Team for Research in
Ubiquitous Secure Technology

BLOCK: a black-box approach for detection of state violation attacks towards web applications
Xiaowei Li, Yuan Xue

Citation
Xiaowei Li, Yuan Xue. "BLOCK: a black-box approach for detection of state violation attacks towards web applications". Proceedings of the 27th Annual Computer Security Applications Conference, 2011.

Abstract
State violation attacks towards web applications exploit logic flaws and allow restrictive functions and sensitive information to be accessed at inappropriate states. Since application logic flaws are specific to the intended functionality of a particular web application, it is difficult to develop a general approach that addresses state violation attacks. To date, existing approaches all require web application source code for analysis or instrumentation in order to detect state violations.

In this paper, we present BLOCK, a BLack-bOx approach for detecting state violation attaCKs. We regard the web application as a stateless system and infer the intended web application behavior model by observing the interactions between the clients and the web application. We extract a set of invariants from the web request/response sequences and their associated session variable values during its attack-free execution. The set of invariants is then used for evaluating web requests and responses at runtime. Any web request or response that violates the associated invariants is identified as a potential state violation attack. We develop a system prototype based on the WebScarab proxy and evaluate our detection system using a set of real-world web applications. The experiment results demonstrate that our approach is effective at detecting state violation attacks and incurs acceptable performance overhead. Our approach is valuable in that it is independent of the web application source code and can easily scale up.
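To make the abstract's idea concrete, here is a small illustration added by the editor (not code from the BLOCK paper or its WebScarab prototype): it learns two simple invariant kinds from constructed attack-free traces, the session-variable values and the immediate predecessor request observed for each request, and then reports which invariants a runtime request violates. The trace format (request string plus the session variables visible before it) and the two invariant kinds are assumptions chosen for brevity; the paper's invariant language is richer.

```python
from collections import defaultdict

# Constructed attack-free traces: each session is an ordered list of
# (request, session_variables_before_request). In the black-box setting
# these come from observing client/application interactions at a proxy.
TRAINING_SESSIONS = [
    [("GET /login", {"logged_in": "0", "role": "guest"}),
     ("POST /login", {"logged_in": "0", "role": "guest"}),
     ("GET /cart", {"logged_in": "1", "role": "user"}),
     ("POST /checkout", {"logged_in": "1", "role": "user"})],
    [("GET /login", {"logged_in": "0", "role": "guest"}),
     ("POST /login", {"logged_in": "0", "role": "guest"}),
     ("GET /admin", {"logged_in": "1", "role": "admin"}),
     ("POST /admin/delete_user", {"logged_in": "1", "role": "admin"})],
]


def learn_invariants(sessions):
    """Derive, per request, the set of session-variable values and the set
    of immediately preceding requests seen during attack-free execution."""
    values = defaultdict(lambda: defaultdict(set))  # req -> var -> {vals}
    preds = defaultdict(set)                         # req -> {prev reqs}
    for trace in sessions:
        prev = None  # None marks the first request of a session
        for req, sess in trace:
            for var, val in sess.items():
                values[req][var].add(val)
            preds[req].add(prev)
            prev = req
    return {"values": values, "preds": preds}


def check_request(model, req, sess, prev):
    """Evaluate one runtime request against the learned invariants.
    Returns the list of violated invariants; an empty list means the
    request is consistent with the attack-free behaviour model."""
    if req not in model["values"]:
        return ["request never observed during training"]
    violations = []
    for var, allowed in model["values"][req].items():
        if sess.get(var) not in allowed:
            violations.append(
                f"{var}={sess.get(var)!r} not in {sorted(allowed)}")
    if prev not in model["preds"][req]:
        violations.append(f"predecessor {prev!r} never observed")
    return violations
```

A request such as `POST /admin/delete_user` issued from a session whose `role` is `user` violates the value invariant learned for that request, which is the kind of state violation the approach is meant to flag.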

Citation formats
  • HTML
    Xiaowei Li, Yuan Xue. <a
    href="http://www.truststc.org/pubs/883.html"
    >BLOCK: a black-box approach for detection of state
    violation attacks towards web applications</a>,
    Proceedings of the 27th Annual Computer Security
    Applications Conference, 2011.
  • Plain text
    Xiaowei Li, Yuan Xue. "BLOCK: a black-box approach for
    detection of state violation attacks towards web
    applications". Proceedings of the 27th Annual Computer
    Security Applications Conference, 2011.
  • BibTeX
    @inproceedings{LiXue11_BLOCKBlackboxApproachForDetectionOfStateViolationAttacks,
        author = {Xiaowei Li and Yuan Xue},
        title = {BLOCK: a black-box approach for detection of state
                  violation attacks towards web applications},
        booktitle = {Proceedings of the 27th Annual Computer Security
                  Applications Conference},
        year = {2011},
        abstract = {State violation attacks towards web applications
                  exploit logic flaws and allow restrictive
                  functions and sensitive information to be accessed
                  at inappropriate states. Since application logic
                  flaws are specific to the intended functionality
                  of a particular web application, it is difficult
                  to develop a general approach that addresses state
                  violation attacks. To date, existing approaches
                  all require web application source code for
                  analysis or instrumentation in order to detect
                  state violations. <p> In this paper, we present
                  BLOCK, a BLack-bOx approach for detecting state
                  violation attaCKs. We regard the web application
                  as a stateless system and infer the intended web
                  application behavior model by observing the
                  interactions between the clients and the web
                  application. We extract a set of invariants from
                  the web request/response sequences and their
                  associated session variable values during its
                  attack-free execution. The set of invariants is
                  then used for evaluating web requests and
                  responses at runtime. Any web request or response
                  that violates the associated invariants is
                  identified as a potential state violation attack.
                  We develop a system prototype based on the
                  WebScarab proxy and evaluate our detection system
                  using a set of real-world web applications. The
                  experiment results demonstrate that our approach
                  is effective at detecting state violation attacks
                  and incurs acceptable performance overhead. Our
                  approach is valuable in that it is independent of
                  the web application source code and can easily
                  scale up.},
        URL = {http://www.truststc.org/pubs/883.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.