Please use this identifier to cite or link to this item:
Publication type: Conference paper
Type of review: Peer review (publication)
Title: Automated black box detection of HTTP GET request-based access control vulnerabilities in web applications
Authors: Kushnir, Malte
Favre, Olivier
Rennhard, Marc
Esposito, Damiano
Zahnd, Valentin
et. al: No
DOI: 10.5220/0010300102040216
Proceedings: Proceedings of the 7th International Conference on Information Systems Security and Privacy
Page(s): 204
Pages to: 216
Conference details: ICISSP 2021, online, 11-13 February 2021
Issue Date: 2021
Publisher / Ed. Institution: SciTePress
ISBN: 978-989-758-491-6
Language: English
Subjects: Automated web application security testing; Access control security testing; Black box security testing
Subject (DDC): 005: Computer programming, programs and data
Abstract: Automated and reproducible security testing of web applications is getting more and more important, driven by short software development cycles and constraints with respect to time and budget. Some types of vulnerabilities can already be detected reasonably well by automated security scanners, e.g., SQL injection or cross-site scripting vulnerabilities. However, other types of vulnerabilities are much harder to uncover in an automated way. This includes access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect access control vulnerabilities in the context of HTTP GET requests is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort that enables frequent and reproducible testing. An evaluation using four web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives relatively low.
Fulltext version: Published version
License (according to publishing contract): CC BY-NC-ND 4.0: Attribution - Non commercial - No derivatives 4.0 International
Departement: School of Engineering
Organisational Unit: Institute of Applied Information Technology (InIT)
Published as part of the ZHAW project: scanmeter Next Generation
Appears in collections:Publikationen School of Engineering

Files in This Item:
File Description SizeFormat 
2021_Kushnir_etal_Automated-black-box-detection_ICISSP.pdf292.85 kBAdobe PDFThumbnail

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.