Protecting Third-Party Web Service Integrations with Service Automata

Nowadays, web applications often integrate third-party web services, such
as single-sign-on services from Facebook or Google, and checkout services
from PayPal or Amazon. Recent studies have shown real-world exploitations
of logic vulnerabilities within these critical three-party communications and
the first centralized prototypes have been shown to prevent these types of
attacks. The Service Automata Framework, a decentralized and dynamic
security policy enforcement mechanism, is instantiated both formally and
practically in order to take the latest countermeasures a step further onto
distributed web applications. Moreover, we present an empirical evaluation
on the effectiveness and the efficiency of various configurations of this approach
and show that our instantiation of the Service Automata Framework
protects the security of real world third-party web service integrations in
absence of its source code.