Detecting Logic Vulnerabilities in E-commerce Applications

E-commerce has become a thriving business model. With easy access to various tools and third-party cashiers, it is straightforward to create and launch e-commerce web applications. However, it remains difficult to create secure ones. While third-party cashiers help bridge the gap of trustiness between merchants and customers, the involvement of cashiers as a new party complicates logic flows of checkout processes. Even a small loophole in a checkout process may lead to financial loss of merchants, thus logic vulnerabilities pose serious threats to the security of e-commerce applications. Performing manual code reviews is challenging because of the diversity of logic flows and the sophistication of checkout processes. Consequently, it is important to develop automated detection techniques. This paper proposes the first static detection of logic vulnerabilities in e-commerce web applications. The main difficulty of automated detection is the lack of a general and precise notion of correct payment logic. Our key insight is that secure checkout processes share a common invariant: A checkout process is secure when it guarantees the integrity and authenticity of critical payment status (order ID, order total, merchant ID and currency). Our approach combines symbolic execution and taint analysis to detect violations of the invariant by tracking tainted payment status and analyzing critical logic flows among merchants, cashiers and users. We have implemented a symbolic execution framework for PHP. In our evaluation of 22 unique payment modules, our tool detected 12 logic vulnerabilities, 11 of which are new. We have also performed successful proof-ofconcept experiments on live websites to confirm our findings.