Detecting Logic Vulnerabilities in E

Detecting Logic Vulnerabilities in ECommerce Applications
Presenter: Liu Yin
Slides Adapted from Fangqi Sun
Computer Science Department
College of William & Mary
1
Outline

Introduction





Attack Examples
Approach







Logic Vulnerabilities in E-Commerce Web Applications
Key Challenge
Related Work
Definitions
Taint Rules
Vulnerability Detection Example
Vulnerability Detection Algorithm
Implementation
Evaluation
Conclusion
2
Logic Vulnerabilities in E-Commerce Web
Applications
Merchant

Third-party cashiers



Logic vulnerabilities

User


Payment of order total
in currency for order
ID to merchant ID
Cashier
Bridge the trustiness gap
between customers and
merchants
Complicate logic flows during
checkout
Both track payment status,
miscommunication
Insufficient or missing checks
on payment status
Purchase with incorrect or no
payment
3
Key Challenge

Logic vulnerabilities in e-commerce web applications are
application-specific



Thorough code review of all possible logic flows is non-trivial
Various application-specific logic flows, cashier APIs and security
checks make automated detection difficult
Key challenge of automated detection
4
Related Work

Wang et al. [30, 33]

First to perform security analysis on Cashier-as-a-Service based
e-commerce applications.

Found several serious logic vulnerabilities in a few popular ecommerce applications via manual code reviews
Proposed a proxy-based approach to dynamically secure thirdparty web service integrations which include the integration of
cashiers


This paper


provide an application-independent invariant
propose the first static analysis to detect logic vulnerabilities
5
Key Insight

A common invariant for automated detection
6
Outline

Introduction





Attack Examples
Approach







Logic Vulnerabilities in E-Commerce Web Applications
Key Challenge
Related Work
Definitions
Taint Rules
Vulnerability Detection Example
Vulnerability Detection Algorithm
Implementation
Evaluation
Conclusion
7
Attack on Currency
8
Attack on Order ID
9
Attack on Merchant ID
10
Illustrative Example
Payment module Luottokunta (version 1.3)
11
Outline

Introduction





Attack Examples
Approach







Logic Vulnerabilities in E-Commerce Web Applications
Key Challenge
Related Work
Definitions
Taint Rules
Vulnerability Detection Example
Vulnerability Detection Algorithm
Implementation
Evaluation
Conclusion
12
Approach

Combines symbolic execution and taint analysis


A symbolic execution


to detect violations of the invariant by tracking tainted
payment status and analyzing critical logic flows among
merchants, cashiers and users.
framework that explores critical control flows exhaustively
Tracking taint annotations for the critical components

Payment status


Order ID, Order total, Merchant ID, Currency
Exposed signed token


An encrypted value that is signed with a cashier-merchant secret
Act as cashier’s signature
13
Approach - Definitions




Merchant
Cashier
User
Logic Flows in E-commerce Applications :



Logic State



Communications between merchant nodes, cashier nodes and user.
represented as II = {(ni , Qi) -> (nj , Qj) | 0 <i , j<k}.
Consists of taint annotations and links to other valid nodes of a
checkout process.
Logic state stores taint annotations for the following payment status
components and exposed signed tokens.( OrderID, OrderTotal,
MerchantID, Currency, exposed signed tokens( Secret_key ) )
Logic Vulnerabilities in E-commerce Applications

Exists when for any accepted order ID, the merchant cannot verify that
the user has correctly paid the cashier the amount of order total in the
expected currency to merchant ID.
14
Taint Removal Rules
Initially  all tainted.
When correctly verifies the taint should be removed

Conditional checks of (in)equality


When an untrusted value is verified against a trusted one
Example of removing taint from order total
md5(SECRET . $_SESSION[‘order’] [‘total’]) == md5(SECRET . $_GET[‘oTotal’])

Writes to merchant databases



When an untrusted value is included in an INSERT/UPDATE
query
Merchant employee can easily spot tampered values
Secure communication channels



For synchronous merchant-to-cashier cURL requests
Remove when payment components are present in request parameters
Synchronous requests are sent via secure communication channels,
guarantee the authenticity of payment status
15
Taint Addition Rules

When a conditional check for a cashier-to-merchant
request relies on an exposed signed token, add taint to
the exposed signed token.

Example



Hidden HTML form element: md5($secret . $orderId . $orderTotal)
$_GET['hash'] == md5($secret . $_GET['oId'] . $_GET['oTotal'])
This exposed signed token md5($secret . $orderId . $orderTotal)
nullifies checks on order ID and order total
16
Vulnerability Detection Example
17
18
19
Vulnerability Detection Algorithm

It integrates symbolic execution of merchant nodes
and taint analysis, and connects individual nodes to
explore valid logic flows in e-commerce applications.
20
21
Outline

Introduction





Attack Examples
Approach







Logic Vulnerabilities in E-Commerce Web Applications
Key Challenge
Related Work
Definitions
Taint Rules
Vulnerability Detection Example
Vulnerability Detection Algorithm
Implementation
Evaluation
Conclusion
22
Implementation
A symbolic execution framework that
integrates taint analysis for PHP
23
Outline

Introduction





Attack Examples
Approach







Logic Vulnerabilities in E-Commerce Web Applications
Key Challenge
Related Work
Definitions
Taint Rules
Vulnerability Detection Example
Vulnerability Detection Algorithm
Implementation
Evaluation
Conclusion
24
Evaluation

Subjects: 22 unique payment modules of osCommerce




More than 14,000 registered websites, 928 payment modules, 13
years of history (osCommerce v2.3)
20 out of 46 default modules with distinct CFGs
2 Luottokunta payment modules (v1.2 & v1.3)
Metrics


Effectiveness: Detected 12 logic vulnerabilities (11 new) with no false
positives
Performance
25
26
27
28
Outline

Introduction





Attack Examples
Approach







Logic Vulnerabilities in E-Commerce Web Applications
Key Challenge
Related Work
Definitions
Taint Rules
Vulnerability Detection Example
Vulnerability Detection Algorithm
Implementation
Evaluation
Conclusion
29
Conclusion

First static detection of logic vulnerabilities in ecommerce applications


Based on an application-independent invariant
A scalable symbolic execution framework for PHP applications,
incorporating taint tracking of payment status

Three responsible proof-of-concept experiments on live
websites

Evaluated our tool on 22 unique payment modules and
detected 12 logic vulnerabilities (11 are new)
30
End
Thanks!
Q&A
31