Slide 1

ACIDRain: Concurrency-Related Attacks on Database-Backed Web Applications
Todd Warszawski, Peter Bailis (Stanford University)

Slide 2

Explore Real World Transaction Usage
● Do programmers use transactions correctly?
● This paper: 22 new critical vulnerabilities due to incorrect transaction usage
  – Corrupt store inventory, overspend gift cards, steal items
● 50% of eCommerce sites (2M+) at risk

Slides 3-4

Analyzed Popular Sites (plus 9 more!)

Slide 5

Companies Using These Applications

Slide 9

What do these vulnerabilities look like?

Slide 10

LIVE DEMO HERE. Invite Todd to talk at your organization!

Slide 13

“By sending thousands of simultaneous requests, the attacker was able to ‘move’ coins from one user account to another until the sending account was overdrawn, before balances were updated.”

Slide 14

What's Happening?
● Race condition: the application exhibits behavior under concurrent execution that is not possible under any serial execution
● Can we exploit these behaviors?
● Yes! We call this exploitation of non-serializable API behavior an ACIDRain attack

Slide 15

Overview
● Problem setup
● New method for detecting latent potential for non-serializable behavior
● Evaluation: analysis of 12 eCommerce platforms

Slides 16-22

Problem Setup: Attacking Websites
Diagram, built up over seven slides: an HTTP POST request and an HTTP GET request reach the Application Server, which issues SELECT ... UPDATE ... SELECT ... against the Database. One build adds a second Application Server to show that concurrent requests need not even hit the same server. The final build labels the two levels at which serializability is in question:
● Serializability of API Requests (at the application server)
● Serializability of Database Transactions (at the database)

Slide 23

Non-Transactional Implementation

    def checkVoucher(code):
        usage = readUsage(code)
        if usage == 0:
            markUsed(code)

readUsage and markUsed each issue one stand-alone statement, with no transaction around the pair:

    SELECT usage FROM voucher WHERE code = 'HNUHY'
    UPDATE voucher SET usage = 1 WHERE code = 'HNUHY'

Slides 24-35

Non-Transactional Implementation (same code as slide 23), animated for two concurrent checkouts in which Alice and Bob both submit voucher HNUHY.

Schedule 1 (slides 24-29): the two requests happen not to overlap.
    Alice: SELECT usage -> 0
    Alice: UPDATE usage = 1          (database: usage = 1)
    Bob:   SELECT usage -> 1         -> Bob's check fails; the voucher is used once

Schedule 2 (slides 30-35): both reads run before either write.
    Alice: SELECT usage -> 0
    Bob:   SELECT usage -> 0         (database still: usage = 0)
    Alice: UPDATE usage = 1
    Bob:   UPDATE usage = 1          (database: usage = 1)
    -> Both checks passed, so Alice and Bob both receive the discount from a single-use voucher. The stored row looks correct afterwards, which is why the overspend is hard to notice.

Slides 36-47

Transactional Implementation

    def checkVoucher(code):
        beginTxn()
        usage = readUsage(code)
        if usage == 0:
            markUsed(code)
        commit()

    BEGIN TRANSACTION
    SELECT usage FROM voucher WHERE code = 'HNUHY'
    UPDATE voucher SET usage = 1 WHERE code = 'HNUHY'
    COMMIT

The same two-checkout animation, with Alice's and Bob's statements now each wrapped in a transaction:
    Alice: BEGIN
    Bob:   BEGIN
    Alice: SELECT usage -> 0
    Bob:   SELECT usage -> 0
    Alice: UPDATE usage = 1
    Bob:   UPDATE usage = 1
    Alice: COMMIT
    Bob:   COMMIT                    (database: usage = 1)

Will one of the transactions fail? It depends: on the database, and on the isolation level the transactions run at (next slide).
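
The interleavings of slides 24-47, replayed against a real database. This is an added example, not code from the slides, the paper or the ACIDRain repository. It uses SQLite (bundled with Python) with two connections driven step by step from a single thread, so every schedule is deterministic. The voucher table, the usage column and the code HNUHY follow the slides; the file layout, function names and the hardened variant at the end are this example's own assumptions. SQLite serializes writers with a database-wide lock, so it is one possible answer to "it depends": under the transactional schedule the second writer is refused rather than allowed to commit.

```python
"""Voucher double-redemption race from slides 23-47, replayed against SQLite.

Added example; not code from the slides, the paper or the ACIDRain repository.
Two connections are driven step by step from one thread so every interleaving
is deterministic. The voucher table, the usage column and code HNUHY follow the
slides; file layout, function names and the hardened variant are assumptions.
"""
import os
import sqlite3
import tempfile

CODE = "HNUHY"
USERS = ("alice", "bob")

def fresh_db():
    """Temp-file database holding one unused voucher (constructed sample data)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE voucher (code TEXT PRIMARY KEY, usage INTEGER NOT NULL)")
        conn.execute("INSERT INTO voucher (code, usage) VALUES (?, 0)", (CODE,))
    conn.close()
    return path

def connect(path):
    # isolation_level=None: no implicit BEGIN, each statement autocommits unless we
    # issue BEGIN ourselves. timeout=0: a lock conflict raises at once, no waiting.
    return sqlite3.connect(path, isolation_level=None, timeout=0)

def read_usage(conn, code):            # slide 23: readUsage
    return conn.execute("SELECT usage FROM voucher WHERE code = ?", (code,)).fetchall()[0][0]

def mark_used(conn, code):             # slide 23: markUsed
    conn.execute("UPDATE voucher SET usage = 1 WHERE code = ?", (code,))

def final_usage(path):
    conn = connect(path)
    try:
        return read_usage(conn, CODE)
    finally:
        conn.close()

def race_non_transactional(path):
    """Slides 30-35: both SELECTs run before either UPDATE; every statement autocommits."""
    conns = {u: connect(path) for u in USERS}
    try:
        seen = {u: read_usage(conns[u], CODE) for u in USERS}   # alice -> 0, bob -> 0
        redeemed = []
        for u in USERS:
            if seen[u] == 0:                # both pass the check...
                mark_used(conns[u], CODE)   # ...and both write usage = 1
                redeemed.append(u)
        return redeemed                     # ['alice', 'bob']: two discounts, one voucher
    finally:
        for c in conns.values():
            c.close()

def race_transactional(path):
    """Slides 36-47, same interleaving inside BEGIN/COMMIT. SQLite holds a database
    lock for the first writer, so Bob's UPDATE fails with SQLITE_BUSY while Alice's
    transaction is open; Bob rolls back and only Alice commits."""
    conns = {u: connect(path) for u in USERS}
    try:
        for u in USERS:
            conns[u].execute("BEGIN")
        seen = {u: read_usage(conns[u], CODE) for u in USERS}   # alice -> 0, bob -> 0
        updated = []
        for u in USERS:
            try:
                if seen[u] == 0:
                    mark_used(conns[u], CODE)
                updated.append(u)
            except sqlite3.OperationalError:    # "database is locked"
                conns[u].rollback()
        for u in updated:
            conns[u].commit()
        return updated                          # ['alice']
    finally:
        for c in conns.values():
            c.close()

def redeem_atomic(conn, code):
    """Hardened form (this example's addition, not from the slides): fold the check
    into the write so the database decides who wins. One UPDATE is atomic even in
    autocommit mode; the row count tells the request whether it got the voucher."""
    cur = conn.execute("UPDATE voucher SET usage = 1 WHERE code = ? AND usage = 0", (code,))
    return cur.rowcount == 1

def race_atomic(path):
    conns = {u: connect(path) for u in USERS}
    try:
        return [u for u in USERS if redeem_atomic(conns[u], CODE)]   # ['alice']
    finally:
        for c in conns.values():
            c.close()

if __name__ == "__main__":
    for run in (race_non_transactional, race_transactional, race_atomic):
        path = fresh_db()
        print(run.__name__, run(path), "usage =", final_usage(path))
```

The non-transactional run returns both names while the stored usage still ends at 1, which is exactly the silent overspend of slides 30-35. The transactional run only comes out right because SQLite's locking happens to be strict; on a database whose default isolation is weaker (slide 48) the same code can end like the first run. The last variant does not rely on isolation at all: it moves the check into the UPDATE's WHERE clause and trusts the row count, which is the same pattern a SELECT ... FOR UPDATE or a SERIALIZABLE transaction would achieve with more ceremony.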

Slide 48

Many Databases Allow This Anomaly
Table with columns Database | Default Isolation | Maximum Isolation, each cell marked either "prevents anomaly" or "exhibits anomaly" (the check/cross icons did not survive extraction). Databases surveyed:
    Actian Ingres 10.0/10S
    Aerospike
    Akiban Persistit
    Clustrix CLX 4100
    Greenplum 4.1
    IBM DB2 10 for z/OS
    MySQL 5.6
    MemSQL 1b
    MS SQL Server 2012
    NuoDB
    Oracle 11g
    Oracle Berkeley DB
    Oracle Berkeley DB JE
    Postgres 9.2.2
    SAP HANA
    ScaleDB 1.02
    VoltDB

Slide 49

Two Sources of Vulnerabilities
● Databases providing weak isolation may exhibit non-serializable behavior, even for code that uses transactions:

    def checkVoucher(code):
        beginTxn()
        usage = readUsage(code)
        if usage == 0:
            markUsed(code)
        commit()

● Programmers may code transactions incorrectly, or leave them out entirely:

    def checkVoucher(code):
        usage = readUsage(code)
        if usage == 0:
            markUsed(code)

Slide 50

Overview
● Problem setup
● New method for detecting latent potential for non-serializable behavior
● Evaluation: analysis of 12 eCommerce platforms

Slide 51

Analysis Challenges
● Want to analyze web applications written in multiple languages and frameworks
● Anomalies only occur under concurrent execution, but website activity is often serial

Slide 52

Approach: Abstract Anomaly Detection (2AD)
1. Collect (possibly serial) logs from the database
2. Build a compact representation of the history (abstract history graph)
3. Search the abstract history for cycles to generate possible anomalous API calls

Slides 60-69

Abstract History Graph

Starting point: the transactional checkVoucher from slide 36 and the SQL it logs. Two instances of the same API call are considered, since an attacker can issue the call twice.

    def checkVoucher(code):
        beginTxn()
        usage = readUsage(code)
        if usage == 0:
            markUsed(code)
        commit()

    BEGIN TRANSACTION
    SELECT usage FROM voucher WHERE code = 'HNUHY'
    UPDATE voucher SET usage = 1 WHERE code = 'HNUHY'
    COMMIT

    BEGIN TRANSACTION
    SELECT usage FROM voucher WHERE code = 'HNUHY'
    UPDATE voucher SET usage = 1 WHERE code = 'HNUHY'
    COMMIT

Construction, built up over slides 62-69 (legend: operation, transaction, API call, conflict):
1. Add a node for each operation: each SELECT becomes r(voucher), each UPDATE becomes w(voucher)
2. Add a supernode for each transaction
3. Add a super-supernode for each API call
4. Add an edge for each conflict: two operations on the same table, in different transactions, at least one of them a write
5. Search for cycles in the graph

Result: each instance's r(voucher) conflicts with the other instance's w(voucher), and the two w(voucher) conflict with each other, so the graph contains a cycle across the two instances. Slide 69 rearranges the two logs into the interleaving that cycle stands for: both SELECTs first, then both UPDATE/COMMIT pairs.

Slide 70

Completeness Guarantees
● Completeness: if there is a potential anomalous execution, this approach will find it
● Soundness: discussion in the paper
Thm: Given a set of API calls, there exists an anomalous execution of the API calls if and only if there is a cycle in the abstract history.
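
A small, runnable version of the five construction steps from slides 60-69 and the cycle search behind the theorem above. This is an added example, not the ACIDRain authors' code, and a deliberate simplification of the paper's graph: each transaction is a node, API calls group transactions, program-order edges link a call's transactions, and conflict edges (both directions, since either order can occur) link transactions of different call instances that touch the same table with at least one write. Two instances of every API call are analysed, matching the two copies on slide 60. An anomaly is reported when a cycle closes through a program-order edge, which is the "another request slips in between my statements" situation of slides 30-35; the constructed log, the statement regex and the node encoding are this example's assumptions.

```python
"""Simplified Abstract Anomaly Detection (2AD) over a constructed query log.

Added example, not the ACIDRain authors' code, and a simplification of the
paper's graph: transactions are nodes, API calls group them, program-order
edges link a call's transactions, conflict edges (both directions) link
transactions of different call instances that touch the same table with at
least one write. Two instances of each API call are analysed. An anomaly is a
cycle that closes through a program-order edge (assuming the database itself
runs each transaction serializably).
"""
import re
from collections import defaultdict

# Constructed log of (api_call, transaction_id, sql). Statements sharing a
# transaction id ran inside one BEGIN/COMMIT; autocommit statements each get
# their own id. Table and column names follow the slides.
LOG = [
    ("checkVoucher_nontxn", "t1", "SELECT usage FROM voucher WHERE code = 'HNUHY'"),
    ("checkVoucher_nontxn", "t2", "UPDATE voucher SET usage = 1 WHERE code = 'HNUHY'"),
    ("checkVoucher_txn", "t3", "SELECT usage FROM voucher WHERE code = 'HNUHY'"),
    ("checkVoucher_txn", "t3", "UPDATE voucher SET usage = 1 WHERE code = 'HNUHY'"),
]

STMT = re.compile(r"^\s*(SELECT\b.*?\bFROM|UPDATE|INSERT\s+INTO|DELETE\s+FROM)\s+(\w+)",
                  re.IGNORECASE | re.DOTALL)

def abstract_op(sql):
    """Slide 62, step 1: reduce a statement to ('r', table) or ('w', table)."""
    m = STMT.match(sql)
    if m is None:
        raise ValueError("unsupported statement: " + sql)
    kind = "r" if m.group(1).upper().startswith("SELECT") else "w"
    return kind, m.group(2).lower()

def build_api_calls(log):
    """Steps 2-3: group operations into transactions and transactions into API calls,
    keeping program order. Returns {api: [[ops of txn 0], [ops of txn 1], ...]}."""
    calls = defaultdict(list)
    index = {}
    for api, txn, sql in log:
        if (api, txn) not in index:
            index[(api, txn)] = len(calls[api])
            calls[api].append([])
        calls[api][index[(api, txn)]].append(abstract_op(sql))
    return dict(calls)

def conflicts(ops_a, ops_b):
    """Two transactions conflict if they touch the same table and one of them writes."""
    return any(ta == tb and "w" in (ka, kb) for ka, ta in ops_a for kb, tb in ops_b)

def build_graph(calls, copies=2):
    """Step 4: nodes are (api, instance, txn_index); edges are program order and conflicts."""
    nodes = {(api, inst, k): ops
             for api, txns in calls.items()
             for inst in range(copies)
             for k, ops in enumerate(txns)}
    po, conf = defaultdict(set), defaultdict(set)
    for api, inst, k in nodes:
        if (api, inst, k + 1) in nodes:
            po[(api, inst, k)].add((api, inst, k + 1))
    for u in nodes:
        for v in nodes:
            if u[:2] != v[:2] and conflicts(nodes[u], nodes[v]):
                conf[u].add(v)
    return po, conf

def reaches(src, dst, po, conf):
    """Depth-first search over both edge kinds."""
    stack, seen = [src], set()
    while stack:
        n = stack.pop()
        if n == dst:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(po.get(n, ()))
            stack.extend(conf.get(n, ()))
    return False

def find_anomalies(calls):
    """Step 5: report API calls owning a program-order edge u->v with a path from v back
    to u. Such a cycle means another instance's transaction can run between u and v, so
    a non-serializable execution of that API call exists."""
    po, conf = build_graph(calls)
    flagged = {u[0] for u, vs in po.items() for v in vs if reaches(v, u, po, conf)}
    return sorted(flagged)

if __name__ == "__main__":
    print(find_anomalies(build_api_calls(LOG)))   # ['checkVoucher_nontxn']
```

Run on the constructed log, the non-transactional checkVoucher is flagged (its read and write sit in separate transactions, so a second instance's write can land between them) while the transactional one is not, which mirrors slides 24-47. Because the check is purely structural it works on a log captured from serial traffic, which is the point of step 1 on slide 52; it also inherits the limitation on the next slide, since an application-level lock never appears in the query log.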

Slides 71-72

Limitations
● Does not take into account user-level (i.e., "feral" [Bailis et al. 2015]) concurrency control. The analysis sees only the database statements, so the transactional version

    def checkVoucher(code):
        beginTxn()
        usage = readUsage(code)
        if usage == 0:
            markUsed(code)
        commit()

  and a version that serializes the same statements with an application-level lock

    def checkVoucher(code):
        appLock.lock()
        usage = readUsage(code)
        if usage == 0:
            markUsed(code)
        appLock.release()

  are not distinguished by what reaches the database.

Slide 73

Overview
● Problem setup
● New method for detecting latent potential for non-serializable behavior
● Evaluation: analysis of 12 eCommerce platforms

Slides 74-75

Ecommerce Platforms
Interested in 3 key invariants:
1. Inventory
2. Voucher
3. Cart

Slides 76-78

Inventory Invariant: stock should not go below 0 and should reflect all orders placed

Slides 79-81

Voucher Invariant: vouchers should not be spent past their intended limit

Slides 82-84

Cart Invariant: the total charged for an order should equal the value of the items associated with the order

Slides 85-89

Analysis Results

    Application     Language          Inventory  Voucher  Cart
    Opencart        PHP               ✗          ✗        ✔
    Prestashop      PHP               ✗          ✗        ✔
    Magento         PHP               ✗          ✗        ✔
    WooCommerce     PHP               ✗          ✗        ✔
    Spree           Ruby on Rails     ✔          ✔        ✔
    Ror_ecommerce   Ruby on Rails     ✗          N/A      ✗
    Shoppe          Ruby on Rails     ✗          N/A      ✗
    Oscar           Python (Django)   ✗          ✗        ✔
    LFS             Python (Django)   ✗          ✗        ✗
    Saleor          Python (Django)   ✗          ✗        N/A
    Broadleaf       Java (Spring)     N/A        ✗        ✗
    Shopizer        Java (Spring)     N/A        N/A      ✗

✗ = vulnerable, ✔ = not vulnerable
● 22 new vulnerabilities!
● 2M+ sites at risk
● 4 different languages
● 5 errors due to DB default isolation
● 17 errors due to improper transaction usage

Slides 90-99

Developer Response: 8 confirmed (the remaining builds carry no extracted text)

Slide 100

Related Work
● [Bailis et al. 2015] Study user-level (feral) invariants in Ruby on Rails applications
● [Jorwekar et al. 2007] Provide analysis methods for detecting potential anomalies in transaction programs under Snapshot Isolation
● [Fekete et al. 2009] Quantify Read Committed and Snapshot Isolation anomalies
● Our focus is on any non-serializable behavior in API-based web applications as observed in practice

Slides 101-102

Conclusions
● Many popular eCommerce applications do not use transactions correctly
● 2AD: a new, cross-language analysis tool to check for potential anomalies
● Using 2AD, we find 22 new vulnerabilities due to incorrect transaction usage affecting up to 2M+ eCommerce sites

Thanks! [email protected]
https://github.com/stanford-futuredata/acidrain