Access Control Rules Tester

This talk was given at the OWASP EU Summit 2008 in Portugal. More details here:
http://www.owasp.org/index.php/OWASP_EU_Summit_2008


  1. Access Control Rules Tester
     • Andrew Petukhov
     • Department of Computer Science
     • Moscow State University
     • [email_address]
  2. Contents
     • 'About' box
     • Motivation: what is flawed access control in web apps?
     • Model: how do we view a web application?
     • Method: how to detect inconsistency of access control?
     • Implementation: the AcCoRuTe tool
     • Features and limitations
     • Future work
  3. Web Security group at Computing Systems Lab, Moscow State University
     • Andrew Petukhov, Dmitry Kozlov, Igor Konnov
     • MSU Computer Science faculty students who participate in our projects: Georgy Klimov, Edward Toroschin, Denis Zalivin, Alexander Mischenkko
  4. Our contributions to OWASP
     • Python tainted mode (SoC 2007)
     • Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing (AppSecEU08)
     • Static analysis of Python web applications (SoC 2008)
     • Teachable Static Analysis Workbench (SoC 2008)
     • Access Control Rules Tester (SoC 2008)
     • OWASP Site Generator Refresh (SoC 2008)
  5. What is flawed access control?
  6. What is flawed access control? (continued)
  7. What is flawed access control? (continued)
  8. Web Application Model
     • A web application is not a simple union of the sitemaps available to its users
     • A web application is better viewed as a state transition system:
       - A state is the set of all resources accessible through GET requests
       - States are changed by POST requests, called actions
       - Access control rules are constraints on the set of resources and actions that should be available to a particular user at a certain time
     • So how do we infer access control rules from a black-box point of view?
     • Assumption: if a user is not presented a link to a resource or action, he is not supposed to access it
  9. Tasks of the access control tester
     • Be able to build the set of GET resources and POST actions reachable through the HTML user interface by a user at a given web application state
     • Given the sets of accessible resources and actions (R_a and R_b) for two different users at a certain web application state:
       - Be able to verify whether resources that are inaccessible via the user interface are indeed inaccessible through direct requests
       - Issue direct requests for R_b \ R_a while logged in as user a, and for R_a \ R_b while logged in as user b
     • Be able to perform these checks for different web application states and different users
  10. Deliverables of the project
     • A formal model and algorithm for web application access control assessment
     • A guide on how to decompose a web application into states and transitions
     • A workflow for building the sitemap of a given web application state
     • A command line tool which actually performs the access control testing:
       - Input: an XML file describing the web application's states and transitions, and sitemaps representing each state
       - Output: an HTML report (XML in the near future) listing the URIs with broken access control and the users involved
  11. Sitemap Building Workflow
  12. Access Control Testing Workflow
  13. Features and Limitations
     • Automatically maintains the logged-in state while performing access control testing; logs in again after forced session expiration
     • Always submits current values extracted from the latest HTTP responses (instead of recorded ones) for parameters such as session IDs and the ASP.NET __EVENTVALIDATION and __EVENTSTATE variables. The set of non-replayable parameters is customizable
     • 100% result on the HacMe Bank v2.0 web application
     • No support for AJAX
     • No support for multi-factor authentication
     • No support for anti-automation (CAPTCHAs)
     • Laborious sitemap building process for web applications with JavaScript-based navigation and lots of forms
  14. Future work
     • Perform in-depth evaluation on real-world web applications
     • Add an XSD schema for WebApplication.xml and validate against it
     • Make the tool generate XML reports, and create XSLT transformation style sheets
     • Implement a GUI for creating the WebApplication.xml file
     • Fix mistakes in English in the documentation (need help from native speakers!!!)
  15. Thank You! Any questions?
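The differential check from slides 8 and 9, as an added Python example (not the AcCoRuTe tool's own code): for every pair of users it computes R_b \ R_a, requests each hidden resource directly as the user it was hidden from, and reports those the server still serves. It assumes a single application state and uses a constructed in-memory stand-in for the server; simulated_fetch is where real HTTP requests with the user's session would go.

```python
from typing import Callable, Dict, Iterator, List, Set, Tuple

Resource = str                              # "GET /path" (resource) or "POST /path" (action)
Fetcher = Callable[[str, Resource], int]    # (user, resource) -> HTTP status code


def sitemap_diff(sitemaps: Dict[str, Set[Resource]]) -> Iterator[Tuple[str, str, Set[Resource]]]:
    """For every ordered pair of users (a, b), yield R_b minus R_a: resources the UI
    shows to b but not to a. Under the slide-8 assumption, a must not reach them."""
    for a, r_a in sitemaps.items():
        for b, r_b in sitemaps.items():
            if a != b:
                yield a, b, r_b - r_a


def find_broken_access_control(sitemaps: Dict[str, Set[Resource]],
                               fetch: Fetcher) -> List[Tuple[str, str, Resource]]:
    """Request each hidden resource directly as the user it was hidden from.
    A 2xx answer means the server enforces less than the UI implies."""
    findings = []
    for a, b, hidden in sitemap_diff(sitemaps):
        for res in sorted(hidden):
            if 200 <= fetch(a, res) < 300:
                findings.append((a, b, res))
    return findings


# Constructed sitemaps: what each user can reach by following links and forms in the UI.
SITEMAPS = {
    "anonymous": {"GET /"},
    "alice": {"GET /", "GET /account/alice", "POST /transfer"},
    "admin": {"GET /", "GET /admin/users", "POST /admin/delete_user", "POST /transfer"},
}

# Constructed stand-in for the server: who it actually lets through on a direct request.
# The last entry deliberately lacks a server-side check, which is the flaw the tester should find.
_SERVER_ACL = {
    "GET /": {"anonymous", "alice", "admin"},
    "GET /account/alice": {"alice"},
    "POST /transfer": {"alice", "admin"},
    "GET /admin/users": {"admin"},
    "POST /admin/delete_user": {"admin", "alice"},
}


def simulated_fetch(user: str, resource: Resource) -> int:
    """Hypothetical fetcher; a real one would send the request with user's session cookie."""
    return 200 if user in _SERVER_ACL.get(resource, set()) else 403


if __name__ == "__main__":
    for a, b, res in find_broken_access_control(SITEMAPS, simulated_fetch):
        print(f"BROKEN: '{a}' can reach '{res}', which the UI only offers to '{b}'")
```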
