J4 ›› 2016, Vol. 38 ›› Issue (01): 73-77.
• Paper •
ZHANG Yufeng, LOU Fang, ZHANG Li
Abstract:
Web applications have become the principal model for the internet and for enterprise information management. As they have grown in popularity, attackers have exploited their vulnerabilities to launch malicious attacks, making security assessment of web applications a major information security concern. In this paper, we first discuss a formal description of the software attack surface in terms of the business logic of web applications, and then construct an attack graph model. On this basis, we carry out security assessment of web applications. Building on the current general vulnerability detection model, the proposed security assessment model introduces correlation analysis of business logic security. Our proposal overcomes the defects of current testing models in assessing business logic, and achieves fast and comprehensive security assessment of web applications.
Key words: web applications; software attack surface; attack graph; security assessment
ZHANG Yufeng, LOU Fang, ZHANG Li. Security assessment of web applications based on software attack surface [J]. J4, 2016, 38(01): 73-77.
URL: http://joces.nudt.edu.cn/EN/
http://joces.nudt.edu.cn/EN/Y2016/V38/I01/73