Lom: discovering logic flaws within MongoDB-based web applications

Wen, S, Xue, Y, Xu, J, Yuan, L-Y, Song, W-L, Yang, H and Si, G-N (2017) 'Lom: discovering logic flaws within MongoDB-based web applications.' International Journal of Automation and Computing, 14 (1). pp. 106-118. ISSN 1476-8186

9345.pdf - Accepted Version
Repository Terms Apply.

Download (761kB) | Preview
Official URL: http://doi.org/10.1007/s11633-016-1051-x


Logic flaws within web applications will allow malicious operations to be triggered towards back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDBbased web applications. Our approach introduces a MongoDB operation model to support new features of MongoDB and models the application logic as a mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed for identifying logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.

Item Type: Article
Keywords: Logic flaw; web application security; not only structured query language (NoSQL) database; black-box; MongoDB
Divisions: Bath School of Design
Identification Number: https://doi.org/10.1007/s11633-016-1051-x
Date Deposited: 03 Mar 2017 11:53
Last Modified: 05 Jan 2022 16:07
URI / Page ID: https://researchspace.bathspa.ac.uk/id/eprint/9345
Request a change to this item or report an issue Request a change to this item or report an issue
Update item (repository staff only) Update item (repository staff only)