Business-layer client-side racer: dynamic security testing of the web application against client-side race condition in the business layer

被引：0

作者：

Alidoosti, Mitra ^{[1
]}

Nowroozi, Alireza ^{[2
]}

Nickabadi, Ahmad ^{[3
]}

机构：

[1] Iran Univ Sci & Technol, Tehran, Iran

[2] IRIB Univ Tehran, Tehran, Iran

[3] Amirkabir Univ Tehran, Tehran, Iran

来源：

INTERNATIONAL JOURNAL OF INFORMATION SECURITY | 2023年 / 22卷 / 04期

关键词：

Dynamic testing; Vulnerability analysis; Web application; Business process; Race condition; AJAX events;

D O I：

10.1007/s10207-023-00671-5

中图分类号：

TP [自动化技术、计算机技术];

学科分类号：

0812 ;

摘要：

Understanding the business logic of the application helps to detect the race conditions in web applications. There is no logic-aware approach for detecting race conditions. Current solutions can detect only a few race conditions or they have false positives. They also result in DoS because they send a large number of requests in parallel to the application for creating a race condition. In this paper, various client-side race conditions in a web application are classified and described. In addition, we present business-layer client-side racer (BLCSR), a black-box solution for dynamic security testing to detect client-side race conditions in the business layer of the web applications. Experiments showed that BLCSR can detect client-side race conditions. It improved the vulnerability detection time by about 96.7%. The amount of traffic generated to identify vulnerabilities has been lowered by 98.29%. Thus, BLCSR does not result in DoS.

引用

页码：1029 / 1054

页数：26

共 26 条

[1]

Adamsen C.Q., 2018, P 26 ACM JOINT M EUR

[2] Practical initialization race detection for JavaScript web applications [J].