<p>Online business models have become increasingly popular in recent years, providing new opportunities for entrepreneurs and established companies alike.</p>
<p>However, along with these opportunities come new risks, particularly in the realm of web security.</p>
<p>While traditional threats typically affect the backend systems that provide web services, attackers can now also target the business model itself to cause financial damage.</p>
<p>These threats are becoming more difficult to discover because of the large-scale, complex web ecosystem, which involves multiple parties.</p>
<p><br></p>
<p>In this dissertation, we present proposals to identify web security threats to online business models.</p>
<p>Specifically, we first introduce a novel ad budget draining attack, AdBudgetKiller, to demonstrate a possible attack scenario with real-world cases and to develop prevention methods.</p>
<p>AdBudgetKiller automatically discloses an advertiser's targeting strategy, then fabricates browsing profiles to dispatch advertisements from the targeted advertiser.</p>
<p><br></p>
<p>We also present a testing-based approach to automatically identify client-side business flow tampering vulnerabilities.</p>
<p>In particular, our method systematically analyzes websites to gather potential tampering locations by using dynamic execution data collection.</p>
<p>We then test the websites with tampering proposals to identify any business flow tampering vulnerabilities.</p>
<p>Further, we present an enhanced detection method for digital content services that detects business flow tampering vulnerabilities.</p>
<p>We perform differential analysis on collected execution traces to determine how the business flow begins to differ. Then we test if the divergence points can be tampered with.</p>