SlideShare a Scribd company logo
Access Control Rules Tester Andrew Petukhov Department of Computer Science Moscow State University [email_address]
Contents ‘ About box’ Motivation: what is flawed access control in web apps? Model: how do we view web application? Method: how to detect inconsistency of access control? Implementation: the AcCoRuTe tool Features and Limitations Future work
Web Security group at  Computing Systems Lab, Moscow State University Andrew Petukhov Dmitry Kozlov Igor Konnov MSU Computer Science faculty students who participate in our projects: Georgy Klimov, Edward Toroschin, Denis Zalivin, Alexander Mischenkko
Our contributions to OWASP Python tainted mode (SoC 2007) Detecting Security Vulnerabilities  in Web Applications Using Dynamic Analysis with Penetration Testing (AppSecEU08) Static analysis of Python web applications (SoC 2008) Teachable Static Analysis Workbench (SoC 2008) Access Control Rules Tester (SoC 2008) OWASP Site Generator Refresh (SoC 2008)
What is flawed access control?
What is flawed access control?  -- continued --
What is flawed access control?  -- continued --
Web Application Model Web application is not a simple union of Sitemaps available to its users Web application is indeed a State transition system:  State is a set of all accessible resources through GET-requests States are changed by POST-requests called actions Access control rules are constraints on the set of resources and actions that should be available to particular user at certain time So how do we infer access control rules having the black-box scope of view? Assumption : if user is not presented a link to resource or action, he is not supposed to access it
Tasks of access control tester Be able to build a set of GET- resources and POST-actions accessible through HTML user interface to a user at a given web application state Given sets of accessible resources and actions (R a  and R b ) for two different users at certain web application state:  Be able to verify whether inaccessible resources via user interface are indeed inaccessible through direct requests Issue direct requests for {R b  a } while logged in as user  a  and for {R a  b } while logged in as user  b Be able to perform checks for different web application states for different users
Deliveries of the Project A formal model and algorithm for web application access control assessment A guide how to decompose web application into states and transitions A workflow how to build Sitemap for a given web application state A command line tool, which actually performs access control testing: Input: an XML file describing web application States and Transitions and Sitemaps representing each state Output: an HTML report (XML is in near future) specifying broken access control URIs and participating users
Sitemap Building Workflow
Access Control Testing Workflow
Features and Limitations Automatically maintains the logged-in state while performing access control testing, relogins after forceful session expiration Always submits current values extracted from the latest HTTP-responses (instead of recorded ones) for such parameters as session IDs, ASP.NET __EVENTVALIDATION and __EVENTSTATE variables. The set of non-replayable parameters is customizable 100% result on the HacMe Bank v2.0 web application No support for AJAX No support for multi-factor authentication No support for anti-automation (CAPTCHAs) Toilsome Sitemap building process for web applications containing JavaScript –based navigation and lots of forms
Future work Perform in-depth evaluation on real-world web applications Add XSD schema for WebApplication.xml and perform validation against it Make the tool generate XML reports, create XSLT transformation style sheets  Implement GUI for creating WebApplication.xml file Fix mistakes in English in the documentation (need help form native speakers!!!)
Thank You! Any questions?

More Related Content

Viewers also liked

Detecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web ApplicationsDetecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web Applications
Andrew Petukhov
 
Обнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложенииОбнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложении
Andrew Petukhov
 
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникацииАрмия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Andrew Petukhov
 
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Andrew Petukhov
 
Benchmark сканеров SQL injection
Benchmark сканеров SQL injectionBenchmark сканеров SQL injection
Benchmark сканеров SQL injection
Andrew Petukhov
 
Обеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системахОбеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системах
Andrew Petukhov
 
Безопасность веб-приложений: starter edition
Безопасность веб-приложений: starter editionБезопасность веб-приложений: starter edition
Безопасность веб-приложений: starter edition
Andrew Petukhov
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
Andrew Petukhov
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Andrew Petukhov
 

Viewers also liked (9)

Detecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web ApplicationsDetecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web Applications
 
Обнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложенииОбнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложении
 
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникацииАрмия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
 
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
 
Benchmark сканеров SQL injection
Benchmark сканеров SQL injectionBenchmark сканеров SQL injection
Benchmark сканеров SQL injection
 
Обеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системахОбеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системах
 
Безопасность веб-приложений: starter edition
Безопасность веб-приложений: starter editionБезопасность веб-приложений: starter edition
Безопасность веб-приложений: starter edition
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
 

Similar to Access Control Rules Tester

A model for performance testing of ajax based web applications
A model for performance testing of ajax based web applicationsA model for performance testing of ajax based web applications
A model for performance testing of ajax based web applications
eSAT Publishing House
 
API & Backend Integration
API & Backend IntegrationAPI & Backend Integration
API & Backend Integration
Elewayte
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solution
hearme limited company
 
System requirements engineering
System requirements engineeringSystem requirements engineering
System requirements engineering
Animesh Chaturvedi
 
Mirri5
Mirri5Mirri5
Mirri5
Simon Harper
 
A novel approach for evaluation of applying ajax in the web site
A novel approach for evaluation of applying ajax in the web siteA novel approach for evaluation of applying ajax in the web site
A novel approach for evaluation of applying ajax in the web site
eSAT Publishing House
 
Reliability Improvement with PSP of Web-Based Software Applications
Reliability Improvement with PSP of Web-Based Software ApplicationsReliability Improvement with PSP of Web-Based Software Applications
Reliability Improvement with PSP of Web-Based Software Applications
CSEIJJournal
 
Preetham Paulose
Preetham PaulosePreetham Paulose
Preetham Paulose
Preetham Paulose
 
Selenium Testing Training in Bangalore
Selenium Testing Training in BangaloreSelenium Testing Training in Bangalore
Selenium Testing Training in Bangalore
rajkamal560066
 
Ajax
AjaxAjax
Components of a Generic Web Application Architecture
Components of  a Generic Web Application ArchitectureComponents of  a Generic Web Application Architecture
Components of a Generic Web Application Architecture
MadonnaLamin1
 
Testing Web Apps and API's
Testing Web Apps and API'sTesting Web Apps and API's
Testing Web Apps and API's
PractiTest
 
Testing Web Apps and APIs (1)
Testing Web Apps and APIs (1)Testing Web Apps and APIs (1)
Testing Web Apps and APIs (1)
AAron EvaNS
 
Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3
Abdelmonaim Remani
 
Parallel verification of software architecture design
Parallel verification of software architecture designParallel verification of software architecture design
Parallel verification of software architecture design
Nacha Chondamrongkul
 
Automated Fixing of Web UI Tests via Iterative Element Matching
Automated Fixing of Web UI Tests via Iterative Element MatchingAutomated Fixing of Web UI Tests via Iterative Element Matching
Automated Fixing of Web UI Tests via Iterative Element Matching
YuanzhangLin
 
Edit Event: Automated Fixing of Web UI Tests via Iterative Element Matching
Edit Event: Automated Fixing of Web UI Tests via Iterative Element MatchingEdit Event: Automated Fixing of Web UI Tests via Iterative Element Matching
Edit Event: Automated Fixing of Web UI Tests via Iterative Element Matching
YuanzhangLin
 
Yii Framework Security
Yii Framework SecurityYii Framework Security
Yii Framework Security
Ilko Kacharov
 
Scale and Load Testing of Micro-Service
Scale and Load Testing of Micro-ServiceScale and Load Testing of Micro-Service
Scale and Load Testing of Micro-Service
IRJET Journal
 
Client Side MVC & Angular
Client Side MVC & AngularClient Side MVC & Angular
Client Side MVC & Angular
Alexe Bogdan
 

Similar to Access Control Rules Tester (20)

A model for performance testing of ajax based web applications
A model for performance testing of ajax based web applicationsA model for performance testing of ajax based web applications
A model for performance testing of ajax based web applications
 
API & Backend Integration
API & Backend IntegrationAPI & Backend Integration
API & Backend Integration
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solution
 
System requirements engineering
System requirements engineeringSystem requirements engineering
System requirements engineering
 
Mirri5
Mirri5Mirri5
Mirri5
 
A novel approach for evaluation of applying ajax in the web site
A novel approach for evaluation of applying ajax in the web siteA novel approach for evaluation of applying ajax in the web site
A novel approach for evaluation of applying ajax in the web site
 
Reliability Improvement with PSP of Web-Based Software Applications
Reliability Improvement with PSP of Web-Based Software ApplicationsReliability Improvement with PSP of Web-Based Software Applications
Reliability Improvement with PSP of Web-Based Software Applications
 
Preetham Paulose
Preetham PaulosePreetham Paulose
Preetham Paulose
 
Selenium Testing Training in Bangalore
Selenium Testing Training in BangaloreSelenium Testing Training in Bangalore
Selenium Testing Training in Bangalore
 
Ajax
AjaxAjax
Ajax
 
Components of a Generic Web Application Architecture
Components of  a Generic Web Application ArchitectureComponents of  a Generic Web Application Architecture
Components of a Generic Web Application Architecture
 
Testing Web Apps and API's
Testing Web Apps and API'sTesting Web Apps and API's
Testing Web Apps and API's
 
Testing Web Apps and APIs (1)
Testing Web Apps and APIs (1)Testing Web Apps and APIs (1)
Testing Web Apps and APIs (1)
 
Building enterprise web applications with spring 3
Building enterprise web applications with spring 3Building enterprise web applications with spring 3
Building enterprise web applications with spring 3
 
Parallel verification of software architecture design
Parallel verification of software architecture designParallel verification of software architecture design
Parallel verification of software architecture design
 
Automated Fixing of Web UI Tests via Iterative Element Matching
Automated Fixing of Web UI Tests via Iterative Element MatchingAutomated Fixing of Web UI Tests via Iterative Element Matching
Automated Fixing of Web UI Tests via Iterative Element Matching
 
Edit Event: Automated Fixing of Web UI Tests via Iterative Element Matching
Edit Event: Automated Fixing of Web UI Tests via Iterative Element MatchingEdit Event: Automated Fixing of Web UI Tests via Iterative Element Matching
Edit Event: Automated Fixing of Web UI Tests via Iterative Element Matching
 
Yii Framework Security
Yii Framework SecurityYii Framework Security
Yii Framework Security
 
Scale and Load Testing of Micro-Service
Scale and Load Testing of Micro-ServiceScale and Load Testing of Micro-Service
Scale and Load Testing of Micro-Service
 
Client Side MVC & Angular
Client Side MVC & AngularClient Side MVC & Angular
Client Side MVC & Angular
 

Recently uploaded

Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
HackersList
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 

Recently uploaded (20)

Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 

Access Control Rules Tester

  • 1. Access Control Rules Tester Andrew Petukhov Department of Computer Science Moscow State University [email_address]
  • 2. Contents ‘ About box’ Motivation: what is flawed access control in web apps? Model: how do we view web application? Method: how to detect inconsistency of access control? Implementation: the AcCoRuTe tool Features and Limitations Future work
  • 3. Web Security group at Computing Systems Lab, Moscow State University Andrew Petukhov Dmitry Kozlov Igor Konnov MSU Computer Science faculty students who participate in our projects: Georgy Klimov, Edward Toroschin, Denis Zalivin, Alexander Mischenkko
  • 4. Our contributions to OWASP Python tainted mode (SoC 2007) Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing (AppSecEU08) Static analysis of Python web applications (SoC 2008) Teachable Static Analysis Workbench (SoC 2008) Access Control Rules Tester (SoC 2008) OWASP Site Generator Refresh (SoC 2008)
  • 5. What is flawed access control?
  • 6. What is flawed access control? -- continued --
  • 7. What is flawed access control? -- continued --
  • 8. Web Application Model Web application is not a simple union of Sitemaps available to its users Web application is indeed a State transition system: State is a set of all accessible resources through GET-requests States are changed by POST-requests called actions Access control rules are constraints on the set of resources and actions that should be available to particular user at certain time So how do we infer access control rules having the black-box scope of view? Assumption : if user is not presented a link to resource or action, he is not supposed to access it
  • 9. Tasks of access control tester Be able to build a set of GET- resources and POST-actions accessible through HTML user interface to a user at a given web application state Given sets of accessible resources and actions (R a and R b ) for two different users at certain web application state: Be able to verify whether inaccessible resources via user interface are indeed inaccessible through direct requests Issue direct requests for {R b a } while logged in as user a and for {R a b } while logged in as user b Be able to perform checks for different web application states for different users
  • 10. Deliveries of the Project A formal model and algorithm for web application access control assessment A guide how to decompose web application into states and transitions A workflow how to build Sitemap for a given web application state A command line tool, which actually performs access control testing: Input: an XML file describing web application States and Transitions and Sitemaps representing each state Output: an HTML report (XML is in near future) specifying broken access control URIs and participating users
  • 13. Features and Limitations Automatically maintains the logged-in state while performing access control testing, relogins after forceful session expiration Always submits current values extracted from the latest HTTP-responses (instead of recorded ones) for such parameters as session IDs, ASP.NET __EVENTVALIDATION and __EVENTSTATE variables. The set of non-replayable parameters is customizable 100% result on the HacMe Bank v2.0 web application No support for AJAX No support for multi-factor authentication No support for anti-automation (CAPTCHAs) Toilsome Sitemap building process for web applications containing JavaScript –based navigation and lots of forms
  • 14. Future work Perform in-depth evaluation on real-world web applications Add XSD schema for WebApplication.xml and perform validation against it Make the tool generate XML reports, create XSLT transformation style sheets Implement GUI for creating WebApplication.xml file Fix mistakes in English in the documentation (need help form native speakers!!!)
  • 15. Thank You! Any questions?