Web applications have become a de facto standard for delivering services on the Internet. Often they contain sensitive data and provide functionality which should be protected from unauthorized access. Explicit access control policies can be leveraged for validating the access control, but, unfortunately, these policies are rarely defined in case of web applications. Previous research shows that access control flaws in web applications may be revealed with black-box analysis, but the existing “differential analysis” approach has certain limitations. We believe that taking the state of the web application into account could help to overcome the limitations of exiting approach. In this paper we propose a novel approach to black-box web application testing, which utilizes a use-case graph. The graph contains classes of actions within the web application and their dependencies. By traversing the graph and applying differential analysis at each step of the traversal, we were able to improve the accuracy of the method. The proposed method was implemented in the proof-of-concept tool AcCoRuTe. Evaluation with several real-world web applications shows better results in comparison to simple differential analysis.

1. Detecting Insufficient Access Control in
Web Applications
George Noseevich, Andrew Petukhov
{ngo, petand}@lvk.cs.msu.ru
Security research group of the Computer Systems Lab,
Computer Science Department, Lomonosov Moscow State University,
1st SysSec Workshop

2. Overview
What?
• Detecting broken access control in web applications
How?
• Modified “differential analysis”, black-box
Results
• A method and a tool, AcCoRuTe
• Evaluation on real-word web applications
• Previously-unknown vulnerabilities discovered

3. Access control testing - challenges
• Web applications provide for virtually unlimited set of
interactions and sequences thereof
• How do we distinguish an authorized worflow from
unauthorized without explicit specifications?
• How do we select a limited subset of actions to check for
access control violations?

4. Assumption
User should only be allowed to perform
actions listed in his web interface

5. Basic “differential analysis”
Build web application Try to access URLs visible to
sitemaps for each user one user on behalf of the other
Limitations
• Failiure to capture action interdependencies leads to
incomplete sitemaps
• Uncontrolled state changes during sitemap crawling result
in incorrect testing conditions

6. Possible solution
• Perform “differential analysis” in a series of web
application states
• Preserve state whithin each “differential analysis” round
Questions arise
• How do we select appropriate states?
• How do we tell apart state-changing and state-preserving
requests?

7. Proposed approach: information gathering step
Browser extension captures operator’s knowledge about web
application business logic
• Roles, users and their credentials
• Administrator, Moderator, User
• State-changing actions
• Post message, Delete forum, Assign forum to moderator
• Action dependencies and cancellations
• to delete a message one must write a message
• after a message is deleted it can no longer be modified

8. Proposed approach: automated scanning step
Web application scanner performs automated access control
test using gathered information
• Recorded actions are organized
in a use-case graph
• Actions from the graph are
carried out in a specific order
• After each performed action,
“differential analysis” is
performed
• State-changing actions are not
performed during the sitemap
crawling

9. Alternative method
White-box approach [Felmetsger et al, 2010]:
• Extract “likely invariants” during web application normal
operation using dynamic analysis
• Use model checking to check web application source code
for invariant violations
• Was evaluated on Easy JSP forum web application
(open source message board, approx. 1500 lines of code)
3 vulnerabilities found, 1 false positive, 5 h. running time

10. Evaluation
• Easy JSP forum: 5 vulnerabilities found and 1 missed, 1
false positive, 1 h running time (incl. 25 minutes of
operator work)
• PyForum: discovered previously-unknown vulnerability
that allows editing arbitrary user profiles, including the
ability to change passwords (confirmed by developer).

11. Work in progress
Limitations
• Limited (yet) javascript and AJAX support
• Some alerts do not represent real vulnerabilities
• Hidden content is not discovered
Next steps
• Further automate the process by using static analysis to
separate state-changing and state-preserving actions

12. Questions?