TC: Small: Plugging Logic Loopholes in Hybrid Web Applications to Secure Web Commerce

TC：小：堵塞混合 Web 应用程序中的逻辑漏洞以保护 Web 商务

• 批准号: 1117106
• 负责人: XiaoFeng Wang
• 金额: $ 50万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-09-01 至 2015-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1117106&HistoricalAwards=false
• 关键词: TC; Small; Plugging; Logic; Loopholes

With the increasing popularity of third-party services integrated in hybrid web applications, come new security challenges posed by the complexity in coordinating these individual services and the web client. Such complexity often brings in program logic flaws that can be exploited to induce inconsistencies among different services' internal states, causing the security control within these applications to fail. A preliminary study of this research investigated the security implications of the problem to online merchants that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout). It revealed stunning logic loopholes within leading merchant applications, popular online stores and a prestigious payment service provider, which can be exploited to purchase an item at an arbitrarily low price, shop for free after paying for one item, or even completely avoid payment. These findings point to a disturbing lack of understanding of the logic flaws within the integrations of web services, and an urgent need for significant research efforts on this important problem. This project endeavors to gain an in-depth understanding about the scope and the magnitude of the security threat posed by the logic flaws in hybrid web applications and the common design pitfalls that lead to such vulnerability. Based upon this understanding, it will study novel technologies to facilitate detection and patching of these flaws when developing merchant software, security analysis of other parties' applications and black-box testing of merchant websites. New techniques will also be developed to enable web-service providers to better support secure integrations of their services into merchant systems, and to automatically detect the attempts to exploit these logic flaws in web transactions. This research involves industry collaborators and will also contribute to the improvement of security protection in other domains that utilize hybrid web applications.

随着在混合Web应用程序中集成到的第三方服务的日益普及，由于协调这些个人服务和Web客户端的复杂性带来了新的安全挑战。这种复杂性通常会带来程序逻辑缺陷，可以利用这些缺陷来引起不同服务的内部状态之间的矛盾，从而导致这些应用程序内的安全控制失败。 对这项研究的初步研究调查了该问题对通过第三方出纳员（例如PayPal，Amazon Payments和Google Checkout）接受付款的在线商人的安全含义。 它揭示了领先的商户应用程序，受欢迎的在线商店和享有声望的支付服务提供商中令人惊叹的逻辑漏洞，可以利用以任意低价购买商品，在购买一件商品后免费购物，甚至完全避免付款。这些发现表明，缺乏对Web服务集成中逻辑缺陷的理解，迫切需要对这一重要问题进行重大研究工作。该项目努力获得对混合Web应用程序中逻辑缺陷和导致这种脆弱性的常见设计陷阱所构成的范围和安全威胁的幅度的深入了解。 基于这种理解，它将研究新型技术，以促进开发商户软件时这些缺陷的检测和修补，对其他各方应用程序的安全分析以及商户网站的黑盒测试。 还将开发新技术，以使网络服务提供商能够更好地支持其服务的安全集成到商家系统中，并自动检测在Web交易中利用这些逻辑缺陷的尝试。这项研究涉及行业合作者，还将有助于改善利用混合Web应用程序的其他领域的安全保护。