detecting logic vulnerabilities in e-commerce applications

1

Detecting Logic Vulnerabilities in E-Commerce Applications

Presenter: Liu YinSlides Adapted from Fangqi Sun

Computer Science DepartmentCollege of William & Mary

2

Outline Introduction

Logic Vulnerabilities in E-Commerce Web Applications Key Challenge Related Work

Attack Examples Approach

Definitions Taint Rules Vulnerability Detection Example Vulnerability Detection Algorithm

Implementation Evaluation Conclusion

3

Logic Vulnerabilities in E-Commerce Web Applications

Third-party cashiers Bridge the trustiness gap

between customers and merchants

Complicate logic flows during checkout

Logic vulnerabilities Both track payment status,

miscommunication Insufficient or missing checks

on payment status Purchase with incorrect or no

payment

User

Merchant

CashierPayment of order total in currency for order ID to merchant ID

4

Key Challenge Logic vulnerabilities in e-commerce web applications are

application-specific Thorough code review of all possible logic flows is non-trivial Various application-specific logic flows, cashier APIs and security

checks make automated detection difficult

Key challenge of automated detection

5

Related Work Wang et al. [30, 33]

First to perform security analysis on Cashier-as-a-Service based e-commerce applications.

Found several serious logic vulnerabilities in a few popular e-commerce applications via manual code reviews

Proposed a proxy-based approach to dynamically secure third-party web service integrations which include the integration of cashiers

This paper provide an application-independent invariant propose the first static analysis to detect logic vulnerabilities

6

Key Insight A common invariant for automated detection

7






8

Attack on Currency

9

Attack on Order ID

10

Attack on Merchant ID

11

Illustrative Example

Payment module Luottokunta (version 1.3)

12






13

Approach Combines symbolic execution and taint analysis

to detect violations of the invariant by tracking tainted payment status and analyzing critical logic flows among merchants, cashiers and users.

A symbolic execution framework that explores critical control flows exhaustively

Tracking taint annotations for the critical components Payment status

Order ID, Order total, Merchant ID, Currency Exposed signed token

An encrypted value that is signed with a cashier-merchant secret Act as cashier’s signature

14

Approach - Definitions Merchant Cashier User Logic Flows in E-commerce Applications :

Communications between merchant nodes, cashier nodes and user. represented as II = {(ni , Qi) -> (nj , Qj) | 0 <i , j<k}.

Logic State Consists of taint annotations and links to other valid nodes of a checkout

process. Logic state stores taint annotations for the following payment status

components and exposed signed tokens.( OrderID, OrderTotal, MerchantID, Currency, exposed signed tokens( Secret_key ) )

Logic Vulnerabilities in E-commerce Applications Exists when for any accepted order ID, the merchant cannot verify that

the user has correctly paid the cashier the amount of order total in the expected currency to merchant ID.

15

Taint Removal RulesInitially all tainted. When correctly verifies the taint should be removed Conditional checks of (in)equality

When an untrusted value is verified against a trusted one Example of removing taint from order total

md5(SECRET . $_SESSION[‘order’] [‘total’]) == md5(SECRET . $_GET[‘oTotal’])

Writes to merchant databases When an untrusted value is included in an INSERT/UPDATE

query Merchant employee can easily spot tampered values

Secure communication channels For synchronous merchant-to-cashier cURL requests Remove when payment components are present in request parameters Synchronous requests are sent via secure communication channels,

guarantee the authenticity of payment status

16

Taint Addition Rules When a conditional check for a cashier-to-merchant

request relies on an exposed signed token, add taint to the exposed signed token.

Example Hidden HTML form element: md5($secret . $orderId . $orderTotal) $_GET['hash'] == md5($secret . $_GET['oId'] . $_GET['oTotal']) This exposed signed token md5($secret . $orderId . $orderTotal)

nullifies checks on order ID and order total

17

Vulnerability Detection Example

20

Vulnerability Detection Algorithm It integrates symbolic execution of merchant nodes

and taint analysis, and connects individual nodes to explore valid logic flows in e-commerce applications.

22






23

ImplementationA symbolic execution framework that integrates taint analysis for PHP

24






25

Evaluation Subjects: 22 unique payment modules of osCommerce

More than 14,000 registered websites, 928 payment modules, 13 years of history (osCommerce v2.3)

20 out of 46 default modules with distinct CFGs 2 Luottokunta payment modules (v1.2 & v1.3)

Metrics Effectiveness: Detected 12 logic vulnerabilities (11 new) with no false

positives Performance

29






30

Conclusion First static detection of logic vulnerabilities in e-

commerce applications Based on an application-independent invariant A scalable symbolic execution framework for PHP applications,

incorporating taint tracking of payment status

Three responsible proof-of-concept experiments on live websites

Evaluated our tool on 22 unique payment modules and detected 12 logic vulnerabilities (11 are new)

31

End

Thanks!Q&A

detecting logic vulnerabilities in e-commerce applications

Documents

serious logic vulnerabilities

possible logic flows

logic vulnerability

ecommerce web ap plications

payment statuspurchase

merchant id

key insighta common

secure checkout processes