Web Logic Vulnerability

By Eric Jizba and Yan Chen

With slides from Fangqi Sun and Giancarlo Pellegrino

Outline

! Background and Motivation

! Related Work

! Whitebox approach
! Detecting Logic Vulnerabilities in E-Commerce Applications
! Fangqi Sun, Liang Xu, Zhendong Su

! Blackbox approach
! Toward Black-box Detection of Logic Flaws in Web
Applications
! Giancarlo Pellegrino, Davide Balzarotti
Background and motivation
Logic Flaws

 Also known as design flaws/errors, business/application logic

errors/flaws
 Lack a formal definition
● CWE-ID 840: Business logic errors are “weaknesses […]
that commonly allow attackers to manipulate the business
logic of an application”
 Mainly caused by insufficient validation of the application
workflow and data flow
 Can exhibit patterns, e.g.
● Improper authentication/authorization

3
 Logic Vulnerabilities
in E-Commerce Web Applications
! Third-party cashiers
! Bridge the trustiness gap between customers and merchants

! Complicate logic flows during checkout

Payment
! Logic vulnerabilities in e-commerce web applications status
! Abuse application-specific functionality
Consistent status?
! Allow attackers to purchase products or services
with incorrect or no payment
! Have multiple attack vectors Payment
Status
" Assumptions of user inputs and user actions should be
explicitly checked
! Example
" CVE-2009-2039 is reported for Luottokunta (v1.2) but the patched
Luottokunta (v1.3) is still vulnerable
Attack on Currency

currency = British Pound Sterling (GBP)

GBP £6.25 (equals $10.43)

Consistent status? NO

currency = US Dollar (USD)

USD $6.25
Attack on Order ID

Current order (ID 1002)

orderID = has been paid
1002

Payment tokens for

Consistent status? NO order ID 1001 can
be replayed for
orderID = future orders
1001
Received payment
for order ID 1001 only
Attack on Merchant ID

Payee is
merchantID = chocolateDelight
chocolateDelight

Consistent status? NO
Payee is
merchantID= attackerAlice
attackerAlice
Setting up a PayPal
merchant account
for Alice is easy
Related Work
Problem
Explicit Documentation
Yes No

Yes
White-box White-box
Source code
No

 White-box testing [BalzarottiCCS07, FelmetsgerUSENIX10, ...]

● Source code of WA may not be available → White-box not applicable!

5
Problem
Explicit Documentation
Yes No

Yes
White-box White-box
Source code
Design verification
No

Design verification

 White-box testing [BalzarottiCCS07, FelmetsgerUSENIX10, ...]

● Source code of WA may not be available → White-box not applicable!
 Design verification [LoweCSF97, ArmandoCSF07, ...]
● Specification of WA may not be available → DV not applicable!

6
Problem
Explicit Documentation
Yes No

Black-box Black-box

Yes
White-box White-box
Source code
Design verification

Black-box Black-box
No

Design verification

 White-box testing [BalzarottiCCS07, FelmetsgerUSENIX10, ...]

● Source code of WA may not be available → White-box not applicable!
 Design verification [LoweCSF97, ArmandoCSF07, ...]
● Specification of WA may not be available → DV not applicable!
 Black-box testing, e.g., web scanners [DoupèDIMVA10, WangS&P11, WangS&P12]
● Cannot automatically detect logic flaws
➔Testing for logic flaws is done manually

7
 Comparing testing methods

Whitebox Blackbox Design Verification

Coverage Fair Poor Good

Scalability Fair Good Poor

Efficiency Fair Good Poor

Requires source Yes No No

code
Requires app No No Yes
specification
Design Verification
BrowserID SSO Analysis

! Daniel Fett, Ralf Küsters, and Guido Schmitz created

expressive model for web infrastructure
! Manual analysis: more comprehensive and accurate

! Discovered logic vulnerability in BrowserID

! Allows attacker to sign-in to any service that supports
BrowserID using the email address of any user without know
their credentials
! Proposed fix adopted by Mozilla simply involves verifying the
email address is correct
Blackbox Approach
InteGuard: Web Service Integration
Security

! Third party APIs are more and more popular

! SSO, Cashier Services, Maps, Search, etc.

! Key Insight: most web APIs require small number of simple

input parameters that are usually set by the user

! InteGuard looks at web traffic between the app and third

part service to analyze invariants (e.g. orderID, price)
! Does not require source code
! Mostly automatic
! Cannot handle more complex invariant relations (such as the
relation between signed content and its signature)
Blackbox Approach
Parameter Pollution Vulnerabilities

! Common attack vector used in Logic Vulnerabilities

! E.g. using the same OrderID for two transactions

! Different from workflow attack vector (also used in Logic

Vulnerabilities)
! E.g. bypassing a required page in a payment application

! NoTamper detects insufficient server-side validations where

the server fails to replicate validations on the client side

! PAPAS uses a blackbox scanning technique for vulnerable

parameters
Whitebox Approach
Basic Problem
Key Challenge
! Logic vulnerabilities in e-commerce web applications are
application-specific
! Thorough code review of all possible logic flows is non-trivial
! Various application-specific logic flows, cashier APIs and
security checks make automated detection difficult

! Key challenge of automated detection

The lack of a general and precise notion

of correct payment logic
Key Insight
! A common invariant for automated detection

A checkout is secure when it guarantees the

integrity and authenticity of critical payment status
(order ID, order total, merchant ID and currency)

Consistent payment status

Whitebox Approach
Main Ideas
Our Approach Logic flow:
(ni, Qi) # (nj, Qj)

! A symbolic execution
framework that explores spec,
ns, qs PHP ASTi IR
critical control flows Lexer
Constructor
& Parser
exhaustively
nj, Qj IRi

! Tracking taint annotations Qi

Symbolic
Execution
Navigator
across checkout nodes Engine
! Payment status nf, Qf
! Exposed signed token
(signed with a cashier-merchant Logic Vulnerability
secret) Analyzer Report
 Taint Removal Rules
! Conditional checks of (in)equality
! When an untrusted value is verified against a trusted one
! Example of removing taint from order total
md5(SECRET . $_SESSION[‘order’]#info[‘total’]) == md5(SECRET . $_GET[‘oTotal’])

! Writes to merchant databases

! When an untrusted value is included in an INSERT/UPDATE query
! Merchant employee can easily spot tampered values

! Secure communication channels

(merchant-to-cashier cURL requests)
! Remove taint from order ID, order total, merchant ID or currency
when such components are present in request parameters
 Taint Addition Rule
! Add an exposed signed token when used in a conditional
check of a cashier-to-merchant request
! Security by obscurity is insufficient

! Example
! Hidden HTML form element: md5($secret . $orderId . $orderTotal)
! $_GET['hash'] == md5($secret . $_GET['oId'] . $_GET['oTotal'])

! This exposed signed token md5($secret . $orderId . $orderTotal)

nullifies checks on order ID and order total
 Vulnerability Detection Example
R1. Checkout
! R1. User # Merchant(checkoutConfirmation.php) Confirmation
(Begin
! Symbolic HTML form contains two URLs: cashier URL and return Checkout)
URL(checkoutProcess.php).
R2. Cashier
! R2. User # Cashier(https://dmp2.luottokunta.fi) Luottokunta
! Modeling cashier as trusted black box (Make
Payment)

! R3. User # Merchant(checkoutProcess.php), redirection

R3. Checkout
! Representing all possible cashier responses with symbolic inputs Process
(Confirm
Order)
! R4. User # Merchant(checkoutSuccess.php), redirection
! Analyzing logic states at this destination node (end of checkout) to
R4. Checkout
detect logic vulnerabilities Success
(Thanks for
Luottokunta (v1.3) your order)
 R1. Checkout R3. Checkout R4. Checkout
Confirmation Process Success
(Begin (Confirm (Thanks for
Checkout) Order) your order)
orderID =
1002

Consistent status? NO

orderID = R2. Cashier

1001 Luottokunta
(Make
Payment)

Should be
SecretMD5
R3 for order ID 1002: http://merchant.com/checkoutProcess.php? For1002
orderID=1001&LKMAC=SecretMD5For1001
Whitebox Approach
Evaluation and Results
Evaluation
! Subjects: 22 unique payment modules of
osCommerce
! More than 14,000 registered websites, 928 payment
modules, 13 years of history (osCommerce v2.3)
! 20 out of 46 default modules with distinct CFGs
! 2 Luottokunta payment modules (v1.2 & v1.3)

! Metrics
! Effectiveness:Detected 12 logic vulnerabilities (11 new)
with no false positives
! Performance
 Logic Vulnerability Analysis Results
Payment Module Safe Payment Module Safe

2Checkout PayPal Pro - Direct Payments

Authorize.net CC AIM PayPal (Payflow) - Direct Payments

Authorize.net CC SIM PayPal (Payflow) - Express Checkout

ChronoPay PayPal Standard

inpay PayPoint.net SECPay

iPayment
PSiGate
(Credit Card)
Luottokunta (v1.2) RBS WorldPay Hosted
Luottokunta (v1.3) Sage Pay Direct

Moneybookers Sage Pay Form

NOCHEX Sage Pay Server

PayPal Express Sofortüberweisung Direkt *
 Taint Annotations of 12 Vulnerable Payment Modules

Order Order Merchant Signed

Payment Module Currency
Id Total Id Tokens
2Checkout
Authorize.net SIM
ChronoPay
iPayment (Credit card)
Luottokunta (v1.2)
Luottokunta (v1.3)
NOCHEX
PayPal Standard
PayPoint.net SECPay
PSiGate
RBS WorldPay Hosted
Sage Pay Form
Total 9 7 6 10 2
 Performance Results of 12 Vulnerable Payment Modules
Payment Module Files Nodes Edges Stmts States Flows Time(s)
2Checkout 105 5,194 6,176 8,385 40 4 16.04
Authorize.net SIM 105 5,221 6,221 8,435 46 4 16.89
ChronoPay 99 5,013 5,969 8,084 69 5 31.51
iPayment (Credit card) 99 4,999 5,932 7,918 38 5 21.86
Luottokunta (v1.2) 105 5,158 6,127 8,291 34 4 15.33
Luottokunta (v1.3) 105 5,164 6,135 8,308 35 4 15.33
NOCHEX 105 5,145 6,111 8,237 33 4 15.03
PayPal Standard 99 5,040 6,006 8,170 68 6 33.01
PayPoint.net SECPay 105 5,174 6,152 8,332 40 4 15.80
PSiGate 106 5,231 6,228 8,436 44 4 16.82
RBS WorldPay Hosted 99 5,019 5,977 8,121 79 5 36.12
Sage Pay Form 106 5,315 6,329 8,762 55 4 19.96
Average of 22 102.73 5,173 6,162 8,376 67.27 5.05 31.43
Conclusion
! First static detection of logic vulnerabilities in e-
commerce applications
! Based on an application-independent invariant
! A scalable symbolic execution framework for PHP
applications, incorporating taint tracking of payment status

! Three responsible proof-of-concept experiments on live

websites

! Evaluated our tool on 22 unique payment modules and

detected 12 logic vulnerabilities (11 are new)
Open Issues

! Cannot identify all logic vulnerabilities

! Does not support JavaScript analysis

! Limited analysis of dynamic language features

Questions?
Blackbox Approach
Basic Problem
Blackbox Approach
Main Ideas
Overview

1) Model Inference
r 1,3

r 1,2
r 1,1 r 1,2 r 1,3 r 1,4
74.125.230.240 > 192.168.1.89
Resource Resource r 1,4
r 2,2
192.168.1.89 > 74.125.230.240 Clustering I
r 1,1
F
74.125.230.240 > 192.168.1.89 Abstraction r 2,1 r 2,2 r 2,3
r 2,1

r 2,3

2) Behavioral Patterns
r 1,1 r 1,2 r 1,3 r 1,4
Rp
r 1,3 r 1,3 St
r 2,1 r 2,2 r 2,3
PChain 1 r 1,2
TrWPrr
Data flow Workflow
1,2
r 1,4 1,4
r 2,2 r 2,2
r 1,3
Patterns I
r 1,1
r 2,1 F Patterns I
r 1,1
r 2,1 F
r 1,2
r 1,4
r 2,2
r 2,3 r 2,3
r 1,1
I r 2,1 F
TrWP
r 2,3 PChain 2 MWP

3) Test Cases Generation 4) Test Cases Execution

r 1,1 r 1,2 r 1,3 r 1,4

r 2,1 r 2,2 r 2,3

74.125.230.240 > 192.168.1.89

Rp r 1,1 r 1,2 r 1,3 r 1,4

Execution 192.168.1.89 > 74.125.230.240

r 1,3 St Test Cases r 1,1 r 1,2 r 1,3 r 1,4 74.125.230.240 > 192.168.1.89 Verdict:
Flaw found
TrWPrr 1,2
1,4 r 1,1 r 1,2 r 1,3 r 1,4 in test
r 2,2
r 1,1 Oracle 1 and 2
I r 2,1 F

r 2,3

TrWP
MWP

9
Model Inference

1) Model Inference
r 1,3

r 1,2
r 1,1 r 1,2 r 1,3 r 1,4
74.125.230.240 > 192.168.1.89
Resource Resource r 1,4
r 2,2
192.168.1.89 > 74.125.230.240 Clustering I
r 1,1
F
74.125.230.240 > 192.168.1.89 Abstraction r 2,1 r 2,2 r 2,3
r 2,1

r 2,3

2) Behavioral Patterns
r 1,1 r 1,2 r 1,3 r 1,4
Rp
r 1,3 r 1,3 St
r 2,1 r 2,2 r 2,3
PChain 1 r 1,2
TrWPrr
Data flow Workflow
1,2
r 1,4 1,4
r 2,2 r 2,2
r 1,3
Patterns I
r 1,1
r 2,1 F Patterns I
r 1,1
r 2,1 F
r 1,2
r 1,4
r 2,2
r 2,3 r 2,3
r 1,1
I r 2,1 F
TrWP
r 2,3 PChain 2 MWP

3) Test Cases Generation 4) Test Cases Execution

r 1,1 r 1,2 r 1,3 r 1,4

r 2,1 r 2,2 r 2,3

74.125.230.240 > 192.168.1.89

Rp r 1,1 r 1,2 r 1,3 r 1,4

Execution 192.168.1.89 > 74.125.230.240

r 1,3 St Test Cases r 1,1 r 1,2 r 1,3 r 1,4 74.125.230.240 > 192.168.1.89 Verdict:
Flaw found
TrWPrr 1,2
1,4 r 1,1 r 1,2 r 1,3 r 1,4 in test
r 2,2
r 1,1 Oracle 1 and 2
I r 2,1 F

r 2,3

TrWP
MWP

10
Behavioral Patterns Extraction

1) Model Inference
r 1,3

r 1,2
r 1,1 r 1,2 r 1,3 r 1,4
74.125.230.240 > 192.168.1.89
Resource Resource r 1,4
r 2,2
192.168.1.89 > 74.125.230.240 Clustering I
r 1,1
F
74.125.230.240 > 192.168.1.89 Abstraction r 2,1 r 2,2 r 2,3
r 2,1

r 2,3

2) Behavioral Patterns
r 1,1 r 1,2 r 1,3 r 1,4
Rp
r 1,3 r 1,3 St
r 2,1 r 2,2 r 2,3
PChain 1 r 1,2
TrWPrr
Data flow Workflow
1,2
r 1,4 1,4
r 2,2 r 2,2
r 1,3
Patterns I
r 1,1
r 2,1 F Patterns I
r 1,1
r 2,1 F
r 1,2
r 1,4
r 2,2
r 2,3 r 2,3
r 1,1
I r 2,1 F
TrWP
r 2,3 PChain 2 MWP

3) Test Cases Generation 4) Test Cases Execution

r 1,1 r 1,2 r 1,3 r 1,4

r 2,1 r 2,2 r 2,3

74.125.230.240 > 192.168.1.89

Rp r 1,1 r 1,2 r 1,3 r 1,4

Execution 192.168.1.89 > 74.125.230.240

r 1,3 St Test Cases r 1,1 r 1,2 r 1,3 r 1,4 74.125.230.240 > 192.168.1.89 Verdict:
Flaw found
TrWPrr 1,2
1,4 r 1,1 r 1,2 r 1,3 r 1,4 in test
r 2,2
r 1,1 Oracle 1 and 2
I r 2,1 F

r 2,3

TrWP
MWP

11
Workflow Patterns

Traces: Model:
a

b
c

e f

12
Workflow Patterns

Traces: Model:
TrWP Rp a

b Rp
c
TrWP

TrWP Rp e f TrWP Rp

TrWP : Trace Waypoints

Rp : Repeatable Operations

13
Data flow Patterns

Trace 1: Trace 2:

http://store.com/index.php http://store.com/index.php
<HTML> <HTML>

1
1

<a href=“/view.php?tok=8AFFB0”> […] <a href=“/add.php?tok=DDA124”> […]

http://store.com/view.php?tok=8AFFB0 http://store.com/add.php?tok=DDA124
<HTML> <HTML>

2
2

<a href=“/add.php?tok=8AFFB0”> […] <a href=“/checkout”> […]

http://store.com/add.php?tok=8AFFB0
<HTML>
3

<a href=“/checkout”> […]

14
Test Case Generation

1) Model Inference
r 1,3

r 1,2
r 1,1 r 1,2 r 1,3 r 1,4
74.125.230.240 > 192.168.1.89
Resource Resource r 1,4
r 2,2
192.168.1.89 > 74.125.230.240 Clustering I
r 1,1
F
74.125.230.240 > 192.168.1.89 Abstraction r 2,1 r 2,2 r 2,3
r 2,1

r 2,3

2) Behavioral Patterns
r 1,1 r 1,2 r 1,3 r 1,4
Rp
r 1,3 r 1,3 St
r 2,1 r 2,2 r 2,3 Extraction PChain 1 r 1,2
TrWPrr
Data flow Workflow
1,2
r 1,4 1,4
r 2,2 r 2,2
r 1,3
Patterns I
r 1,1
r 2,1 F Patterns I
r 1,1
r 2,1 F
r 1,2
r 1,4
r 2,2
r 2,3 r 2,3
r 1,1
I r 2,1 F
TrWP
r 2,3 PChain 2 MWP

3) Test Cases Generation 4) Test Cases Execution

r 1,1 r 1,2 r 1,3 r 1,4

r 2,1 r 2,2 r 2,3

74.125.230.240 > 192.168.1.89

Rp r 1,1 r 1,2 r 1,3 r 1,4

Execution 192.168.1.89 > 74.125.230.240

r 1,3 St Test Cases r 1,1 r 1,2 r 1,3 r 1,4 74.125.230.240 > 192.168.1.89 Verdict:
Flaw found
TrWPrr 1,2
1,4 r 1,1 r 1,2 r 1,3 r 1,4 in test
r 2,2
r 1,1 Oracle 1 and 2
I r 2,1 F

r 2,3

TrWP
MWP

15
Attack Pattern-based Test Case Generation

16
Attack Pattern-based Test Case Generation

17
Test Case Execution and Oracle

1) Model Inference
r 1,3

r 1,2
r 1,1 r 1,2 r 1,3 r 1,4
74.125.230.240 > 192.168.1.89
Resource Resource r 1,4
r 2,2
192.168.1.89 > 74.125.230.240 Clustering I
r 1,1
F
74.125.230.240 > 192.168.1.89 Abstraction r 2,1 r 2,2 r 2,3
r 2,1

r 2,3

2) Behavioral Patterns
r 1,1 r 1,2 r 1,3 r 1,4
Rp
r 1,3 r 1,3 St
r 2,1 r 2,2 r 2,3
PChain 1 r 1,2
TrWPrr
Data flow Workflow
1,2
r 1,4 1,4
r 2,2 r 2,2
r 1,3
Patterns I
r 1,1
r 2,1 F Patterns I
r 1,1
r 2,1 F
r 1,2
r 1,4
r 2,2
r 2,3 r 2,3
r 1,1
I r 2,1 F
TrWP
r 2,3 PChain 2 MWP

3) Test Cases Generation 4) Test Cases Execution

r 1,1 r 1,2 r 1,3 r 1,4

r 2,1 r 2,2 r 2,3

74.125.230.240 > 192.168.1.89

Rp r 1,1 r 1,2 r 1,3 r 1,4

Execution 192.168.1.89 > 74.125.230.240

r 1,3 St Test Cases r 1,1 r 1,2 r 1,3 r 1,4 74.125.230.240 > 192.168.1.89 Verdict:
Flaw found
TrWPrr 1,2
1,4 r 1,1 r 1,2 r 1,3 r 1,4 in test
r 2,2
r 1,1 Oracle 1 and 2
I r 2,1 F

r 2,3

TrWP
MWP

18
Test Case Execution and Oracle

1) Model Inference
r 1,3

r 1,2
r 1,1 r 1,2 r 1,3 r 1,4
74.125.230.240 > 192.168.1.89
Resource Resource r 1,4
r 2,2
192.168.1.89 > 74.125.230.240 Clustering I
r 1,1
F
74.125.230.240 > 192.168.1.89 Abstraction r 2,1 r 2,2 r 2,3
r 2,1

r 2,3

2) Behavioral Patterns Security Property:

r 1,1 r 1,2 r 1,3 r 1,4
Rp
r 1,3 r 1,3 St
r 2,1 r 2,2 r 2,3
PChain 1 r 1,2
TrWPrr
Data flow Workflow
1,2
r 1,4 1,4
r 2,2 r 2,2
r 1,3
Patterns I
r 1,1
r 2,1 F Patterns I
r 1,1
r 2,1 F
r 1,2
r 1,4
r 2,2
r 2,3 r 2,3
r 1,1
I r 2,1 F
TrWP
r 2,3 PChain 2 MWP

3) Test Cases Generation 4) Test Cases Execution

r 1,1 r 1,2 r 1,3 r 1,4

r 2,1 r 2,2 r 2,3

74.125.230.240 > 192.168.1.89

Rp r 1,1 r 1,2 r 1,3 r 1,4

Execution 192.168.1.89 > 74.125.230.240

r 1,3 St Test Cases r 1,1 r 1,2 r 1,3 r 1,4 74.125.230.240 > 192.168.1.89 Verdict:
Flaw found
TrWPrr 1,2
1,4 r 1,1 r 1,2 r 1,3 r 1,4 in test
r 2,2
r 1,1 Oracle 1 and 2
I r 2,1 F

r 2,3

TrWP
MWP

19
Case Study: Shopping Cart Web Applications

Online Store

r der
O
Customers

Cashier-as-a-Service
Pa
y

Trace Collection

21
Blackbox Approach
Evaluation and Results
Experiments and Results

 Target: 7 popular eCommerce Web Applications

● Deployed by >13M online stores

 Testbed: created 12 Paypal sandbox configurations

In total 3,145

test cases

22
Experiments and Results

 Target: 7 popular eCommerce Web Applications

● Deployed by >13M online stores

 Testbed: created 12 Paypal sandbox configurations

1,253 “misuse” detected

In total 3,145

test cases
1,892 were
executed

23
Experiments and Results

 Target: 7 popular eCommerce Web Applications

● Deployed by >13M online stores

 Testbed: created 12 Paypal sandbox configurations

1,253 “misuse” detected

983 not violations

In total 3,145

test cases
1,892 were
executed
909 violation

24
Experiments and Results

 Target: 7 popular eCommerce Web Applications

● Deployed by >13M online stores

 Testbed: created 12 Paypal sandbox configurations

1,253 “misuse” detected

983 not violations

In total 3,145 849 caused by

test cases bugs in the GUI
1,892 were
executed
909 violation
90 caused by
logic flaws

25
Vulnerabilities

 10 previously-unknown vulnerabilities
● Allowing to shop for free or pay less

Application Shop for Pay less Session

free Fixation

AbanteCart x Notified
Notified Devel.
Devel.

Magento
Notified
Notified Devel.
OpenCart xx Devel.

osCommerce x x CVE-2012-2991
CVE-2012-2991

PrestaShop

TomatoCart x xx x CVE-2012-4934
CVE-2012-4934

CS-Cart x CVE-2013-0118
CVE-2013-0118

26
Conclusion

 Proposed a black-box technique to detect logic flaws in web

applications

 Combined passive model inference and attacker pattern-based test

case generation

 Developed a prototype
● assessed against 7 popular eCommerce web applications

 Discovered 10 previously-unknown logic flaws

● allow an attacker to shop for free or pay less

28
Open Issues

! Only tests attacks through data flow and workflow

! E.g. does not test unauthorized access to resources

! Automation favors efficiency over coverage

Questions?