Please use this identifier to cite or link to this item: https://doi.org/10.21256/zhaw-25347
Full metadata record
DC FieldValueLanguage
dc.contributor.authorRennhard, Marc-
dc.contributor.authorKushnir, Malte-
dc.contributor.authorFavre, Olivier-
dc.contributor.authorEsposito, Damiano-
dc.contributor.authorZahnd, Valentin-
dc.date.accessioned2022-07-27T08:28:30Z-
dc.date.available2022-07-27T08:28:30Z-
dc.date.issued2022-
dc.identifier.issn2661-8907de_CH
dc.identifier.urihttps://digitalcollection.zhaw.ch/handle/11475/25347-
dc.description.abstractThe importance of automated and reproducible security testing of web applications is growing, driven by increasing security requirements, short software development cycles, and constraints with respect to time and budget. Existing automated security testing tools are already well suited to detect some types of vulnerabilities, e.g., SQL injection or cross-site scripting vulnerabilities. However, other vulnerability types are much harder to uncover in an automated way. One important representative of this type are access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect HTTP GET request-based access control vulnerabilities in web applications is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort, which in turn enables frequent and reproducible testing. An evaluation with seven web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives low.de_CH
dc.language.isoende_CH
dc.publisherSpringerde_CH
dc.relation.ispartofSN Computer Sciencede_CH
dc.rightshttp://creativecommons.org/licenses/by/4.0/de_CH
dc.subjectAutomated testingde_CH
dc.subjectWeb application security testingde_CH
dc.subjectAccess control testingde_CH
dc.subjectBlack box security testingde_CH
dc.subjectDynamic web application security testingde_CH
dc.subject.ddc005: Computerprogrammierung, Programme und Datende_CH
dc.titleAutomating the detection of access control vulnerabilities in web applicationsde_CH
dc.typeBeitrag in wissenschaftlicher Zeitschriftde_CH
dcterms.typeTextde_CH
zhaw.departementSchool of Engineeringde_CH
zhaw.organisationalunitInstitut für Angewandte Informationstechnologie (InIT)de_CH
dc.identifier.doi10.1007/s42979-022-01271-1de_CH
dc.identifier.doi10.21256/zhaw-25347-
zhaw.funding.euNode_CH
zhaw.issue5de_CH
zhaw.originated.zhawYesde_CH
zhaw.pages.start376de_CH
zhaw.publication.statuspublishedVersionde_CH
zhaw.volume3de_CH
zhaw.publication.reviewPeer review (Publikation)de_CH
zhaw.webfeedInformation Securityde_CH
zhaw.funding.zhawFASTscan: Fully Automated Security Testing with scanmeterde_CH
zhaw.author.additionalNode_CH
zhaw.display.portraitYesde_CH
Appears in collections:Publikationen School of Engineering

Files in This Item:
File Description SizeFormat 
2022_Rennhard-etal_Automating-detection-access-control-vulnerabilities.pdf1.46 MBAdobe PDFThumbnail
View/Open


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.