expects.)

9 Attack on Order ID
(Figure: a payment made for one order ID is used to get a different order accepted.)

10 Attack on Merchant ID
(Figure: the payment is directed to a merchant ID other than the real merchant's.)

11 Illustrative Example: the Luottokunta payment module (version 1.3)

13 Approach
 Combines symbolic execution and taint analysis to detect violations of the invariant, by tracking tainted payment status and analyzing the critical logic flows among merchants, cashiers and users
 A symbolic execution framework that explores the critical control flows exhaustively
 Taint annotations are tracked for the critical components
  - payment status: order ID, order total, merchant ID, currency
  - exposed signed token: a value signed with a cashier-merchant secret (for example an MD5 hash over the secret and the payment parameters) that acts as the cashier's signature

14 Approach - Definitions
(Figure: merchant, cashier and user nodes.)
 Logic flows in e-commerce applications
  - communications between merchant nodes, cashier nodes and the user
  - represented as Π = {(n_i, Q_i) -> (n_j, Q_j) | 0 < i, j < k}, where each pair is a node and its logic state
 Logic state
  - consists of taint annotations and links to other valid nodes of a checkout process
  - stores taint annotations for the payment status components (order ID, order total, merchant ID, currency) and for exposed signed tokens (values signed with the cashier-merchant secret key)
 Logic vulnerability in an e-commerce application
  - exists when, for some accepted order ID, the merchant cannot verify that the user has correctly paid the cashier the order total, in the expected currency, to the merchant ID

15 Taint Removal Rules
 Initially all payment status components are tainted; when a component is correctly verified, its taint is removed
 Conditional checks of (in)equality
  - when an untrusted value is verified against a trusted one
  - example, removing taint from the order total: md5(SECRET . $_SESSION['order']['total']) == md5(SECRET . $_GET['oTotal'])
 Writes to merchant databases
  - when an untrusted value is included in an INSERT/UPDATE query
  - a merchant employee can easily spot tampered values in the stored order
 Secure communication channels
  - for synchronous merchant-to-cashier cURL requests, remove taint from the payment components present in the request parameters
  - synchronous requests are sent over a secure channel, which guarantees the authenticity of the payment status the cashier reports

16 Taint Addition Rules
 When a conditional check for a cashier-to-merchant request relies on an exposed signed token, add taint to the exposed signed token
 Example
  - hidden HTML form element: md5($secret . $orderId . $orderTotal)
  - return-URL check: $_GET['hash'] == md5($secret . $_GET['oId'] . $_GET['oTotal'])
  - the user received this token before paying anything, so matching it proves nothing about payment: the exposed signed token nullifies the checks on order ID and order total
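The pattern on this slide, turned into a runnable model of a merchant's return URL. This is an added example and not code from the slides, the paper or any osCommerce module; the secret, merchant ID, order store and in-memory cashier ledger are constructed. The vulnerable handler accepts the order for anyone who holds the hidden-field hash, so a user who never paid, or who paid in the wrong currency, gets through. The hardened handler instead asks the cashier over a server-to-server channel and compares the cashier's record with the merchant's own order, which is the taint-removal pattern of the previous slide:

```python
import hashlib
from dataclasses import dataclass, field

# Everything below is constructed for this example: the secret, merchant ID,
# order store and cashier ledger are assumptions, not osCommerce/Luottokunta code.
SECRET = "merchant-cashier-shared-secret"
MERCHANT_ID = "M-42"
ORDERS = {"1001": {"total": "49.90", "currency": "EUR"}}  # merchant-side, trusted


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def hidden_form_fields(order_id: str) -> dict:
    """Fields the vulnerable module writes into the HTML form that the user's
    browser submits to the cashier. 'hash' is an exposed signed token: the
    user holds it before any payment has happened."""
    total = ORDERS[order_id]["total"]
    return {"oId": order_id, "oTotal": total, "hash": md5(SECRET + order_id + total)}


def vulnerable_return_handler(get: dict) -> bool:
    """Return URL of the vulnerable module: the order is accepted whenever the
    hash matches, i.e. whenever the caller holds the exposed token."""
    return get["hash"] == md5(SECRET + get["oId"] + get["oTotal"])


@dataclass
class Cashier:
    """Constructed stand-in for the cashier's ledger, reachable only through a
    server-to-server query (the synchronous cURL channel of the taint rules)."""
    paid: dict = field(default_factory=dict)  # (merchant_id, order_id) -> (total, currency)

    def pay(self, merchant_id: str, order_id: str, total: str, currency: str) -> None:
        self.paid[(merchant_id, order_id)] = (total, currency)

    def query(self, merchant_id: str, order_id: str):
        return self.paid.get((merchant_id, order_id))


def hardened_return_handler(get: dict, cashier: Cashier) -> bool:
    """Accepts the order only if the cashier itself confirms a payment of the
    merchant's own order total, in the expected currency, to MERCHANT_ID."""
    order = ORDERS.get(get["oId"])
    if order is None:
        return False
    # Synchronous merchant-to-cashier request: order ID and merchant ID are
    # fixed by the merchant in the query, not taken from the user's parameters.
    record = cashier.query(MERCHANT_ID, get["oId"])
    if record is None:
        return False  # the cashier has no payment for this order
    paid_total, paid_currency = record
    # The cashier's answer checked for equality against the merchant's trusted
    # order record: this is the check that removes taint from total and currency.
    return paid_total == order["total"] and paid_currency == order["currency"]


def demo() -> dict:
    """Runs the attacks from the slides against both handlers."""
    fields = hidden_form_fields("1001")
    results = {}

    # Replay of the exposed token: the user never pays and calls the return URL.
    results["vuln_no_payment"] = vulnerable_return_handler(fields)
    results["hard_no_payment"] = hardened_return_handler(fields, Cashier())

    # Attack on currency: the user pays 49.90 of a cheaper currency.
    cashier = Cashier()
    cashier.pay(MERCHANT_ID, "1001", "49.90", "JPY")
    results["vuln_wrong_currency"] = vulnerable_return_handler(fields)  # hash never covered currency
    results["hard_wrong_currency"] = hardened_return_handler(fields, cashier)

    # Attack on merchant ID: the user pays into their own cashier account.
    cashier = Cashier()
    cashier.pay("M-attacker", "1001", "49.90", "EUR")
    results["hard_wrong_merchant"] = hardened_return_handler(fields, cashier)

    # Honest payment.
    cashier = Cashier()
    cashier.pay(MERCHANT_ID, "1001", "49.90", "EUR")
    results["hard_paid"] = hardened_return_handler(fields, cashier)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

Running the file prints one line per scenario. The vulnerable handler accepts both the unpaid replay and the wrong-currency payment because the only thing it verifies is a token the user already had; the hardened handler rejects every case except the honest payment, and it never reads the total, currency or merchant ID from the user's request at all.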

17 Vulnerability Detection Example
(Slides 17-19: figures stepping through the example, not transcribed.)

20 Vulnerability Detection Algorithm
 Integrates symbolic execution of merchant nodes with taint analysis, and connects the individual nodes to explore the valid logic flows of the e-commerce application
(Slide 21: algorithm figure, not transcribed.)
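The taint rules of slides 15 and 16 and the detection algorithm of slide 20, reduced to a runnable model. This is an added example, not the paper's tool: symbolic execution of PHP is replaced by explicit enumeration of one path per node, a logic state is a set of tainted components plus the tokens the merchant has already shown to the user, and the three flows, the operation names and the token names are constructed. The analyzer reports every path combination on which an order is accepted while some payment status component is still tainted:

```python
from itertools import product

PAYMENT_STATUS = frozenset({"OrderID", "OrderTotal", "MerchantID", "Currency"})


class LogicState:
    """Taint annotations of the payment status plus the set of signed tokens
    the merchant has already shown to the user (a simplification of the
    paper's logic state; node links are implied by the flow structure)."""

    def __init__(self):
        self.tainted = set(PAYMENT_STATUS)  # initially everything is tainted
        self.exposed_tokens = set()

    def copy(self):
        new = LogicState()
        new.tainted = set(self.tainted)
        new.exposed_tokens = set(self.exposed_tokens)
        return new


def step(state: LogicState, op: tuple) -> LogicState:
    """Apply one merchant-side operation to a logic state (the taint rules)."""
    state = state.copy()
    kind = op[0]
    if kind == "expose_token":      # hidden form field md5(secret . ...) shown to the user
        state.exposed_tokens.add(op[1])
    elif kind == "check_token":     # cashier-to-merchant request verified against a token
        name, covered = op[1], set(op[2])
        if name in state.exposed_tokens:
            pass                    # taint addition rule: the user already holds this token
        else:
            state.tainted -= covered  # a token the user cannot forge
    elif kind in ("compare_trusted", "db_write", "sync_curl"):
        # (in)equality check against a trusted value, INSERT/UPDATE the merchant
        # can audit, or synchronous cURL to the cashier: each removes taint.
        state.tainted -= set(op[1])
    else:
        raise ValueError(f"unknown operation {kind!r}")
    return state


def analyze(flow: list) -> list:
    """flow: list of nodes; node: list of paths; path: list of operations.
    Every combination of one path per node is explored (explicit enumeration
    standing in for symbolic execution). A finding is (path combination,
    components still tainted) at an 'accept' operation."""
    findings = []
    for combo in product(*[range(len(node)) for node in flow]):
        ops = [op for i, p in enumerate(combo) for op in flow[i][p]]
        state = LogicState()
        for op in ops:
            if op[0] == "accept":
                if state.tainted:
                    findings.append((combo, sorted(state.tainted)))
                break
            state = step(state, op)
    return findings


# Constructed flows (not the real Luottokunta or osCommerce code). Node 0 is
# the checkout form the user posts to the cashier, node 1 the return URL;
# the empty second path of node 1 is the failure branch that accepts nothing.
VULNERABLE_FLOW = [
    [[("expose_token", "merchant_hash")]],
    [[("check_token", "merchant_hash", ["OrderID", "OrderTotal"]),
      ("db_write", ["OrderTotal"]),
      ("accept",)],
     []],
]

FIXED_FLOW = [
    [[("expose_token", "merchant_hash")]],
    [[("sync_curl", ["OrderID", "MerchantID"]),          # ask the cashier about this order
      ("compare_trusted", ["OrderTotal", "Currency"]),   # cashier's answer vs session order
      ("accept",)],
     []],
]

CASHIER_SIGNED_FLOW = [
    [[]],
    [[("check_token", "cashier_mac", ["OrderID", "OrderTotal", "MerchantID", "Currency"]),
      ("accept",)],
     []],
]

if __name__ == "__main__":
    for name, flow in [("vulnerable", VULNERABLE_FLOW), ("fixed", FIXED_FLOW),
                       ("cashier-signed", CASHIER_SIGNED_FLOW)]:
        print(name, analyze(flow) or "no logic vulnerability")
```

In the vulnerable flow the database write does remove taint from the order total, exactly as the rule says, but order ID, merchant ID and currency are still tainted when the order is accepted, so the path is reported. The fixed flow clears all four through the synchronous query and the trusted comparison, and the cashier-signed flow clears them through a token the merchant never exposed, so neither produces a finding.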

23 Implementation
 A symbolic execution framework for PHP that integrates taint analysis

25 Evaluation
 Subjects: 22 unique payment modules of osCommerce
  - osCommerce v2.3: more than 14,000 registered websites, 928 payment modules, 13 years of history
  - 20 of the 46 default modules, those with distinct CFGs
  - 2 Luottokunta payment modules (v1.2 and v1.3)
 Metrics
  - effectiveness: detected 12 logic vulnerabilities (11 new) with no false positives
  - performance
(Slides 26-28: evaluation tables, not transcribed.)

30 Conclusion
 First static detection of logic vulnerabilities in e-commerce applications
  - based on an application-independent invariant
  - a scalable symbolic execution framework for PHP applications, incorporating taint tracking of payment status
 Three responsible proof-of-concept experiments on live websites
 Evaluated the tool on 22 unique payment modules and detected 12 logic vulnerabilities (11 of them new)

31 End Thanks! Q&A