TY  - JOUR
ID  - 132585
TI  - IDOT: Black-Box Detection of Access Control Violations in Web Applications
JO  - The ISC International Journal of Information Security
JA  - ISECURE
LA  - en
SN  - 2008-2045
AU  - Hadavi, Mohammad Ali
AU  - Bagherdaei, Arash
AU  - Ghasemi, Simin
AD  - Malek-Ashtar University of Technology
AD  - Malek-Ashtar University of Technology
AD  - Department of Computer Engineering, Payame Noor University (PNU), Iran
Y1  - 2021
PY  - 2021
VL  - 13
IS  - 2
SP  - 117
EP  - 129
KW  - Access Control
KW  - Insecure Direct Object Reference (IDOR)
KW  - parameter manipulation
KW  - Security
KW  - vulnerability
KW  - web application
DO  - 
N2  - Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among the top-ranked vulnerabilities: it violates access control policies, yet it cannot yet be detected by automated vulnerability scanners. While such tools may detect the absence of access control by static or dynamic testing, they cannot verify that access control functions correctly when it is present. When a tool detects a request for access to an object, it has no knowledge of the access control policy and so cannot infer whether the request is permitted. This depends entirely on the access control logic, and there is no automatic way to fully and precisely capture that logic from the software's behavior. Taking this challenge into consideration, this article proposes a black-box method to detect IDOR vulnerabilities in web applications without knowing the access control logic. To this end, we first gather information from the web application by a semi-automatic crawling process. Then, we carefully manipulate legitimate requests to construct effective attacks against the web application. Finally, we analyze the received responses to check whether the requests are vulnerable to IDOR. The detection process in the analysis phase is supported by our set-theory-based formal modeling of such vulnerabilities. The proposed method has been implemented as an IDOR detection tool (IDOT) and evaluated on a couple of vulnerable web applications. Evaluation results show that the method can effectively detect IDOR vulnerabilities provided that enough information is gathered in the crawling phase.
UR  - https://www.isecure-journal.com/article_132585.html
L1  - https://www.isecure-journal.com/article_132585_5183afbd2d3ae7b5e352660bde678f7c.pdf
ER  - 