Towards automated discovery of access control vulnerabilities
Abstract
This thesis develops a methodology and an implementation for automated gray-box Broken Access Control Scanning (BACS) of web applications. Broken access control ranks first in the OWASP Top Ten Web Application Security Risks 2021. The need for this research comes from the observation that testing for broken access controls in web applications is labor-intensive, time-consuming, and error-prone. Security researchers therefore require a modern methodology and toolset for exhaustively discovering access control vulnerabilities in web applications.
The posited hypothesis is that the contextual awareness required for testing access controls can be obtained by assuming that each user is authorized to perform only those actions reachable through the UI presented to that user. The methodology developed in this research consists of four phases: 1) a crawl phase, in which the application is crawled as multiple users; 2) a request selection phase, in which potentially vulnerable requests are selected; 3) a request replay phase, in which the selected requests are replayed in the session context of another user; and 4) a response comparison phase, which determines whether an access control vulnerability has occurred. An implementation is provided and evaluated during web application penetration tests at DongIT. The results show that critical and structural access control issues can be identified when all four stages are completed. However, the intricacies of web applications often pose challenges for one or more of the four stages. From the results, it is concluded that the BACS methodology is a viable strategy and a valuable tool in the toolbelt of a security tester.
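The four BACS phases, as an added illustration that is not the thesis's own implementation: a constructed in-memory application with two users (`alice`, `bob`), a constructed crawl result standing in for phase 1, and the selection, replay and comparison phases run over it. The application's missing ownership check on DELETE, the session tokens and the invoice paths are all invented for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    method: str
    path: str

# Constructed in-memory "application" standing in for the target: one session token
# per user and a policy with a deliberate gap (GET checks ownership, DELETE does not).
SESSIONS = {"alice": "tok-alice", "bob": "tok-bob"}
INVOICES = {"/invoices/1": "alice", "/invoices/2": "bob"}

def app(req, token):
    """Simulated server: returns (status, body) for a request sent with a token."""
    user = next((u for u, t in SESSIONS.items() if t == token), None)
    if user is None:
        return 401, "unauthenticated"
    owner = INVOICES.get(req.path)
    if owner is None:
        return 404, "not found"
    if req.method == "GET":
        return (200, f"invoice of {owner}") if owner == user else (403, "forbidden")
    if req.method == "DELETE":
        return 200, f"deleted invoice of {owner}"   # missing ownership check
    return 405, "method not allowed"

# Phase 1 (crawl), as a constructed result: the requests each user can reach through
# the UI; under the hypothesis this defines what each user is authorized to do.
CRAWL = {
    "alice": {Request("GET", "/invoices/1"), Request("DELETE", "/invoices/1")},
    "bob": {Request("GET", "/invoices/2"), Request("DELETE", "/invoices/2")},
}

def select_requests(crawl, user):
    """Phase 2: keep requests that appear in `user`'s UI but in no other user's."""
    others = set().union(*(r for u, r in crawl.items() if u != user))
    return sorted(crawl[user] - others, key=lambda r: (r.method, r.path))

def scan(crawl):
    """Phases 3 and 4: replay each selected request in every other user's session and
    flag replays whose response equals the owner's. A real scanner would normalise
    responses (timestamps, CSRF tokens) before comparing."""
    findings = []
    for owner in crawl:
        for req in select_requests(crawl, owner):
            expected = app(req, SESSIONS[owner])
            for other in (u for u in crawl if u != owner):
                if app(req, SESSIONS[other]) == expected:
                    findings.append((other, req.method, req.path))
    return findings
```

Running `scan(CRAWL)` flags only the DELETE replays, because the GET replays answer 403 and so differ from the owner's response.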