IDOT: Black-Box Detection of Access Control Violations in Web Applications

M. A. Hadavi, Arash Bagherdaei, Simin Ghasemi
{"title":"IDOT: Black-Box Detection of Access Control Violations in Web Applications","authors":"M. A. Hadavi, Arash Bagherdaei, Simin Ghasemi","doi":"10.22042/isecure.2021.254089.580","DOIUrl":null,"url":null,"abstract":"Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among top-ranked vulnerabilities, which violates access control policies and cannot be yet detected by automated vulnerability scanners. While such tools may detect the absence of access control by static or dynamic testing, they cannot verify if it is properly functioning when it is present. When a tool detects requesting access to an object, it is not aware of access control policies to infer whether the request is permitted. This completely depends on the access control logic and there is no automatic way to fully and precisely capture it from software behavior. Taking this challenge into consideration, this article proposes a black-box method to detect IDOR vulnerabilities in web applications without knowing access control logic. To this purpose, we first, gather information from the web application by a semi-automatic crawling process. Then, we tricksily manipulate legal requests to create effective attacks on the web application. Finally, we analyze received responses to check whether the requests are vulnerable to IDOR. The detection process in the analysis phase is supported by our set theory based formal modeling of such vulnerabilities. The proposed method has been implemented as an IDOR detection tool (IDOT) and evaluated on a couple of vulnerable web applications. Evaluation results show that the method can effectively detect IDOR vulnerabilities provided that enough information is gathered in the crawling phase.","PeriodicalId":436674,"journal":{"name":"ISC Int. J. Inf. Secur.","volume":"16 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ISC Int. J. Inf. Secur.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.22042/isecure.2021.254089.580","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among top-ranked vulnerabilities, which violates access control policies and cannot be yet detected by automated vulnerability scanners. While such tools may detect the absence of access control by static or dynamic testing, they cannot verify if it is properly functioning when it is present. When a tool detects requesting access to an object, it is not aware of access control policies to infer whether the request is permitted. This completely depends on the access control logic and there is no automatic way to fully and precisely capture it from software behavior. Taking this challenge into consideration, this article proposes a black-box method to detect IDOR vulnerabilities in web applications without knowing access control logic. To this purpose, we first, gather information from the web application by a semi-automatic crawling process. Then, we tricksily manipulate legal requests to create effective attacks on the web application. Finally, we analyze received responses to check whether the requests are vulnerable to IDOR. The detection process in the analysis phase is supported by our set theory based formal modeling of such vulnerabilities. The proposed method has been implemented as an IDOR detection tool (IDOT) and evaluated on a couple of vulnerable web applications. Evaluation results show that the method can effectively detect IDOR vulnerabilities provided that enough information is gathered in the crawling phase.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
IDOT: Web应用程序中访问控制违规的黑盒检测
软件应用中访问控制违规的自动检测是一个具有挑战性的问题。不安全直接对象引用(IDOR)是排名靠前的漏洞之一,它违反了访问控制策略,目前还不能被自动漏洞扫描器检测到。虽然这些工具可以通过静态或动态测试检测访问控制的缺失,但它们无法验证访问控制存在时是否正常工作。当工具检测到请求访问对象时,它不知道访问控制策略来推断请求是否被允许。这完全取决于访问控制逻辑,并且没有自动的方法可以完全准确地从软件行为中捕获它。考虑到这一挑战,本文提出了一种黑盒方法,在不知道访问控制逻辑的情况下检测web应用中的IDOR漏洞。为此,我们首先通过半自动爬行过程从web应用程序收集信息。然后,我们巧妙地操纵合法请求来对web应用程序进行有效的攻击。最后,我们分析收到的响应,以检查请求是否容易受到IDOR攻击。分析阶段的检测过程由我们基于集合理论的此类漏洞形式化建模来支持。该方法已作为IDOT检测工具实现,并在几个易受攻击的web应用程序上进行了评估。评估结果表明,只要在爬行阶段收集到足够的信息,该方法可以有效地检测到IDOR漏洞。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
One-Shot Achievable Secrecy Rate Regions for Quantum Interference Wiretap Channel Quantum Multiple Access Wiretap Channel: On the One-Shot Achievable Secrecy Rate Regions Towards a Formal Approach for Detection of Vulnerabilities in the Android Permissions System Towards event aggregation for reducing the volume of logged events during IKC stages of APT attacks A Time Randomization-Based Countermeasure Against the Template Side-Channel Attack
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1