December 2, 2016
Avinash Sudhodanan
The advent of Software-as-a-Service (SaaS) has led to the development of Multi-Party Web Applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and on protocols such as Single Sign-On and Cashier-as-a-Service to deliver business services to users. Motivated by the large number of attacks discovered in MPWAs and by the lack of a single, general-purpose, application-agnostic technique to support their discovery, we propose an automatic technique based on attack patterns for black-box security testing of MPWAs. Our approach stems from the observation that attacks against MPWAs share a number of similarities, even when the underlying protocols and services differ. First, we present a methodology by which security experts can create attack patterns from known attacks. Second, we present a security testing framework that leverages attack patterns to automatically generate attack test cases against a target MPWA. We created 7 attack patterns (targeting 6 different replay attacks and a CSRF attack) that correspond to 13 prominent attacks from the literature, implemented our security testing framework on top of OWASP ZAP (a popular, open-source penetration testing tool), and discovered 21 previously unknown vulnerabilities in many prominent MPWAs (e.g., developer.linkedin.com, pinterest.com, Stripe Checkout).