Evaluating the web‐application resiliency to business‐layer DoS attacks


Bibliographic Details
Main Authors: Mitra Alidoosti, Alireza Nowroozi, Ahmad Nickabadi
Format: Article
Language: English
Published: Electronics and Telecommunications Research Institute (ETRI), 2019-12-01
Series: ETRI Journal
Subjects: black‐box testing; business layer; business process; denial‐of‐service (DoS) attack; logic vulnerability; web‐application security
Online Access: https://doi.org/10.4218/etrij.2019-0164
Abstract

A denial‐of‐service (DoS) attack is a serious attack that targets web applications. According to Imperva, DoS attacks in the application layer comprise 60% of all the DoS attacks. Nowadays, attacks have grown into application‐ and business‐layer attacks, and vulnerability‐analysis tools are unable to detect business‐layer vulnerabilities (logic‐related vulnerabilities). This paper presents the business‐layer dynamic application security tester (BLDAST) as a dynamic, black‐box vulnerability‐analysis approach to identify the business‐logic vulnerabilities of a web application against DoS attacks. BLDAST evaluates the resiliency of web applications by detecting vulnerable business processes. The evaluation of six widely used web applications shows that BLDAST can detect the vulnerabilities with 100% accuracy. BLDAST detected 30 vulnerabilities in the selected web applications; more than half of the detected vulnerabilities were new and unknown. Furthermore, the precision of BLDAST for detecting the business processes is shown to be 94%, while the generated user navigation graph is improved by 62.8% because of the detection of similar web pages.