BLProM: A black-box approach for detecting business-layer processes in the web applications

Publication year: 1398 (Solar Hijri, i.e. 2019/2020)
Document type: journal article
Language: English
Views: 249

The full text of this article is available as a 16-page PDF.

National scientific document ID:

JR_JCSE-6-2_003

Indexing date: 19 Bahman 1399 (7 February 2021)

Abstract:

Web application vulnerability scanners cannot detect business logic vulnerabilities (vulnerabilities in the application's own logic) because they do not understand the business logic of the web application. To identify that logic, this paper presents BLProM, Business-Layer Process Miner, a black-box approach that identifies the business processes of a web application. Detecting these processes can be used in dynamic security testing to identify business logic vulnerabilities. BLProM first extracts the navigation graph of the web application and then identifies business processes from that graph. An evaluation on three well-known open-source web applications shows that BLProM can detect business logic processes. Experimental results show that BLProM improves web application scanning because it clusters web application pages and avoids scanning similar pages. The proposed approach is compared to OWASP ZAP, an open-source web scanner; we show that BLProM improves web application scanning by about 96%.
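The abstract states the two ideas the approach rests on: cluster similar pages so that a scanner does not revisit them, and read business processes off the navigation graph. The toy below, added here as an illustration and not BLProM's own code, shows how those steps fit together. It assumes a hypothetical structural key for clustering (URL path template plus HTML tag skeleton) and uses a constructed crawl of a small shop; the paper's real clustering criterion and process definition are not given on this page.

```python
"""Toy business-layer process miner over a crawled navigation graph.

Added illustration, not BLProM's own code. Assumptions (all constructed):
a crawler has recorded every visited page as (url, html) and every
click/form submission as (from_url, to_url). Pages are clustered by a
hypothetical structural key (URL path template + HTML tag skeleton), the
navigation graph is built over clusters, and candidate business processes
are the simple paths from the entry cluster to clusters with no outgoing
edge. The paper's actual clustering criterion is not given on this page.
"""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

_NUMERIC = re.compile(r"^\d+$")


def url_template(url: str) -> str:
    """'/products/17' -> '/products/{id}'; query values dropped, keys kept."""
    parts = urlsplit(url)
    segs = ["{id}" if _NUMERIC.match(s) else s for s in parts.path.split("/") if s]
    keys = sorted(p.split("=", 1)[0] for p in parts.query.split("&") if p)
    return "/" + "/".join(segs) + ("?" + ",".join(keys) if keys else "")


class _Skeleton(HTMLParser):
    """Records the sequence of start tags; text and attributes are ignored."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def skeleton(html: str) -> tuple[str, ...]:
    p = _Skeleton()
    p.feed(html)
    return tuple(p.tags)


def cluster_pages(pages):
    """Return {url: cluster}. Same template + same skeleton => same cluster."""
    by_key, per_template, url2cluster = {}, defaultdict(int), {}
    for url, html in pages:
        key = (url_template(url), skeleton(html))
        if key not in by_key:  # same template but different skeleton gets a suffix
            n = per_template[key[0]]
            per_template[key[0]] += 1
            by_key[key] = key[0] if n == 0 else f"{key[0]}~{n}"
        url2cluster[url] = by_key[key]
    return url2cluster


def build_graph(transitions, url2cluster):
    """Navigation graph over clusters; edges between similar pages are dropped."""
    graph = defaultdict(set)
    for src, dst in transitions:
        a, b = url2cluster[src], url2cluster[dst]
        if a != b:
            graph[a].add(b)
    return graph


def extract_processes(graph, entry):
    """Simple paths entry -> sink cluster; cycles (e.g. cart -> home) are cut."""
    found = []

    def walk(node, path):
        if not graph.get(node):          # sink: no outgoing edge at all
            found.append(tuple(path))
            return
        for nxt in sorted(graph[node] - set(path)):
            walk(nxt, path + [nxt])

    walk(entry, [entry])
    return found


def mine(pages, transitions, entry="/"):
    url2cluster = cluster_pages(pages)
    return extract_processes(build_graph(transitions, url2cluster), url2cluster[entry])


# Constructed crawl of a toy shop: 10 concrete pages, 12 observed transitions.
_PRODUCT = "<html><body><nav></nav><h1></h1><form><button></button></form></body></html>"
_LIST = "<html><body><nav></nav><ul><li><a></a></li></ul></body></html>"
_ORDER = "<html><body><nav></nav><p></p></body></html>"
PAGES = [
    ("/", _LIST),
    ("/search?q=shoes", _LIST), ("/search?q=hats", _LIST),
    ("/products/17", _PRODUCT), ("/products/42", _PRODUCT), ("/products/99", _PRODUCT),
    ("/cart", "<html><body><nav></nav><table><tr><td></td></tr></table><a></a></body></html>"),
    ("/checkout", "<html><body><nav></nav><form><input><input><button></button></form></body></html>"),
    ("/order/1001", _ORDER), ("/order/1002", _ORDER),
]
TRANSITIONS = [
    ("/", "/products/17"), ("/", "/products/42"), ("/", "/search?q=shoes"),
    ("/search?q=shoes", "/products/99"), ("/search?q=hats", "/products/42"),
    ("/products/17", "/cart"), ("/products/42", "/cart"), ("/products/99", "/cart"),
    ("/cart", "/checkout"), ("/cart", "/"),          # "continue shopping" closes a cycle
    ("/checkout", "/order/1001"), ("/checkout", "/order/1002"),
]

if __name__ == "__main__":
    u2c = cluster_pages(PAGES)
    print(f"{len(PAGES)} pages -> {len(set(u2c.values()))} clusters")
    for proc in mine(PAGES, TRANSITIONS):
        print(" -> ".join(proc))
```

On this constructed crawl the 10 concrete pages collapse to 6 clusters, and two candidate processes fall out of the cluster graph (home or search, then product, cart, checkout, order). A scanner driven by such a graph would fuzz each step of a process once per cluster instead of once per product or order page, which is the saving the abstract describes; the reduction here is a property of the toy data, not the 96% figure reported in the paper.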

Authors

Mitra Alidoosti

Malek-Ashtar University of technology, Tehran, Iran.

Alireza Nowroozi

Malek-Ashtar University of technology, Tehran, Iran.

Ahmad Nickabadi

Amirkabir University of Tehran, Tehran, Iran.
