Research area: Analysis
Venue: International Journal of Information Security
Understanding an application's business logic helps to detect race conditions in web applications. There is no logic-aware approach for detecting race conditions. Current solutions detect only a few race conditions or produce false positives. They also result in DoS because they send a large number of requests in parallel to the application to create a race condition. In this paper, various client-side race conditions in a web application are classified and described. In addition, we present business-layer client-side racer (BLCSR), a black-box solution for dynamic security testing that detects client-side race conditions in the business layer of web applications. Experiments showed that BLCSR can detect client-side race conditions. It improved the vulnerability detection time by about 96.7% and lowered the amount of traffic generated to identify vulnerabilities by 98.29%. Thus, BLCSR does not result in DoS.
| Publication year | 2023 |
|---|---|
| Citations | 0 |
| Country of publication | Iran, Andorra |
| Site | Springer |