Evaluating the web‐application resiliency to business‐layer DoS attacks
ETRI Journal ( IF 1.3 ) Pub Date : 2019-12-15 , DOI: 10.4218/etrij.2019-0164
Mitra Alidoosti, Alireza Nowroozi, Ahmad Nickabadi
Denial-of-service (DoS) attacks are a serious threat to web applications. According to Imperva, application-layer DoS attacks make up 60% of all DoS attacks. Attacks have moved up the stack to the application and business layers, and existing vulnerability-analysis tools are unable to detect business-layer (logic-related) vulnerabilities. This paper presents the business-layer dynamic application security tester (BLDAST), a dynamic, black-box vulnerability-analysis approach for identifying business-logic vulnerabilities of a web application to DoS attacks. BLDAST evaluates the resiliency of a web application by detecting its vulnerable business processes. An evaluation on six widely used web applications shows that BLDAST detects these vulnerabilities with 100% accuracy. BLDAST detected 30 vulnerabilities in the selected web applications, more than half of which were previously unknown. Furthermore, BLDAST's precision in detecting business processes is 94%, and the generated user navigation graph is reduced by 62.8% through the detection of similar web pages.
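The abstract describes two building blocks of a black-box tester like BLDAST: a user navigation graph that is kept small by merging similar web pages, and the business processes (sequences of pages ending in a state-changing action) that are read off that graph. The Python below is an added illustration of that idea written for this page; it is not code from the paper or from BLDAST. The crawl data is constructed, and the page-structure signature format, the "same URL template and same signature" merge rule, and the "path ends at a form" definition of a business process are all assumptions of the example, not the paper's method.

```python
"""Added example (not the paper's own BLDAST code): build a user navigation
graph from a black-box crawl, merge pages that are structurally similar
(same URL template and same page-structure signature) so the graph stays
small, then enumerate candidate business processes as simple paths from the
entry page to pages that submit a form.  The crawl data is constructed for
this example; the signature format and the merge rule are assumptions."""
import re
from collections import defaultdict

# Constructed crawl result: URL -> (page-structure signature, outgoing links).
# The signature stands in for whatever a real crawler would extract from the
# DOM (e.g. the sequence of element types); equal signatures mean "same kind
# of page".  Three product pages and two search pages are deliberately similar.
CRAWL = {
    "/":            ("nav,hero,list",            ["/product/1", "/product/2", "/product/3", "/cart"]),
    "/product/1":   ("nav,img,form[add]",        ["/cart", "/product/2"]),
    "/product/2":   ("nav,img,form[add]",        ["/cart", "/product/3"]),
    "/product/3":   ("nav,img,form[add]",        ["/cart", "/product/1"]),
    "/cart":        ("nav,table,form[checkout]", ["/checkout", "/"]),
    "/checkout":    ("nav,form[pay]",            ["/order/1001"]),
    "/order/1001":  ("nav,receipt",              ["/"]),
    "/search?q=a":  ("nav,list",                 ["/product/1"]),
    "/search?q=b":  ("nav,list",                 ["/product/2"]),
}

ENTRY = "/"


def url_template(url: str) -> str:
    """Drop the query string and replace numeric path segments with {id}."""
    path = url.partition("?")[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def page_key(url: str, signature: str) -> tuple:
    """Pages with the same template and signature are treated as one node."""
    return (url_template(url), signature)


def build_graph(crawl: dict):
    """Return (node key for each crawled URL, adjacency of the collapsed graph)."""
    key_of = {url: page_key(url, sig) for url, (sig, _) in crawl.items()}
    graph = defaultdict(set)
    for url, (_, links) in crawl.items():
        graph[key_of[url]]                  # make sure isolated nodes still appear
        for link in links:
            if link in key_of:              # ignore links the crawl never fetched
                graph[key_of[url]].add(key_of[link])
    return key_of, dict(graph)


def reduction_percent(crawl: dict) -> float:
    """How much smaller the collapsed graph is than one node per crawled URL."""
    key_of, _ = build_graph(crawl)
    return round(100.0 * (1 - len(set(key_of.values())) / len(key_of)), 1)


def business_processes(crawl: dict, entry: str = ENTRY):
    """Simple paths (no repeated node) from the entry page to any form page.

    Every prefix ending at a form page is reported, so /cart -> /checkout is
    found both on its own and as part of the longer product -> cart -> pay flow.
    """
    key_of, graph = build_graph(crawl)
    start = key_of[entry]
    found = []

    def walk(node, path):
        if "form[" in node[1]:              # page submits a form: candidate process
            found.append([n[0] for n in path])
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:             # keep paths simple; skips self-loops too
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


if __name__ == "__main__":
    key_of, graph = build_graph(CRAWL)
    print(f"{len(CRAWL)} crawled pages -> {len(graph)} graph nodes "
          f"({reduction_percent(CRAWL)}% reduction)")
    for proc in business_processes(CRAWL):
        print(" -> ".join(proc))
```

On the constructed crawl the nine fetched pages collapse to six nodes (33.3% reduction) and five candidate processes are enumerated, the longest being `/ -> /product/{id} -> /cart -> /checkout`. A tester would then exercise each process end to end and measure server-side cost per request to decide whether the process is a business-layer DoS risk; that measurement step is outside this example.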

Updated: 2019-12-15