On Business Logic Vulnerabilities Hunting: The APP_LogGIC Framework

Authors: George Stergiopoulos, Bill Tsoumas, Dimitris Gritzalis

DOI: 10.1007/978-3-642-38631-2_18

Abstract: While considerable research effort has been put into the identification of technical vulnerabilities, such as buffer overflows or SQL injections, business logic vulnerabilities have drawn limited attention. Logic errors are an important class of defects that result from faulty application logic. Business logic refers to the requirements implemented in the algorithms that reflect the intended functionality of an application; e.g., in an online shop a rule could be that each cart must register only one discount coupon per product. In this paper, we extend a novel heuristic and automated method for the detection of logic vulnerabilities which was presented in a previous publication. The method detects logic vulnerabilities and asserts their criticality in Java GUI applications, using dynamic analysis and static analysis together with a fuzzy logic system in order to compare and rank its findings and to minimize false positives and negatives. An extensive code ranking is given along with empirical results that demonstrate its potential.
