Service interruption on Monday 11 July from 12:30 to 13:00: all the sites of the CCSD (HAL, EpiSciences, SciencesConf, AureHAL) will be inaccessible (network hardware connection).
Skip to Main content Skip to Navigation

Detection of logic flaws in multi-party business applications via security testing

Abstract : Multi-party business applications are distributed computer programs implementing collaborative business functions. These applications are one of the main target of attackers who exploit vulnerabilities in order to perform malicious activities. The most prevalent classes of vulnerabilities are the consequence of insufficient validation of the user-provided input. However, the less-known class of logic vulnerabilities recently attracted the attention of researcher. According to the availability of software documentation, two testing techniques can be used: design verification via model checking, and black-box security testing. However, the former offers no support to test real implementations and the latter lacks the sophistication to detect logic flaws. In this thesis, we present two novel security testing techniques to detect logic flaws in multi-party business applicatons that tackle the shortcomings of the existing techniques. First, we present the verification via model checking of two security protocols. We then address the challenge of extending the results of the model checker to automatically test protocol implementations. Second, we present a novel black-box security testing technique that combines model inference, extraction of workflow and data flow patterns, and an attack pattern-based test case generation algorithm. Finally, we discuss the application of the technique developed in this thesis in an industrial setting. We used these techniques to discover previously-unknown design errors in SAML SSO and OpenID protocols, and ten logic vulnerabilities in eCommerce applications allowing an attacker to pay less or shop for free.
Document type :
Complete list of metadata
Contributor : ABES STAR :  Contact
Submitted on : Monday, September 7, 2015 - 5:17:21 PM
Last modification on : Friday, July 31, 2020 - 10:44:08 AM
Long-term archiving on: : Wednesday, April 26, 2017 - 6:35:08 PM


Version validated by the jury (STAR)


  • HAL Id : tel-01194884, version 1


Giancarlo Pellegrino. Detection of logic flaws in multi-party business applications via security testing. Cryptography and Security [cs.CR]. Télécom ParisTech, 2013. English. ⟨NNT : 2013ENST0064⟩. ⟨tel-01194884⟩



Record views


Files downloads