E-commerce has become a thriving business model.
With easy access to various tools and third-party cashiers, it is
straightforward to create and launch e-commerce web applications.
However, it remains difficult to create secure ones. While
third-party cashiers help bridge the trust gap between
merchants and customers, the involvement of cashiers as a new
party complicates the logic flows of checkout processes. Even a small
loophole in a checkout process may cause financial loss to
merchants, so logic vulnerabilities pose serious threats to the
security of e-commerce applications. Performing manual code
reviews is challenging because of the diversity of logic flows
and the sophistication of checkout processes. Consequently, it
is important to develop automated detection techniques.
This paper proposes the first static detection of logic
vulnerabilities in e-commerce web applications. The main difficulty
of automated detection is the lack of a general and precise
notion of correct payment logic. Our key insight is that secure
checkout processes share a common invariant: A checkout process
is secure when it guarantees the integrity and authenticity of
critical payment status (order ID, order total, merchant ID
and currency). Our approach combines symbolic execution and
taint analysis to detect violations of the invariant by tracking
tainted payment status and analyzing critical logic flows among
merchants, cashiers and users. We have implemented a symbolic
execution framework for PHP. In our evaluation of 22 unique
payment modules, our tool detected 12 logic vulnerabilities, 11
of which are new. We have also performed successful proof-of-concept
experiments on live websites to confirm our findings.
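As an added illustration (not code from the paper or its tool), the invariant stated above expressed as a merchant-side check on a cashier's payment notification: a notification is accepted only when its critical payment status is authentic (signed by the cashier) and consistent with the merchant's own order record. The field names, the HMAC signing scheme, the shared secret and the order data are constructed assumptions, and Python stands in for the PHP payment modules the paper analyzes.

```python
import hmac
import hashlib
from decimal import Decimal, InvalidOperation
# Constructed demo values, not any real cashier's protocol or field names.
MERCHANT_ID = "M-1001"                  # assumed: this merchant's ID at the cashier
CASHIER_SECRET = b"demo-shared-secret"  # assumed: key shared with the cashier
CRITICAL = ("order_id", "total", "merchant_id", "currency")

# The merchant's own record of what each order should cost (constructed).
ORDERS = {"ORD-42": {"total": "59.90", "currency": "USD", "paid": False}}

def sign(fields: dict, key: bytes) -> str:
    # Assumed scheme: HMAC-SHA256 over the critical fields, sorted by name.
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(CRITICAL))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def handle_notification(params: dict, orders: dict = ORDERS) -> str:
    """Return 'paid' if the notification is accepted, else a rejection reason.
    Every field arriving from the wire is treated as tainted until it is both
    covered by a valid cashier signature and equal to the merchant's own record.
    """
    missing = [k for k in CRITICAL + ("sig",) if k not in params]
    if missing:
        return "reject: missing " + ",".join(missing)
    # Authenticity: the cashier must have signed exactly these critical fields.
    if not hmac.compare_digest(sign(params, CASHIER_SECRET), params["sig"]):
        return "reject: bad signature"
    if params["merchant_id"] != MERCHANT_ID:
        return "reject: merchant mismatch"   # payment went to some other merchant
    order = orders.get(params["order_id"])
    if order is None:
        return "reject: unknown order"
    # Integrity: what the cashier collected must equal what the merchant charged.
    try:
        same_total = Decimal(params["total"]) == Decimal(order["total"])
    except InvalidOperation:
        same_total = False
    if not same_total or params["currency"] != order["currency"]:
        return "reject: amount/currency mismatch"
    if order["paid"]:
        return "reject: already paid"       # replayed notification for a used order ID
    order["paid"] = True
    return "paid"

def cashier_notification(order_id, total, currency, merchant_id=MERCHANT_ID):
    # Simulates the cashier composing and signing a payment notification.
    p = {"order_id": order_id, "total": total, "merchant_id": merchant_id, "currency": currency}
    p["sig"] = sign(p, CASHIER_SECRET)
    return p
```

Each rejection branch corresponds to one way the critical status can be tainted: unsigned or altered fields, a different merchant, an order the merchant never created, a total or currency the merchant did not charge, or a second use of an already settled order ID.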
More here: http://www.internetsociety.org/sites/default/files/04_4_1.pdf