Access Control Rules Tester
1. Access Control Rules Tester
   - Andrew Petukhov
   - Department of Computer Science
   - Moscow State University
   - [email_address]

2. Contents
   - 'About box'
   - Motivation: what is flawed access control in web apps?
   - Model: how do we view a web application?
   - Method: how to detect inconsistency of access control?
   - Implementation: the AcCoRuTe tool
   - Features and Limitations
   - Future work

3. Web Security group at Computing Systems Lab, Moscow State University
   - Andrew Petukhov
   - Dmitry Kozlov
   - Igor Konnov
   - MSU Computer Science faculty students who participate in our projects: Georgy Klimov, Edward Toroschin, Denis Zalivin, Alexander Mischenkko

4. Our contributions to OWASP
   - Python tainted mode (SoC 2007)
   - Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing (AppSecEU08)
   - Static analysis of Python web applications (SoC 2008)
   - Teachable Static Analysis Workbench (SoC 2008)
   - Access Control Rules Tester (SoC 2008)
   - OWASP Site Generator Refresh (SoC 2008)

5. What is flawed access control?

6. What is flawed access control? -- continued --

7. What is flawed access control? -- continued --

8. Web Application Model
   - A web application is not a simple union of the Sitemaps available to its users
   - A web application is rather a state transition system:
     - A state is the set of all resources accessible through GET requests
     - States are changed by POST requests, called actions
     - Access control rules are constraints on the set of resources and actions that should be available to a particular user at a certain time
   - So how do we infer access control rules from a black-box point of view?
   - Assumption: if a user is not presented a link to a resource or action, he is not supposed to access it

9. Tasks of the access control tester
   - Build the set of GET resources and POST actions accessible through the HTML user interface to a user at a given web application state
   - Given the sets of accessible resources and actions (R_a and R_b) for two different users at a certain web application state:
     - Verify that resources inaccessible via the user interface are indeed inaccessible through direct requests
     - Issue direct requests for R_b \ R_a while logged in as user a, and for R_a \ R_b while logged in as user b
   - Perform these checks for different web application states and different users
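The method of slides 8 and 9 in Python, as an added example (not the AcCoRuTe tool's own code): each user's Sitemap at one application state is a set of (method, URI) pairs, the difference R_b \ R_a is requested directly while acting as user a (and vice versa), and any success response is reported as broken access control. The user names, sitemaps and the fake_server policy are constructed stand-ins; a real run would replace fake_server with a function that sends authenticated HTTP requests and returns the status code.

```python
"""Differential access-control check in the spirit of the AcCoRuTe method.

Added example, not the tool's own code. Sitemaps, user names and the
fake_server policy below are constructed; a real run would replace
fake_server with authenticated HTTP requests.
"""

# A resource is an (HTTP method, URI) pair reachable from the HTML UI.
# Constructed sample: what each user's interface exposes at one application state.
SITEMAPS = {
    "alice": {("GET", "/home"), ("GET", "/account/1"), ("POST", "/transfer")},
    "bob": {("GET", "/home"), ("GET", "/account/2"), ("POST", "/transfer"),
            ("GET", "/admin/users")},
}


def fake_server(user, resource):
    """Constructed stand-in for the application's server-side policy.

    It deliberately omits an ownership check on /account/<id>, which is the
    kind of flaw the differential check is meant to surface.
    """
    method, uri = resource
    if uri in ("/home", "/transfer"):
        return 200
    if uri.startswith("/account/"):
        return 200  # no ownership check: any logged-in user can read any account
    if uri == "/admin/users":
        return 200 if user == "bob" else 403
    return 404


def hidden_resources(sitemaps, user, other):
    """R_other \\ R_user: resources the UI shows to `other` but not to `user`.

    Under the model's assumption, `user` is not supposed to reach any of them.
    """
    return sitemaps[other] - sitemaps[user]


def find_broken_access_control(sitemaps, request):
    """Request every hidden resource directly and report the ones that succeed.

    `request(user, resource)` performs the direct request as `user` and returns
    the HTTP status code. A 2xx answer for a resource the UI hid is a finding.
    """
    findings = []
    for user in sitemaps:
        for other in sitemaps:
            if user == other:
                continue
            for resource in sorted(hidden_resources(sitemaps, user, other)):
                status = request(user, resource)
                if 200 <= status < 300:
                    findings.append({
                        "user": user,          # who made the direct request
                        "other": other,        # whose UI exposed the resource
                        "method": resource[0],
                        "uri": resource[1],
                        "status": status,
                    })
    return findings


if __name__ == "__main__":
    for f in find_broken_access_control(SITEMAPS, fake_server):
        print(f"{f['user']} reached {f['method']} {f['uri']} "
              f"(shown only to {f['other']}), HTTP {f['status']}")
```

On the constructed policy the check reports /account/2 reached by alice and /account/1 reached by bob, while /admin/users is correctly refused to alice and produces no finding. Because the comparison is made per application state, the same routine would be run once for every state in the transition model, with the request function re-authenticating as needed.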
10. Deliverables of the Project
   - A formal model and algorithm for web application access control assessment
   - A guide on how to decompose a web application into states and transitions
   - A workflow for building a Sitemap for a given web application state
   - A command line tool which actually performs access control testing:
     - Input: an XML file describing the web application's States and Transitions, and Sitemaps representing each state
     - Output: an HTML report (XML in the near future) specifying broken access control URIs and the participating users

11. Sitemap Building Workflow

12. Access Control Testing Workflow

13. Features and Limitations
   - Automatically maintains the logged-in state while performing access control testing; re-logs in after forceful session expiration
   - Always submits current values extracted from the latest HTTP responses (instead of recorded ones) for parameters such as session IDs and the ASP.NET __EVENTVALIDATION and __EVENTSTATE variables. The set of non-replayable parameters is customizable
   - 100% result on the HacMe Bank v2.0 web application
   - No support for AJAX
   - No support for multi-factor authentication
   - No support for anti-automation (CAPTCHAs)
   - Toilsome Sitemap building process for web applications containing JavaScript-based navigation and lots of forms
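The two maintenance features of slide 13 (refreshing non-replayable parameters from the latest response, and noticing that a session was forcibly expired) in Python, as an added example that is not the AcCoRuTe tool's own code. The NON_REPLAYABLE set, the recorded request and the two HTML pages are constructed; __EVENTVALIDATION is the ASP.NET field named on the slide, "sessionid" is a constructed name for a session token carried in a hidden field. Session-expiry detection here is a heuristic (the response contains a password field), which is an assumption about how the tested application behaves.

```python
"""Refreshing non-replayable parameters before replaying a recorded request.

Added example, not the AcCoRuTe tool's own code. The field names in
NON_REPLAYABLE, the recorded request and the HTML pages are constructed.
"""
from html.parser import HTMLParser

# Parameters whose recorded values must never be replayed; the real tool makes
# this set customizable. __EVENTVALIDATION is an ASP.NET field, "sessionid" is
# a constructed name for a session token carried in a hidden field.
NON_REPLAYABLE = {"__EVENTVALIDATION", "sessionid"}


class FormFieldParser(HTMLParser):
    """Collects hidden input values and notices password fields (login forms)."""

    def __init__(self):
        super().__init__()
        self.hidden = {}
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        kind = (a.get("type") or "text").lower()
        if kind == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""
        elif kind == "password":
            self.has_password_field = True


def parse_response(html):
    parser = FormFieldParser()
    parser.feed(html)
    return parser


def needs_relogin(html):
    """Heuristic for forceful session expiration: the server answered with a login form."""
    return parse_response(html).has_password_field


def refresh_request(recorded_params, latest_html, non_replayable=NON_REPLAYABLE):
    """Return a copy of the recorded parameters with fresh values from latest_html.

    Raises KeyError when a non-replayable parameter is absent from the latest
    response, because replaying the stale value would give a false test result.
    """
    current = parse_response(latest_html).hidden
    refreshed = dict(recorded_params)
    for name in recorded_params:
        if name in non_replayable:
            if name not in current:
                raise KeyError(f"{name} not present in latest response; cannot replay")
            refreshed[name] = current[name]
    return refreshed


# Constructed sample data: a recorded POST and two possible latest responses.
RECORDED_TRANSFER = {
    "__EVENTVALIDATION": "/wEWAgLrecorded",
    "sessionid": "sess-recorded",
    "amount": "10",
    "to_account": "2",
}

LATEST_PAGE = """
<form method="post" action="/transfer">
  <input type="hidden" name="__EVENTVALIDATION" value="/wEWAgLfresh" />
  <input type="hidden" name="sessionid" value="sess-fresh" />
  <input name="amount" /><input name="to_account" />
</form>
"""

LOGIN_PAGE = """
<form method="post" action="/login">
  <input name="username" /><input type="password" name="password" />
</form>
"""

if __name__ == "__main__":
    print(refresh_request(RECORDED_TRANSFER, LATEST_PAGE))
    print("relogin needed:", needs_relogin(LOGIN_PAGE))
```

The replay loop a tester would build around this is: fetch the page that carries the form, call needs_relogin on it and re-authenticate if it returns True, then call refresh_request and submit the result. Raising on a missing non-replayable field rather than silently reusing the recorded value matters because a stale __EVENTVALIDATION would be rejected by the server for reasons unrelated to access control, which the tester must not count as a denied resource.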
14. Future work
   - Perform in-depth evaluation on real-world web applications
   - Add an XSD schema for WebApplication.xml and validate against it
   - Make the tool generate XML reports and create XSLT transformation style sheets
   - Implement a GUI for creating the WebApplication.xml file
   - Fix mistakes in English in the documentation (need help from native speakers!)

15. Thank You! Any questions?
