Logic vulnerabilities are due to defects in the application logic implementation such that the application logic is not the logic that was expected. Indeed, such vulnerabilities pattern depends on the design and business logic of the application. There are no specific and common patterns for application logic vulnerabilities in commercial applications. In this study, a method named FINAD is introduced to detect application logic vulnerabilities using an activity flow graph (AFG) to find the incompatibilities of an implemented application with its design. In this work, the AFG, consisting of the activity diagram (AD) and control flow graph (CFG), is presented for the first time. Investigation of different common types of application logic vulnerabilities indicated that the majority of such vulnerabilities could be detected through conducting a static analysis on an AFG. The FINAD method is independent of the language and can be used for vulnerability detection for any programming language, provided that the AD is available, and the CFG of the program can be created. Implementation of FINAD for PHP language showed its effectiveness in detecting known logic vulnerabilities in CVE vulnerability database.

中文翻译：

---

通过查找应用程序设计与实现之间的不兼容性来检测应用程序逻辑漏洞

逻辑漏洞是由于应用程序逻辑实现中的缺陷导致的，因此应用程序逻辑不是预期的逻辑。确实，这种漏洞模式取决于应用程序的设计和业务逻辑。商业应用程序中没有针对应用程序逻辑漏洞的特定且通用的模式。在这项研究中，引入了一种名为FINAD的方法，该方法使用活动流图（AFG）来检测应用程序逻辑漏洞，以发现已实现的应用程序与其设计之间的不兼容性。在这项工作中，AFG首次由活动图（AD）和控制流程图（CFG）组成。对不同常见类型的应用程序逻辑漏洞的研究表明，可以通过对AFG进行静态分析来检测到大多数此类漏洞。FINAD方法独立于语言，并且可以用于任何编程语言的漏洞检测，前提是AD可用，并且可以创建程序的CFG。FINAD for PHP语言的实现显示了其在CVE漏洞数据库中检测已知逻辑漏洞的有效性。