Detecting application logic vulnerabilities via finding incompatibility between application design and implementation

Abstract

Logic vulnerabilities are due to defects in the implementation of the application logic, such that the implemented logic is not the logic that was expected. Indeed, the pattern of such vulnerabilities depends on the design and business logic of the application. There are no specific and common patterns for application logic vulnerabilities in commercial applications. In this study, a method named FINAD is introduced to detect application logic vulnerabilities using an activity flow graph (AFG) to find the incompatibilities of an implemented application with its design. In this work, the AFG, consisting of the activity diagram (AD) and control flow graph (CFG), is presented for the first time. Investigation of different common types of application logic vulnerabilities indicated that the majority of such vulnerabilities could be detected by conducting a static analysis on an AFG. The FINAD method is independent of the language and can be used for vulnerability detection in any programming language, provided that the AD is available and the CFG of the program can be created. Implementation of FINAD for the PHP language showed its effectiveness in detecting known logic vulnerabilities in the CVE vulnerability database.

Ghorbanzadeh, M., & Shahriari, H. R. (2020). Detecting application logic vulnerabilities via finding incompatibility between application design and implementation. IET Software, 14(4), 377–388. https://doi.org/10.1049/iet-sen.2019.0186
