Automatic detection of access control vulnerabilities in web applications by URL crawling and forced browsing

Abstract

Access control vulnerabilities can be disastrous in Web applications. The vulnerabilities might be introduced when developers set up unsafe policies in design phase or inconsistently implement safe policies. Attackers take advantage of the vulnerabilities to obtain the authority of administrator and the sensitive information of another user. Hence, the early detection of access control vulnerabilities is very important. This paper proposes a dynamic analysis that automatically detects access control vulnerabilities in web applications. Given a web site and authorities, accessible URLs for each authority are collected by crawling the web site, and then a chosen subset of the URLs are tested to check whether or not access control vulnerabilities exist for the given authority. We implemented the idea, experimented it with some selected web applications, and found some real access-control vulnerabilities