loading
Papers Papers/2022 Papers Papers/2022

Research.Publish.Connect.

Paper

Paper Unlock

Authors: Malte Kushnir 1 ; Olivier Favre 1 ; Marc Rennhard 1 ; Damiano Esposito 2 and Valentin Zahnd 2

Affiliations: 1 Institute of Applied Information Technology, Zurich University of Applied Sciences, Winterthur, Switzerland ; 2 scanmeter GmbH, Zurich, Switzerland

Keyword(s): Automated Web Application Security Testing, Access Control Security Testing, Black Box Security Testing.

Abstract: Automated and reproducible security testing of web applications is getting more and more important, driven by short software development cycles and constraints with respect to time and budget. Some types of vulnerabilities can already be detected reasonably well by automated security scanners, e.g., SQL injection or cross-site scripting vulnerabilities. However, other types of vulnerabilities are much harder to uncover in an automated way. This includes access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect access control vulnerabilities in the context of HTTP GET requests is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort that enables frequent and reproducible testi ng. An evaluation using four web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives relatively low. (More)

CC BY-NC-ND 4.0

Sign In Guest: Register as new SciTePress user now for free.

Sign In SciTePress user: please login.

PDF ImageMy Papers

You are not signed in, therefore limits apply to your IP address 3.144.212.145

In the current month:
Recent papers: 100 available of 100 total
2+ years older papers: 200 available of 200 total

Paper citation in several formats:
Kushnir, M.; Favre, O.; Rennhard, M.; Esposito, D. and Zahnd, V. (2021). Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications. In Proceedings of the 7th International Conference on Information Systems Security and Privacy - ICISSP; ISBN 978-989-758-491-6; ISSN 2184-4356, SciTePress, pages 204-216. DOI: 10.5220/0010300102040216

@conference{icissp21,
author={Malte Kushnir. and Olivier Favre. and Marc Rennhard. and Damiano Esposito. and Valentin Zahnd.},
title={Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications},
booktitle={Proceedings of the 7th International Conference on Information Systems Security and Privacy - ICISSP},
year={2021},
pages={204-216},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010300102040216},
isbn={978-989-758-491-6},
issn={2184-4356},
}

TY - CONF

JO - Proceedings of the 7th International Conference on Information Systems Security and Privacy - ICISSP
TI - Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications
SN - 978-989-758-491-6
IS - 2184-4356
AU - Kushnir, M.
AU - Favre, O.
AU - Rennhard, M.
AU - Esposito, D.
AU - Zahnd, V.
PY - 2021
SP - 204
EP - 216
DO - 10.5220/0010300102040216
PB - SciTePress

- Science and Technology Publications, Lda.
RESOURCES

Proceedings

Papers

Authors

Ontology

CONTACTS

Science and Technology Publications, Lda
Avenida de S. Francisco Xavier, Lote 7 Cv. C,
2900-616 Setúbal, Portugal.

Phone: +351 265 520 185 (National fixed network call)
Fax: +351 265 520 186
Email: info@scitepress.org

EXTERNAL LINKS

PRIMORIS

INSTICC

SCITEVENTS

CROSSREF

PROCEEDINGS SUBMITTED FOR INDEXATION BY:

dblp

Ei Compendex

SCOPUS

Semantic Scholar

Google Scholar

Microsoft Academic