
Research Spending & Results

Award Detail

Awardee:TRUSTEES OF INDIANA UNIVERSITY
Doing Business As Name:Indiana University
PD/PI:
  • XiaoFeng Wang
  • (812) 856-1862
  • xw7@indiana.edu
Award Date:08/18/2011
Estimated Total Award Amount: $ 499,987
Funds Obligated to Date: $ 499,987
  • FY 2011=$499,987
Start Date:09/01/2011
End Date:08/31/2015
Transaction Type:Grant
Agency:NSF
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:TC: Small: Plugging Logic Loopholes in Hybrid Web Applications to Secure Web Commerce
Federal Award ID Number:1117106
DUNS ID:006046700
Parent DUNS ID:006046700
Program:TRUSTWORTHY COMPUTING
Program Officer:
  • Sol Greenspan
  • (703) 292-7841
  • sgreensp@nsf.gov

Awardee Location

Street:509 E 3RD ST
City:Bloomington
State:IN
ZIP:47401-3654
County:Bloomington
Country:US
Awardee Cong. District:09

Primary Place of Performance

Organization Name:Indiana University
Street:509 E 3RD ST
City:Bloomington
State:IN
ZIP:47401-3654
County:Bloomington
Country:US
Cong. District:09

Abstract at Time of Award

With the increasing popularity of third-party services integrated in hybrid web applications come new security challenges, posed by the complexity of coordinating these individual services and the web client. Such complexity often brings in program logic flaws that can be exploited to induce inconsistencies among the different services' internal states, causing the security controls within these applications to fail. A preliminary study for this research investigated the security implications of the problem for online merchants that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout). It revealed stunning logic loopholes within leading merchant applications, popular online stores and a prestigious payment service provider, which can be exploited to purchase an item at an arbitrarily low price, shop for free after paying for one item, or even completely avoid payment. These findings point to a disturbing lack of understanding of the logic flaws within integrations of web services, and an urgent need for significant research effort on this important problem. This project endeavors to gain an in-depth understanding of the scope and magnitude of the security threat posed by logic flaws in hybrid web applications, and of the common design pitfalls that lead to such vulnerabilities. Based upon this understanding, it will study novel technologies to facilitate detection and patching of these flaws when developing merchant software, security analysis of other parties' applications, and black-box testing of merchant websites. New techniques will also be developed to enable web-service providers to better support secure integration of their services into merchant systems, and to automatically detect attempts to exploit these logic flaws in web transactions. This research involves industry collaborators and will also contribute to improved security protection in other domains that utilize hybrid web applications.
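The three exploit outcomes the abstract lists (arbitrarily low price, shopping for free after one payment, avoiding payment entirely) all come from the same root cause: the merchant accepts the cashier's payment notification without binding it to its own record of the order. The following is an added example, not code from the project or from the paper it refers to, that replays those three flaw classes against a deliberately vulnerable merchant handler and against a hardened one. The notification layout, field names, the HMAC signing scheme and the assumption that the merchant's order id travels unsigned (for instance as a return-URL parameter) are all constructed for illustration.

```python
"""Constructed example: merchant-side handling of a third-party cashier's
payment notification, in a deliberately vulnerable form and a hardened form.
Added for illustration; not the project's code. Message layout, field names
and HMAC signing are assumptions loosely modelled on IPN-style callbacks."""

from dataclasses import dataclass
from decimal import Decimal
import hashlib
import hmac

CASHIER_KEY = b"demo-shared-secret"   # assumed: key the cashier signs notifications with
ATTACKER_KEY = b"not-the-real-key"    # assumed: a key the attacker made up

# assumption: the cashier signs only the fields it controls; order_id is
# passed through unsigned, so binding payment to order is the merchant's job
SIGNED_FIELDS = ("txn_id", "payee", "amount", "currency", "status")


@dataclass
class Order:
    order_id: str
    amount: Decimal
    currency: str
    paid: bool = False


def cashier_sign(note: dict, key: bytes = CASHIER_KEY) -> str:
    """HMAC-SHA256 over the cashier-controlled fields, in fixed order."""
    canon = "&".join(f"{k}={note[k]}" for k in SIGNED_FIELDS)
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def notification(txn_id, payee, amount, currency, order_id,
                 key=CASHIER_KEY, status="Completed"):
    """Constructed cashier callback: signed fields plus an unsigned order_id."""
    note = {"txn_id": txn_id, "payee": payee, "amount": amount,
            "currency": currency, "status": status, "order_id": order_id}
    note["sig"] = cashier_sign(note, key)
    return note


class VulnerableMerchant:
    """Marks whatever order the notification names as paid, checking nothing else."""
    def __init__(self, orders):
        self.orders = {o.order_id: o for o in orders}

    def on_payment(self, note):
        if note.get("status") != "Completed":
            return False
        self.orders[note["order_id"]].paid = True      # amount, payee, sig never checked
        return True


class HardenedMerchant:
    """Binds every notification to the merchant's own record before crediting it."""
    def __init__(self, orders, payee):
        self.orders = {o.order_id: o for o in orders}
        self.payee = payee
        self.seen_txn = set()          # would be persisted in a real deployment

    def on_payment(self, note):
        if not hmac.compare_digest(cashier_sign(note), note.get("sig", "")):
            return False                               # not signed by the cashier
        if note["status"] != "Completed" or note["payee"] != self.payee:
            return False                               # unpaid, or paid to someone else
        order = self.orders.get(note["order_id"])
        if order is None or order.paid:
            return False                               # unknown or already settled
        if Decimal(note["amount"]) != order.amount or note["currency"] != order.currency:
            return False                               # price or currency does not match our record
        if note["txn_id"] in self.seen_txn:
            return False                               # one cashier transaction credits one order
        self.seen_txn.add(note["txn_id"])
        order.paid = True
        return True


def run_attacks(merchant_cls, **kw):
    """Run the flaw classes named in the abstract; returns which ones succeeded."""
    orders = [Order(oid, Decimal("100.00"), "USD") for oid in ("A", "B", "C")]
    m = merchant_cls(orders, **kw)
    # 1. arbitrarily low price: attacker genuinely pays 0.01 and names order A
    low_price = m.on_payment(notification("t1", "merchant", "0.01", "USD", "A"))
    # 2. shop for free after paying once: real payment for B, same message replayed for C
    genuine = notification("t2", "merchant", "100.00", "USD", "B")
    paid_b = m.on_payment(genuine)
    free_c = m.on_payment(dict(genuine, order_id="C"))  # signed fields intact, sig still valid
    # 3. avoid payment: forge the callback, or pay yourself and forward the real callback
    forged = m.on_payment(notification("t3", "merchant", "100.00", "USD", "A", key=ATTACKER_KEY))
    self_pay = m.on_payment(notification("t4", "attacker", "100.00", "USD", "A"))
    return {"low_price": low_price, "paid_b": paid_b, "free_c": free_c,
            "forged": forged, "self_pay": self_pay}


if __name__ == "__main__":
    print("vulnerable:", run_attacks(VulnerableMerchant))
    print("hardened:  ", run_attacks(HardenedMerchant, payee="merchant"))
```

The hardened handler does not rely on the cashier to protect the merchant's order id; it treats the signature only as proof that the cashier sent the message, and then checks payee, amount, currency, order state and transaction-id uniqueness against the merchant's own database. Each of those checks closes one of the attacks above, and all of them are needed: dropping the `seen_txn` check alone brings back the free-after-one-payment replay.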


Project Outcomes Report

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

With the increasing popularity of third-party services integrated in various hybrid web applications, including conventional browser-based web applications and mobile apps, come new security challenges posed by the complexity in coordinating these individual services and the web client on different platforms. Such complexity often brings in subtle program logic flaws that can be exploited by the knowledgeable adversary. Our prior research shows that leading merchant applications, popular online stores and a prestigious payment service provider can be attacked by the adversary to purchase an item at an arbitrarily low price, shop for free after paying for one item, or even completely avoid payment. These findings point to a disturbing lack of understanding of the logic flaws within the integrations of web services, and an urgent need for significant research efforts on this important problem. 

Intellectual Merit. In this project, we performed a series of in-depth security analyses of service integrations within conventional browser-based web commerce applications and emerging mobile web apps running on various mobile devices. Our studies shed new light on the security challenges in service integrations. On the conventional web platform, our study reveals serious integration flaws within the single-sign-on (SSO) systems provided by PayPal, Facebook, Google and other identity providers, which can be easily exploited by unauthorized parties to log into the victim’s accounts on popular websites. On mobile platforms, our research reveals the pervasiveness of security flaws in the integration of commercial mobile cloud services within apps (essentially hybrid web applications), particularly the push messaging services provided by Google, Amazon and other cloud service providers and device manufacturers. Again, the complexity of such service integrations leads to difficulty in ensuring the security qualities of the applications, causing security controls to fail. Our further research along this line brought to light serious integration issues between mobile web apps and external devices and between apps and mobile operating systems, pointing to a new challenge in securing service integrations: the lack of serious effort in clarifying what needs to be done by different service providers and the app developer to ensure that their individual security controls can be composed into an integrated mechanism that indeed serves the security needs of an application.


The impacts of our security analyses are significant and far-reaching. Our work has been extensively reported by mainstream media (e.g., CNN, MSNBC, Fox News, Forbes, etc.). The seriousness of the security flaws we found has been fully acknowledged by the industry (e.g., PayPal, Google, Amazon, Facebook, etc.), causing them to rethink the designs of hybrid web applications for payment, SSO and various mobile services. Also, our study has inspired follow-up research on analyzing and protecting those applications, which is attracting increasing interest in the security community.

To mitigate those security risks and enhance the security qualities of hybrid web applications, we developed and released a suite of new techniques for different platforms. Specifically, we built an analysis tool for finding security weaknesses in SSO and posted it online, together with a forum to facilitate further research in this direction. We developed a new system, called InteGuard, that automatically identifies the invariants from the traffic generated by a web application’s service integrations (e.g., payment) and protects them against attempts to exploit their weaknesses. We also came up with a series of program analysis tool...
