Please use this identifier to cite or link to this item:
https://doi.org/10.21256/zhaw-25347
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Rennhard, Marc | - |
dc.contributor.author | Kushnir, Malte | - |
dc.contributor.author | Favre, Olivier | - |
dc.contributor.author | Esposito, Damiano | - |
dc.contributor.author | Zahnd, Valentin | - |
dc.date.accessioned | 2022-07-27T08:28:30Z | - |
dc.date.available | 2022-07-27T08:28:30Z | - |
dc.date.issued | 2022 | - |
dc.identifier.issn | 2661-8907 | de_CH |
dc.identifier.uri | https://digitalcollection.zhaw.ch/handle/11475/25347 | - |
dc.description.abstract | The importance of automated and reproducible security testing of web applications is growing, driven by increasing security requirements, short software development cycles, and constraints with respect to time and budget. Existing automated security testing tools are already well suited to detect some types of vulnerabilities, e.g., SQL injection or cross-site scripting vulnerabilities. However, other vulnerability types are much harder to uncover in an automated way. One important representative of this type are access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect HTTP GET request-based access control vulnerabilities in web applications is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort, which in turn enables frequent and reproducible testing. An evaluation with seven web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives low. | de_CH |
dc.language.iso | en | de_CH |
dc.publisher | Springer | de_CH |
dc.relation.ispartof | SN Computer Science | de_CH |
dc.rights | http://creativecommons.org/licenses/by/4.0/ | de_CH |
dc.subject | Automated testing | de_CH |
dc.subject | Web application security testing | de_CH |
dc.subject | Access control testing | de_CH |
dc.subject | Black box security testing | de_CH |
dc.subject | Dynamic web application security testing | de_CH |
dc.subject.ddc | 005: Computerprogrammierung, Programme und Daten | de_CH |
dc.title | Automating the detection of access control vulnerabilities in web applications | de_CH |
dc.type | Beitrag in wissenschaftlicher Zeitschrift | de_CH |
dcterms.type | Text | de_CH |
zhaw.departement | School of Engineering | de_CH |
zhaw.organisationalunit | Institut für Informatik (InIT) | de_CH |
dc.identifier.doi | 10.1007/s42979-022-01271-1 | de_CH |
dc.identifier.doi | 10.21256/zhaw-25347 | - |
zhaw.funding.eu | No | de_CH |
zhaw.issue | 5 | de_CH |
zhaw.originated.zhaw | Yes | de_CH |
zhaw.pages.start | 376 | de_CH |
zhaw.publication.status | publishedVersion | de_CH |
zhaw.volume | 3 | de_CH |
zhaw.publication.review | Peer review (Publikation) | de_CH |
zhaw.webfeed | Information Security | de_CH |
zhaw.funding.zhaw | FASTscan: Fully Automated Security Testing with scanmeter | de_CH |
zhaw.author.additional | No | de_CH |
zhaw.display.portrait | Yes | de_CH |
Appears in collections: | Publikationen School of Engineering |
Files in This Item:
File | Description | Size | Format | |
---|---|---|---|---|
2022_Rennhard-etal_Automating-detection-access-control-vulnerabilities.pdf | 1.46 MB | Adobe PDF | View/Open |
Show simple item record
Rennhard, M., Kushnir, M., Favre, O., Esposito, D., & Zahnd, V. (2022). Automating the detection of access control vulnerabilities in web applications. SN Computer Science, 3(5), 376. https://doi.org/10.1007/s42979-022-01271-1
Rennhard, M. et al. (2022) ‘Automating the detection of access control vulnerabilities in web applications’, SN Computer Science, 3(5), p. 376. Available at: https://doi.org/10.1007/s42979-022-01271-1.
M. Rennhard, M. Kushnir, O. Favre, D. Esposito, and V. Zahnd, “Automating the detection of access control vulnerabilities in web applications,” SN Computer Science, vol. 3, no. 5, p. 376, 2022, doi: 10.1007/s42979-022-01271-1.
RENNHARD, Marc, Malte KUSHNIR, Olivier FAVRE, Damiano ESPOSITO und Valentin ZAHND, 2022. Automating the detection of access control vulnerabilities in web applications. SN Computer Science. 2022. Bd. 3, Nr. 5, S. 376. DOI 10.1007/s42979-022-01271-1
Rennhard, Marc, Malte Kushnir, Olivier Favre, Damiano Esposito, and Valentin Zahnd. 2022. “Automating the Detection of Access Control Vulnerabilities in Web Applications.” SN Computer Science 3 (5): 376. https://doi.org/10.1007/s42979-022-01271-1.
Rennhard, Marc, et al. “Automating the Detection of Access Control Vulnerabilities in Web Applications.” SN Computer Science, vol. 3, no. 5, 2022, p. 376, https://doi.org/10.1007/s42979-022-01271-1.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.