ICSE 2020
Wed 24 June - Thu 16 July 2020
Sat 11 Jul 2020 16:47 - 16:59 at Baekje - A28-Android and Web Testing Chair(s): Reyhaneh Jabbarvand

The sheer complexity of web applications leaves open a large attack surface of business logic. In particular, in some scenarios developers have to expose a portion of the logic to the client side in order to coordinate the multiple parties (e.g., merchants, client users, and third-party payment services) involved in a business process. However, such client-side code can be tampered with on the fly, leading to business logic perturbations and financial loss. Although developers are familiar with the concept that the client should never be trusted, the size and complexity of the client-side code, which may even be incorporated from third parties, make it extremely challenging to understand and pinpoint the vulnerability. To this end, we investigate client-side business flow tampering vulnerabilities and develop a dynamic-analysis-based approach to automatically identify such vulnerabilities. We evaluate our technique on 200 popular real-world websites. With negligible overhead, we have successfully identified 27 unique vulnerabilities on 23 websites, such as New York Times, HBO, and YouTube, where an adversary can interrupt business logic to bypass paywalls, disable adblocker detection, earn reward points illicitly, etc.

Sat 11 Jul

Displayed time zone: (UTC) Coordinated Universal Time

16:05 - 17:05
A28-Android and Web Testing (Technical Papers / Demonstrations) at Baekje
Chair(s): Reyhaneh Jabbarvand University of Illinois Urbana-Champaign
16:05
3m
Talk
AppTestMigrator: A Tool for Automated Test Migration for Android Apps
Demonstrations
Farnaz Behrang Georgia Tech, Alessandro Orso Georgia Tech
16:08
12m
Talk
Revealing Injection Vulnerabilities by Leveraging Existing Tests (Artifact Reusable, Artifact Available)
Technical Papers
Katherine Hough George Mason University, Gebrehiwet Biyane Welearegai University of Potsdam, Germany, Christian Hammer University of Potsdam, A: Jonathan Bell Northeastern University
16:20
12m
Talk
Accessibility Issues in Android Apps: State of Affairs, Sentiments, and Ways Forward
Technical Papers
Abdulaziz Alshayban University of California, Irvine, Iftekhar Ahmed University of California at Irvine, USA, Sam Malek University of California, Irvine
16:32
3m
Talk
WasmView: Visual Testing for WebAssembly Applications
Demonstrations
Alan Romano University at Buffalo, SUNY, Weihang Wang University at Buffalo, SUNY
16:35
12m
Talk
Extracting Taint Specifications for JavaScript Libraries
Technical Papers
Cristian-Alexandru Staicu TU Darmstadt, Martin Toldam Torp Aarhus University, Max Schaefer GitHub, Inc., Anders Møller Aarhus University, Michael Pradel University of Stuttgart
16:47
12m
Talk
Finding Client-side Business Flow Tampering Vulnerabilities
Technical Papers
I Luk Kim Purdue University, Yunhui Zheng IBM Research, Hogun Park Purdue University, Weihang Wang University at Buffalo, SUNY, Wei You Renmin University of China, Yousra Aafer Purdue University, Xiangyu Zhang Purdue University