Assessing of Web Application Resiliency against Flooding DoS Attacks in the Business Layer

Article Type:
Research/Original Article (accredited ranking)
Abstract:

According to an Imperva report, application-layer DoS attacks account for about 60 percent of all DoS attacks. Today, attacks have moved to the business layer. Web application vulnerability scanners cannot detect business logic vulnerabilities (vulnerabilities related to the application's logic). This paper presents BLDAST, a dynamic, black-box vulnerability analysis approach that identifies business logic vulnerabilities of a web application to flooding DoS attacks. BLDAST assesses web application resiliency against flooding DoS attacks in the business layer. BLDAST first extracts the business logic processes of a web application. Business logic processes with high overload are then selected and, finally, BLDAST runs business-layer DoS test scenarios based on the selected processes. The evaluation, conducted on four well-known open source web applications, shows that BLDAST is able to detect business logic vulnerabilities. In addition, we show that an attacker in business logic attacks can exhaust the target by consuming only one percent of the attacker's own resources in comparison to attacks on other layers. Therefore, business logic attacks are very dangerous, and BLDAST is able to identify web applications that are vulnerable to these attacks.

Language:
Persian
Published:
Journal of Electrical Engineering, Volume:49 Issue: 4, 2020
Pages:
1757 to 1767
magiran.com/p2125366  