Document Type : Research Article

Authors

1 Malek-Ashtar University of Tehran, Tehran, Iran.

2 IRIB University of Tehran, Tehran, Iran.

3 Amirkabir University of Tehran, Tehran, Iran.

Abstract

Parallel execution of multiple threads of a web application results in server-side race conditions if the application is not synchronized correctly. Server-side races stem from flaws in the interaction between the server and the database. Detecting race conditions in a web application depends on the business logic of the application, yet no logic-aware approach has been presented to deal with them. Furthermore, most existing approaches either result in DoS or produce false positives.
In this study, the session puzzling race conditions that exist in web applications are classified and described. In addition, we present Business-Layer Session Puzzling Racer, a black-box dynamic application security testing approach that detects the business-layer vulnerability of an application to session puzzling race conditions. Experiments on well-known and widely used web applications showed that Business-Layer Session Puzzling Racer is able to detect the business-layer vulnerabilities of these applications to race conditions. In addition, by identifying the business layer of the application, the amount of traffic generated to find the vulnerabilities is reduced by about 94.38%. Thus, Business-Layer Session Puzzling Racer does not result in DoS.
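The abstract describes two things: a server-side race that appears when a request handler checks a value in the database and then acts on it without synchronization, and a black-box tester that fires parallel requests and judges from the responses whether the business logic was violated. The following added example (not code from the paper or its tool) models both on a one-time voucher redemption. The `VoucherDB` class, the `redeem_*` handlers, `run_parallel`, `detect_race` and the `Barrier` used to hold every thread between its check and its write are constructed for illustration; the barrier makes the race window deterministic so the behaviour can be reproduced offline.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class VoucherDB:
    """Constructed in-memory stand-in for the application's database.
    `redeemed` maps voucher code -> bool; `lock` plays the role of the
    row lock / atomic UPDATE that the hardened handler relies on."""
    redeemed: dict = field(default_factory=dict)
    lock: threading.Lock = field(default_factory=threading.Lock)


def redeem_vulnerable(db, code, window):
    """Check-then-act with no synchronization between server and database.
    `window` is a hypothetical Barrier that parks every thread after its
    check, so all parallel requests observe 'not redeemed' before any writes."""
    if db.redeemed.get(code, False):   # 1. check the database
        window.wait()
        return False
    window.wait()                      # race window: all requests pass the check
    db.redeemed[code] = True           # 2. act, once per request instead of once
    return True


def redeem_hardened(db, code, window):
    """Check and act inside one critical section (equivalent to a single
    conditional UPDATE ... WHERE redeemed = 0 and inspecting the row count).
    Only the first request can flip the flag; the rest see it already set."""
    with db.lock:
        already = db.redeemed.get(code, False)
        if not already:
            db.redeemed[code] = True
    window.wait()                      # same timing pressure as the vulnerable path
    return not already


def run_parallel(handler, n_requests, code="SAVE10"):
    """Send `n_requests` concurrent redemptions of the same voucher and
    return how many of them the server reported as successful."""
    db = VoucherDB(redeemed={code: False})
    window = threading.Barrier(n_requests)
    results = [None] * n_requests

    def worker(i):
        results[i] = handler(db, code, window)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)


def detect_race(handler, n_requests=8):
    """Black-box oracle in the spirit of the paper's approach: a business
    rule says the voucher may be redeemed once, so more than one successful
    response to parallel requests means the rule can be violated."""
    return run_parallel(handler, n_requests) > 1


if __name__ == "__main__":
    print("vulnerable handler, successes:", run_parallel(redeem_vulnerable, 8))
    print("hardened handler,   successes:", run_parallel(redeem_hardened, 8))
    print("race detected (vulnerable):", detect_race(redeem_vulnerable))
    print("race detected (hardened):  ", detect_race(redeem_hardened))
```

The oracle is what makes the test logic-aware: it does not look for crashes or error pages but for a business rule ("redeem once") being broken, which is why the number of parallel requests can stay small and the test does not turn into a DoS of the target.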

Keywords
