مرکز اطلاعات علمی Scientific Information Database (SID) - Trusted Source for Research and Academic Resources
Information Journal Paper

Title

IDOT: Black-Box Detection of Access Control Violations in Web Applications

Pages

117-129

Keywords

Insecure Direct Object Reference (IDOR)

Abstract

Automatic detection of access control violations in software applications is a challenging problem. Insecure direct object reference (IDOR) is among the top-ranked vulnerabilities: it violates access control policies, yet it cannot yet be detected reliably by automated vulnerability scanners. Such tools may detect the absence of access control by static or dynamic testing, but they cannot verify that access control is functioning properly when it is present. When a tool observes a request for an object, it does not know the access control policy and so cannot infer whether that request should be permitted. Permission depends entirely on the application's access control logic, and there is no automatic way to fully and precisely recover that logic from the software's behavior. Taking this challenge into consideration, this article proposes a black-box method to detect IDOR vulnerabilities in web applications without knowledge of the access control logic. To this end, we first gather information from the web application through a semi-automatic crawling process. We then deliberately manipulate legitimate requests to construct effective attacks on the web application. Finally, we analyze the received responses to determine whether the requests are vulnerable to IDOR. The detection step in the analysis phase is supported by our set-theory-based formal model of such vulnerabilities. The proposed method has been implemented as an IDOR detection tool (IDOT) and evaluated on a couple of vulnerable web applications. Evaluation results show that the method can effectively detect IDOR vulnerabilities, provided that enough information is gathered in the crawling phase.
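The three phases the abstract describes (crawl, manipulate legitimate requests, analyze responses) can be shown end to end against a small in-process target. The following is an added example written for this page; it is not the authors' IDOT tool, and the toy invoice API, the user tokens, the invoice ownership data and the set-difference rule it uses are all constructed assumptions standing in for a real target and crawler. The rule is the one a practitioner would reach for: let O_u be the object requests user u can legitimately complete; for every other user v, replay each request in O_u minus O_v under v's session, and flag it if v receives the same resource u did.

```python
"""Black-box IDOR detection by cross-session replay.

Added example written for this page; it is not the authors' IDOT tool. The
toy application, user tokens, invoice data and the set-difference rule below
are constructed assumptions that stand in for a real target and crawler.
"""
import re
from dataclasses import dataclass

# ---- constructed black-box target: an invoice API with an optional ownership check ----
USERS = {"alice": "tok-alice", "bob": "tok-bob"}          # identity -> bearer token (constructed)
INVOICES = {101: "alice", 102: "alice", 201: "bob"}        # invoice id -> owner (constructed)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def toy_app(method: str, path: str, token: str, enforce_acl: bool) -> Response:
    """Serve GET /invoices/<id>. With enforce_acl=False the handler trusts the
    client-supplied id and never checks ownership: the classic IDOR."""
    user = next((u for u, t in USERS.items() if t == token), None)
    if user is None:
        return Response(401, "unauthenticated")
    m = re.fullmatch(r"/invoices/(\d+)", path)
    if method != "GET" or not m:
        return Response(404, "not found")
    inv = int(m.group(1))
    owner = INVOICES.get(inv)
    if owner is None:
        return Response(404, "not found")
    if enforce_acl and owner != user:
        return Response(403, "forbidden")          # hardened: object must belong to the caller
    return Response(200, f"invoice {inv} owner={owner}")


# ---- detector: crawl, manipulate, analyse ----
def crawl(send, token: str, seeds) -> dict:
    """Phase 1 (semi-automatic crawl, here seeded by hand): record every
    object request this session can legitimately complete, with its response."""
    reachable = {}
    for path in seeds:
        r = send("GET", path, token)
        if r.status == 200:
            reachable[path] = r.body
    return reachable


def find_idor(send, sessions: dict) -> list:
    """Phases 2 and 3. Let O_u be the object requests user u legitimately
    reaches. For each pair u != v, replay every request in O_u minus O_v under
    v's token (the manipulation: same object reference, different principal).
    v reaching u's object with the same content u received is an IDOR finding.
    Objects in both O_u and O_v are shared and are deliberately not tested."""
    reachable = {u: crawl(send, tok, seeds) for u, (tok, seeds) in sessions.items()}
    findings = []
    for u, o_u in reachable.items():
        for v, o_v in reachable.items():
            if u == v:
                continue
            for path in sorted(set(o_u) - set(o_v)):
                r = send("GET", path, sessions[v][0])
                # A bare 200 is not enough: many apps answer 200 with an error
                # page, so require the body the legitimate owner received.
                if r.status == 200 and r.body == o_u[path]:
                    findings.append((v, u, path))
    return sorted(findings)


# Two tester-controlled accounts; each crawl only discovers that account's own objects.
SESSIONS = {
    "alice": ("tok-alice", ["/invoices/101", "/invoices/102"]),
    "bob": ("tok-bob", ["/invoices/201"]),
}


def run(enforce_acl: bool) -> list:
    """Point the detector at the vulnerable or the hardened variant of the app."""
    return find_idor(lambda m, p, t: toy_app(m, p, t, enforce_acl), SESSIONS)


if __name__ == "__main__":
    print("vulnerable:", run(enforce_acl=False))
    print("hardened:  ", run(enforce_acl=True))
```

Against the vulnerable variant every cross-session replay succeeds and all three invoices are reported as (attacker, victim, request) triples; against the hardened variant the ownership check answers 403 and nothing is reported. Two caveats follow directly from the rule. Objects the crawl never reaches never enter any O_u, so an incomplete crawl produces false negatives, which is the abstract's "provided that enough information is gathered" condition. And comparing bodies rather than status codes is what keeps "200 OK, you are not allowed to see this" pages from being counted as findings; a real target with per-user decorations in responses needs a looser similarity measure than exact equality.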

Cite

APA:

    HADAVI, MOHAMMAD ALI, Bagherdaei, Arash, & GHASEMI, SIMIN. (2021). IDOT: Black-Box Detection of Access Control Violations in Web Applications. THE ISC INTERNATIONAL JOURNAL OF INFORMATION SECURITY, 13(2), 117-129. SID. https://sid.ir/paper/979417/en