Defying Logic - Theory, Design, And Implementation Of Complex Systems For Testing Application Logic presented at Blackhat Europe 2011

by Rafal Los (Hewlett Packard)

Tags: Security

Summary: Flaws in the business logic of web-based applications have long been ignored, partly because they are so difficult to explain to developers, but mainly because they are so difficult to test for in a consistent manner. Today, security testing for business logic flaws is done manually, and it is painstakingly difficult work which requires an in-depth understanding of application purpose and function as well as underlying logic. This talk will feature research which focuses on automating (as much as possible) the modeling and detection of business logic flaws in web-based applications. What are the principles behind partially and fully automated business logic flaw detection?
While it may never be possible to fully automate business logic flaw detection (à la artificial intelligence), the research hypothesizes that it IS possible to create a framework tool which allows a tester armed with appropriate application knowledge to ‘fuzz business logic’ in a meaningful way. The research will present a proof-of-concept framework tool that enables this type of modular testing. A theoretical perspective as well as a practical implementation will be shared, balancing theory and reality in one of the most difficult areas of application security.