SciTePress - Publication Details

More Web Proxy on the site http://driver.im/

Research.Publish.Connect.

*Please fill out at least one Field. *Value must be an number!

Title:
ISBN:
Year:
Acronym:
Subject:

Advanced Search Proceedings Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Title:
Author:
Affiliation:
Subject:

Advanced Search Papers Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Name:
Affiliation:
Country:
Conference:
Subject:

Advanced Search Authors Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Name:
Country:
Subject:

Advanced Search Affiliations Search

If you're looking for an exact phrase use quotation marks on text fields.

Proceedings

Proceedings Search *Please fill out at least one Field. *Value must be an number!

Title:
ISBN:
Year:
Acronym:
Subject:

Advanced Search Proceedings Search

If you're looking for an exact phrase use quotation marks on text fields.

Papers

Papers Search *Please fill out at least one Field.

Title:
Author:
Affiliation:
Subject:

Advanced Search Papers Search

If you're looking for an exact phrase use quotation marks on text fields.

Authors

Authors Search *Please fill out at least one Field.

Name:
Affiliation:
Country:
Conference:
Subject:

Advanced Search Authors Search

If you're looking for an exact phrase use quotation marks on text fields.

Advanced Search

Paper

Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications

Topics: Access and Usage Control; Security; Web Applications and Services

In Proceedings of the 7th International Conference on Information Systems Security and Privacy ICISSP - Volume 1, 204-216, 2021

Authors: Malte Kushnir ¹ ; Olivier Favre ¹ ; Marc Rennhard ¹ ; Damiano Esposito ² and Valentin Zahnd ²

Affiliations: ¹ Institute of Applied Information Technology, Zurich University of Applied Sciences, Winterthur, Switzerland ; ² scanmeter GmbH, Zurich, Switzerland

Keyword(s): Automated Web Application Security Testing, Access Control Security Testing, Black Box Security Testing.

Abstract: Automated and reproducible security testing of web applications is getting more and more important, driven by short software development cycles and constraints with respect to time and budget. Some types of vulnerabilities can already be detected reasonably well by automated security scanners, e.g., SQL injection or cross-site scripting vulnerabilities. However, other types of vulnerabilities are much harder to uncover in an automated way. This includes access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect access control vulnerabilities in the context of HTTP GET requests is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort that enables frequent and reproducible testi ng. An evaluation using four web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives relatively low. (More)

CC BY-NC-ND 4.0

Guest: Register as new SciTePress user now for free.

SciTePress user: please login.

My Papers

You are not signed in, therefore limits apply to your IP address 79.170.44.78

In the current month:

Recent papers: 100 available of 100 total

2⁺ years older papers: 200 available of 200 total

Paper citation in several formats:

Kushnir, M., Favre, O., Rennhard, M., Esposito, D. and Zahnd, V. (2021). Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications. In Proceedings of the 7th International Conference on Information Systems Security and Privacy - ICISSP; ISBN 978-989-758-491-6; ISSN 2184-4356, SciTePress, pages 204-216. DOI: 10.5220/0010300102040216

@conference{icissp21,
author={Malte Kushnir and Olivier Favre and Marc Rennhard and Damiano Esposito and Valentin Zahnd},
title={Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications},
booktitle={Proceedings of the 7th International Conference on Information Systems Security and Privacy - ICISSP},
year={2021},
pages={204-216},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010300102040216},
isbn={978-989-758-491-6},
issn={2184-4356},
}

TY - CONF

JO - Proceedings of the 7th International Conference on Information Systems Security and Privacy - ICISSP
TI - Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications
SN - 978-989-758-491-6
IS - 2184-4356
AU - Kushnir, M.
AU - Favre, O.
AU - Rennhard, M.
AU - Esposito, D.
AU - Zahnd, V.
PY - 2021
SP - 204
EP - 216
DO - 10.5220/0010300102040216
PB - SciTePress