Abstract
AbstractThe importance of automated and reproducible security testing of web applications is growing, driven by increasing security requirements, short software development cycles, and constraints with respect to time and budget. Existing automated security testing tools are already well suited to detect some types of vulnerabilities, e.g., SQL injection or cross-site scripting vulnerabilities. However, other vulnerability types are much harder to uncover in an automated way. One important representative of this type are access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect HTTP GET request-based access control vulnerabilities in web applications is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort, which in turn enables frequent and reproducible testing. An evaluation with seven web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives low.
Funder
Innosuisse - Schweizerische Agentur für Innovationsförderung
ZHAW Zurich University of Applied Sciences
Publisher
Springer Science and Business Media LLC
Reference32 articles.
1. Kushnir M, Favre O, Rennhard M, Esposito D, Zahnd V. Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications. In: Proceedings of the 7th International Conference on Information Systems Security and Privacy—ICISSP, Online, 2021; pp 204–216.
2. WhiteHat Security: 2019 application security statistics report 2019. https://info.whitehatsec.com/Content-2019-StatsReport_LP.html. Accessed 18 Sep 2021.
3. Chen S. SECTOOL Market. 2016.http://www.sectoolmarket.com. Accessed 18 Sep 2021.
4. Rennhard M, Esposito D, Ruf L, Wagner A. Improving the effectiveness of web application vulnerability scanning. Int J Adv Internet Technol. 2019;12(1/2):12–27.
5. OWASP. OWASP Top 10 2021. 2021. https://owasp.org/Top10/. Accessed 18 Sep 2021.
Cited by
4 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. An Investigation of Broken Access Control Types, Vulnerabilities, Protection, and Security;Signals and Communication Technology;2024
2. Security Testing for Web Applications: A Systematic Literature Review;2023 11th International Conference in Software Engineering Research and Innovation (CONISOFT);2023-11-06
3. Intelligent Information Technology for Identification of Remaining Defects in Software Products;2023 IEEE 12th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS);2023-09-07
4. Empirical analysis of security-related code reviews in npm packages;Journal of Systems and Software;2023-09