With the increasing popularity of third-party services integrated in hybrid web applications, come new security challenges posed by the complexity in coordinating these individual services and the web client. Such complexity often brings in program logic flaws that can be exploited to induce inconsistencies among different services' internal states, causing the security control within these applications to fail. A preliminary study of this research investigated the security implications of the problem to online merchants that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout). It revealed stunning logic loopholes within leading merchant applications, popular online stores and a prestigious payment service provider, which can be exploited to purchase an item at an arbitrarily low price, shop for free after paying for one item, or even completely avoid payment. These findings point to a disturbing lack of understanding of the logic flaws within the integrations of web services, and an urgent need for significant research efforts on this important problem.
This project endeavors to gain an in-depth understanding about the scope and the magnitude of the security threat posed by the logic flaws in hybrid web applications and the common design pitfalls that lead to such vulnerability. Based upon this understanding, it will study novel technologies to facilitate detection and patching of these flaws when developing merchant software, security analysis of other parties' applications and black-box testing of merchant websites. New techniques will also be developed to enable web-service providers to better support secure integrations of their services into merchant systems, and to automatically detect the attempts to exploit these logic flaws in web transactions. This research involves industry collaborators and will also contribute to the improvement of security protection in other domains that utilize hybrid web applications.
