Write a Blog >>
ICSE 2020
Wed 24 June - Thu 16 July 2020
Sat 11 Jul 2020 16:47 - 16:59 at Baekje - A28-Android and Web Testing Chair(s): Reyhaneh Jabbarvand

The sheer complexity of web applications leaves open a large attack surface of business logic. Particularly, in some scenarios, developers have to expose a portion of the logic to the client-side in order to coordinate multiple parties (e.g. merchants, client users, and third-party payment services) involved in a business process. However, such client-side code can be tampered with on the fly, leading to business logic perturbations and financial loss. Although developers become familiar with concepts that the client should never be trusted, given the size and the complexity of the client-side code that may be even incorporated from third parties, it is extremely challenging to understand and pinpoint the vulnerability. To this end, we investigate client-side business flow tampering vulnerabilities and develop a dynamic analysis based approach to automatically identifying such vulnerabilities. We evaluate our technique on $200$ popular real-world websites. With negligible overhead, we have successfully identified $27$ unique vulnerabilities on $23$ websites, such as New York Times, HBO, and YouTube, where an adversary can interrupt business logic to bypass paywalls, disable adblocker detection, earn reward points illicitly, etc.

Sat 11 Jul
Times are displayed in time zone: (UTC) Coordinated Universal Time change

16:05 - 17:05: A28-Android and Web TestingPaper Presentations / Technical Papers / Demonstrations at Baekje
Chair(s): Reyhaneh JabbarvandUniversity of Illinois Urbana-Champaign
16:05 - 16:08
AppTestMigrator: A Tool for Automated Test Migration for Android AppsDemo
Farnaz BehrangGeorgia Tech, Alessandro OrsoGeorgia Tech
16:08 - 16:20
Revealing Injection Vulnerabilities by Leveraging Existing TestsArtifact ReusableTechnicalArtifact Available
Technical Papers
Katherine HoughGeorge Mason University, Gebrehiwet Biyane WelearegaiUniversity of Potsdam, Germany, Christian HammerUniversity of Potsdam, A: Jonathan BellNortheastern University
16:20 - 16:32
Accessibility Issues in Android Apps: State of Affairs, Sentiments, and Ways ForwardTechnical
Technical Papers
Abdulaziz AlshaybanUniversity of California, Irvine, Iftekhar AhmedUniversity of California at Irvine, USA, Sam MalekUniversity of California, Irvine
16:32 - 16:35
WasmView: Visual Testing for WebAssembly ApplicationsDemo
Alan RomanoUniversity at Buffalo, SUNY, Weihang WangUniversity at Buffalo, SUNY
16:35 - 16:47
Extracting Taint Specifications for JavaScript LibrariesTechnical
Technical Papers
Cristian-Alexandru StaicuTU Darmstadt, Martin Toldam TorpAarhus University, Max SchaeferGitHub, Inc., Anders MøllerAarhus University, Michael PradelUniversity of Stuttgart
Pre-print Media Attached
16:47 - 16:59
Finding Client-side Business Flow Tampering VulnerabilitiesTechnical
Technical Papers
I Luk KimPurdue University, Yunhui ZhengIBM Research, Hogun ParkPurdue University, Weihang WangUniversity at Buffalo, SUNY, Wei YouRenmin University of China, Yousra AaferPurdue University, Xiangyu ZhangPurdue University