2 research outputs found
A Survey of Prevent and Detect Access Control Vulnerabilities
Broken access control is one of the most common security vulnerabilities in
web applications. These vulnerabilities are the major cause of many data breach
incidents, which result in privacy concern and revenue loss. However,
preventing and detecting access control vulnerabilities proactively in web
applications could be difficult. Currently, these vulnerabilities are actively
detected by bug bounty hunters post-deployment, which creates attack windows
for malicious access. To solve this problem proactively requires security
awareness and expertise from developers, which calls for systematic solutions.
This survey targets to provide a structured overview of approaches that
tackle access control vulnerabilities. It firstly discusses the unique feature
of access control vulnerabilities, then studies the existing works proposed to
tackle access control vulnerabilities in web applications, which span the
spectrum of software development from software design and implementation,
software analysis and testing, and runtime monitoring. At last we discuss the
open problem in this field
Practical information flow for legacy web applications
The popularity of web applications, coupled with the data they operate on, makes them prime targets for miscreants that want to misuse them. To make matters worse, a lot of these applications, have not been implemented with security in mind, while refactoring an existing, large web application to implement a security or privacy policy is prohibitively difficult. This pa-per presents LabelFlow, an extension of PHP that simplifies implementation of security policies in web applications. To enforce a policy, LabelFlow tracks the propagation of information throughout the application, transpar-ently and efficiently, both in the PHP runtime and through persistent stor-age. We provide strong theoretical guarantees for the policy enforcement in LabelFlow; we define its semantics for a simple calculus and prove that it protects against information leaks. LabelFlow is applicable to real-world large scale web applications. We used LabelFlow to add and enforce access control policies in three popular web application MediaWiki, Wordpress and OpenCart with minimal execution overhead and code changes.