|dc.description.abstract||Advances in information technologies have allowed businesses to deliver their services to new markets that did not exist before, especially in fields such as e-commerce, healthcare, e-education, and cloud services. Web technologies, in particular, have revolutionized the way solutions are built and deployed by enabling the development of platform-independent systems. However, as web applications grow in terms of features and popularity, their complexity also increases accordingly. Aspects of such complexity include role management and decision-making processes, which are formally defined through business rules. More importantly, maintaining the business rules along with code changes is a key factor here, as they formalize how the system should behave. Neglecting or failing to maintain them over time increases the chance of faulty application logic, as the system implementation continues to diverge from its specifications. This degrades the confidence in these business rules and opens the door for potential Business Logic Vulnerabilities (BLVs). BLVs are considered among the most critical web flaws. Traditional scanning techniques fail to detect them, as their detection requires a deep understanding of business processes.
The absence of formal specifications defining the expected system behavior represents a significant challenge for detecting BLVs. In this research, we propose a novel black-box approach for discovering business rules in e-commerce web applications through process mining. Our proposed solution is capable of recovering system specifications while the application is under normal usage, addressing the major difficulty in detecting BLVs. This provides a better understanding of the business logic and helps evaluate whether the rules are maintained during the application's execution.
This research presents a novel framework for capturing and converting HTTP traffic into high-fidelity event logs that comply with the IEEE 1849-2016 XES standard. The proposed solution allows users and developers to build on and apply many process mining techniques. Moreover, using the new framework, we introduce advanced black-box automated approaches for discovering authorization and if-then business rules from the web application's dynamic artifact (HTTP traffic) only. The results of our evaluation indicate high precision in recovering business rules based on observed behavior.||en_US
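The pipeline the abstract describes, as an added example that is not the thesis's own framework: constructed HTTP request records are grouped per session into XES traces (one event per request), the observed role set per endpoint is recovered as a candidate authorization rule, and that rule is compared with the expected specification. The record fields, the role attribute, the expected-spec dictionary and the exact `xes.version` string are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of captured HTTP traffic (one record per request).
# The field names are an assumption about what a capture would provide.
TRAFFIC = [
    {"session": "s1", "role": "customer", "ts": "2023-01-01T10:00:00", "method": "GET", "path": "/cart"},
    {"session": "s1", "role": "customer", "ts": "2023-01-01T10:00:05", "method": "POST", "path": "/checkout"},
    {"session": "s2", "role": "admin", "ts": "2023-01-01T11:00:00", "method": "GET", "path": "/admin/orders"},
    {"session": "s2", "role": "admin", "ts": "2023-01-01T11:00:09", "method": "GET", "path": "/cart"},
    {"session": "s3", "role": "customer", "ts": "2023-01-01T12:00:00", "method": "GET", "path": "/admin/orders"},
]

XES_NS = "http://www.xes-standard.org/"

def traffic_to_xes(records):
    """Build an in-memory XES log: one trace per session, one event per request."""
    # Version string assumed to match the IEEE 1849-2016 schema.
    log = ET.Element("log", {"xes.version": "1849-2016", "xmlns": XES_NS})
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)
    for sid, reqs in by_session.items():
        trace = ET.SubElement(log, "trace")
        ET.SubElement(trace, "string", key="concept:name", value=sid)
        ET.SubElement(trace, "string", key="org:role", value=reqs[0]["role"])
        for r in sorted(reqs, key=lambda r: r["ts"]):
            ev = ET.SubElement(trace, "event")
            # Activity name = "<METHOD> <path>", the unit process mining reasons about.
            ET.SubElement(ev, "string", key="concept:name", value=f'{r["method"]} {r["path"]}')
            ET.SubElement(ev, "date", key="time:timestamp", value=r["ts"])
    return log

def discover_authorization_rules(log):
    """Candidate authorization rule per activity: the sorted set of roles seen using it."""
    rules = defaultdict(set)
    for trace in log.findall("trace"):
        role = trace.find("string[@key='org:role']").get("value")
        for ev in trace.findall("event"):
            rules[ev.find("string[@key='concept:name']").get("value")].add(role)
    return {act: sorted(roles) for act, roles in rules.items()}

def violations(rules, expected):
    """Roles observed on an activity that the expected specification does not allow."""
    return {act: sorted(set(rules.get(act, [])) - allowed)
            for act, allowed in expected.items()
            if set(rules.get(act, [])) - allowed}
```

`ET.tostring(traffic_to_xes(TRAFFIC), encoding="unicode")` serializes the log for a standard process mining tool; the recovered rule for `GET /admin/orders` exposes the customer session that reached an admin-only endpoint.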