Bitte benutzen Sie diese Kennung, um auf die Ressource zu verweisen:
https://doi.org/10.21256/zhaw-21946| Publikationstyp: | Konferenz: Paper |
| Art der Begutachtung: | Peer review (Publikation) |
| Titel: | Automated black box detection of HTTP GET request-based access control vulnerabilities in web applications |
| Autor/-in: | Kushnir, Malte Favre, Olivier Rennhard, Marc Esposito, Damiano Zahnd, Valentin |
| et. al: | No |
| DOI: | 10.5220/0010300102040216 10.21256/zhaw-21946 |
| Tagungsband: | Proceedings of the 7th International Conference on Information Systems Security and Privacy |
| Seite(n): | 204 |
| Seiten bis: | 216 |
| Angaben zur Konferenz: | ICISSP 2021, online, 11-13 February 2021 |
| Erscheinungsdatum: | 2021 |
| Verlag / Hrsg. Institution: | SciTePress |
| ISBN: | 978-989-758-491-6 |
| Sprache: | Englisch |
| Schlagwörter: | Automated web application security testing; Access control security testing; Black box security testing |
| Fachgebiet (DDC): | 005: Computerprogrammierung, Programme und Daten |
| Zusammenfassung: | Automated and reproducible security testing of web applications is getting more and more important, driven by short software development cycles and constraints with respect to time and budget. Some types of vulnerabilities can already be detected reasonably well by automated security scanners, e.g., SQL injection or cross-site scripting vulnerabilities. However, other types of vulnerabilities are much harder to uncover in an automated way. This includes access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect access control vulnerabilities in the context of HTTP GET requests is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort that enables frequent and reproducible testing. An evaluation using four web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives relatively low. |
| URI: | https://digitalcollection.zhaw.ch/handle/11475/21946 |
| Volltext Version: | Publizierte Version |
| Lizenz (gemäss Verlagsvertrag): | CC BY-NC-ND 4.0: Namensnennung - Nicht kommerziell - Keine Bearbeitungen 4.0 International |
| Departement: | School of Engineering |
| Organisationseinheit: | Institut für Informatik (InIT) |
| Publiziert im Rahmen des ZHAW-Projekts: | scanmeter Next Generation |
| Enthalten in den Sammlungen: | Publikationen School of Engineering |
Dateien zu dieser Ressource:
| Datei | Beschreibung | Größe | Format | |
|---|---|---|---|---|
| 2021_Kushnir_etal_Automated-black-box-detection_ICISSP.pdf | 292.85 kB | Adobe PDF |  Öffnen/Anzeigen |
Zur Langanzeige
Kushnir, M., Favre, O., Rennhard, M., Esposito, D., & Zahnd, V. (2021). Automated black box detection of HTTP GET request-based access control vulnerabilities in web applications [Conference paper]. Proceedings of the 7th International Conference on Information Systems Security and Privacy, 204–216. https://doi.org/10.5220/0010300102040216
Kushnir, M. et al. (2021) ‘Automated black box detection of HTTP GET request-based access control vulnerabilities in web applications’, in Proceedings of the 7th International Conference on Information Systems Security and Privacy. SciTePress, pp. 204–216. Available at: https://doi.org/10.5220/0010300102040216.
M. Kushnir, O. Favre, M. Rennhard, D. Esposito, and V. Zahnd, “Automated black box detection of HTTP GET request-based access control vulnerabilities in web applications,” in Proceedings of the 7th International Conference on Information Systems Security and Privacy, 2021, pp. 204–216. doi: 10.5220/0010300102040216.
KUSHNIR, Malte, Olivier FAVRE, Marc RENNHARD, Damiano ESPOSITO und Valentin ZAHND, 2021. Automated black box detection of HTTP GET request-based access control vulnerabilities in web applications. In: Proceedings of the 7th International Conference on Information Systems Security and Privacy. Conference paper. SciTePress. 2021. S. 204–216. ISBN 978-989-758-491-6
Kushnir, Malte, Olivier Favre, Marc Rennhard, Damiano Esposito, and Valentin Zahnd. 2021. “Automated Black Box Detection of HTTP GET Request-Based Access Control Vulnerabilities in Web Applications.” Conference paper. In Proceedings of the 7th International Conference on Information Systems Security and Privacy, 204–16. SciTePress. https://doi.org/10.5220/0010300102040216.
Kushnir, Malte, et al. “Automated Black Box Detection of HTTP GET Request-Based Access Control Vulnerabilities in Web Applications.” Proceedings of the 7th International Conference on Information Systems Security and Privacy, SciTePress, 2021, pp. 204–16, https://doi.org/10.5220/0010300102040216.
Alle Ressourcen in diesem Repository sind urheberrechtlich geschützt, soweit nicht anderweitig angezeigt.