DOI: 10.5555/2028067.2028078

Static detection of access control vulnerabilities in web applications

Published: 08 August 2011

Abstract

Access control vulnerabilities, which cause privilege escalations, are among the most dangerous vulnerabilities in web applications. Unfortunately, due to the difficulty in designing and implementing perfect access checks, web applications often fall victim to access control attacks. In contrast to traditional injection flaws, access control vulnerabilities are application-specific, rendering it challenging to obtain precise specifications for static and runtime enforcement. On one hand, writing specifications manually is tedious and time-consuming, which leads to non-existent, incomplete or erroneous specifications. On the other hand, automatic probabilistic-based specification inference is imprecise and computationally expensive in general.
This paper describes the first static analysis that automatically detects access control vulnerabilities in web applications. The core of the analysis is a technique that statically infers and enforces implicit access control assumptions. Our insight is that source code implicitly documents intended accesses of each role and any successful forced browsing to a privileged page is likely a vulnerability. Based on this observation, our static analysis constructs sitemaps for different roles in a web application, compares per-role sitemaps to find privileged pages, and checks whether forced browsing is successful for each privileged page. We implemented our analysis and evaluated our tool on several real-world web applications. The evaluation results show that our tool is scalable and detects both known and new access control vulnerabilities with few false positives.


Published In

SEC'11: Proceedings of the 20th USENIX conference on Security, August 2011. Program Chair: David Wagner. Publisher: USENIX Association, United States.

Sponsors

  • NSF: National Science Foundation
  • Google Inc.
  • IBM Research
  • Microsoft Research
  • RSA: The Security Division of EMC

Cited By

  • (2021) Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review. ACM Computing Surveys 54(9), pages 1-35. doi:10.1145/3474553
  • (2021) Privilege-Escalation Vulnerability Discovery for Large-scale RPC Services. Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pages 565-577. doi:10.1145/3433210.3453076
  • (2018) Model-driven run-time enforcement of complex role-based access control policies. Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pages 248-258. doi:10.1145/3238147.3238167
  • (2017) Aegis. Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, pages 321-328. doi:10.1145/3029806.3029813
  • (2016) Radiatus. Proceedings of the Seventh ACM Symposium on Cloud Computing, pages 237-250. doi:10.1145/2987550.2987571
  • (2016) Chainsaw. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 641-652. doi:10.1145/2976749.2978380
  • (2016) Finding access control bugs in web applications with CanCheck. Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering, pages 155-166. doi:10.1145/2970276.2970350
  • (2016) Detecting Privilege Escalation Attacks through Instrumenting Web Application Source Code. Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies, pages 73-80. doi:10.1145/2914642.2914661
  • (2014) The emperor's new password manager. Proceedings of the 23rd USENIX conference on Security Symposium, pages 465-479. doi:10.5555/2671225.2671255
  • (2014) MACE. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 690-701. doi:10.1145/2660267.2660337