Identification of web security threats to online business models
Online business models have become increasingly popular in recent years, providing new opportunities for entrepreneurs and established companies alike.
However, along with these opportunities come new risks, particularly in the realm of web security.
While traditional threats typically target the backend systems that provide web services, attackers nowadays can also target the business model itself to cause financial damage.
These threats are becoming harder to discover because the web ecosystem is large and complex and involves multiple parties.
In this dissertation, we present proposals to identify web security threats to online business models.
Specifically, we first introduce a novel ad budget draining attack, AdBudgetKiller, to demonstrate a possible attack scenario on real-world cases and to derive prevention methods.
AdBudgetKiller automatically infers an advertiser's targeting strategy, then fabricates browsing profiles that trigger deliveries of advertisements from the targeted advertiser, draining its budget.
We also present a testing-based approach to automatically identify client-side business flow tampering vulnerabilities.
In particular, our method systematically analyzes websites, collecting dynamic execution data to gather candidate tampering locations.
We then test the websites with tampering proposals at those locations to identify business flow tampering vulnerabilities.
Further, we present an enhanced method for detecting business flow tampering vulnerabilities in digital content services.
We perform differential analysis on collected execution traces to determine where the business flows begin to diverge, then test whether the divergence points can be tampered with.
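The following JavaScript is an added illustration of the two trace-based approaches described above (collecting dynamic execution data and then testing tampering proposals, and differential analysis of traces to find divergence points); it is not the dissertation's tooling. It builds a constructed client-side page with a premium and a free flow, instruments it to collect call traces, finds the first point where the two traces diverge, overrides the branch-point function so that it returns the value observed in the premium session, and checks whether the free session then reaches the premium outcome. The page logic, the users, both back ends and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the dissertation: differential analysis of
// client-side execution traces to find where a paid and a free business flow
// diverge, then a tampering test at the divergence point. The page logic,
// users and servers below are constructed for illustration.

// Wrap every method of `app` so each call records its name in `trace` and its
// return value in `returns`; inner this.*() calls go through the wrapper too.
function instrument(app, trace, returns) {
  const wrapped = {};
  for (const name of Object.keys(app)) {
    wrapped[name] = function (...args) {
      trace.push(name);
      const ret = app[name].apply(wrapped, args);
      returns[name] = ret;
      return ret;
    };
  }
  return wrapped;
}

// A toy digital-content page: the entitlement decision lives in the client.
function makeApp(server) {
  return {
    run(user) {
      this.loadUser(user);
      if (this.checkSubscription(user)) return this.loadContent(user);
      return this.showPaywall();
    },
    loadUser(user) { return user; },
    checkSubscription(user) { return user.plan === "premium"; },
    loadContent(user) { return server.fetchContent(user); },
    showPaywall() { return "paywall"; },
  };
}

// Constructed back ends. The weak one trusts the client flow; the hardened one
// decides from its own account record and ignores the plan the client claims.
const ACCOUNTS = { alice: "premium", bob: "free" };
const weakServer = { fetchContent: () => "video-stream" };
const hardenedServer = {
  fetchContent: (user) => (ACCOUNTS[user.id] === "premium" ? "video-stream" : "403 forbidden"),
};

// Dynamic execution data collection: one session gives one call trace.
function collectTrace(app, user) {
  const trace = [], returns = {};
  const result = instrument(app, trace, returns).run(user);
  return { trace, returns, result };
}

// Differential analysis: first index at which the traces differ; the call just
// before it is the branch point where the business flow split.
function findDivergence(traceA, traceB) {
  const n = Math.min(traceA.length, traceB.length);
  let i = 0;
  while (i < n && traceA[i] === traceB[i]) i++;
  if (i === traceA.length && i === traceB.length) return null; // identical flows
  return { index: i, branchPoint: i > 0 ? traceA[i - 1] : null };
}

// Tampering proposal: make the branch-point function return what it returned
// in the privileged (premium) session, then replay the free session.
function testTampering(app, freeUser, premiumRun, branchPoint) {
  const tampered = { ...app, [branchPoint]: () => premiumRun.returns[branchPoint] };
  const replay = collectTrace(tampered, freeUser);
  return {
    flowMatchesPremium: replay.trace.join(",") === premiumRun.trace.join(","),
    contentExposed: replay.result === premiumRun.result,
  };
}

function analyze(server) {
  const app = makeApp(server);
  const premiumRun = collectTrace(app, { id: "alice", plan: "premium" });
  const freeRun = collectTrace(app, { id: "bob", plan: "free" });
  const div = findDivergence(premiumRun.trace, freeRun.trace);
  if (!div) return { branchPoint: null, flowMatchesPremium: false, contentExposed: false };
  const outcome = testTampering(app, { id: "bob", plan: "free" }, premiumRun, div.branchPoint);
  return { branchPoint: div.branchPoint, ...outcome };
}

console.log(analyze(weakServer));     // client-only check: tampering exposes the content
console.log(analyze(hardenedServer)); // flow still tamperable, but the server refuses
```

The hardened back end is the caveat a practitioner wants: the client flow diverges at checkSubscription in both cases and can be forced down the premium path in both, but only the weak server actually hands over the content. A tamperable client-side branch is therefore evidence of a candidate location; whether it is a business flow tampering vulnerability is decided by comparing the outcome of the tampered session with the privileged one, not by trace shape alone.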