Document Type : Research Article


1 Malek-Ashtar University of Technology

2 Malek-Ashtar University of Technology

3 Department of Computer Engineering, Payame Noor University (PNU), Iran


Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among the top-ranked vulnerabilities: it violates access control policies and cannot yet be detected by automated vulnerability scanners. While such tools may detect the absence of access control by static or dynamic testing, they cannot verify that it functions properly when it is present. When a tool observes a request for access to an object, it is not aware of the access control policies and so cannot infer whether the request is permitted. This depends entirely on the access control logic, and there is no automatic way to fully and precisely capture that logic from software behavior. Taking this challenge into consideration, this article proposes a black-box method to detect IDOR vulnerabilities in web applications without knowing the access control logic. To this end, we first gather information from the web application by a semi-automatic crawling process. Then, we craftily manipulate legal requests to create effective attacks on the web application. Finally, we analyze the received responses to check whether the requests are vulnerable to IDOR. The detection process in the analysis phase is supported by our set-theory-based formal modeling of such vulnerabilities. The proposed method has been implemented as an IDOR detection tool (IDOT) and evaluated on a couple of vulnerable web applications. Evaluation results show that the method can effectively detect IDOR vulnerabilities provided that enough information is gathered in the crawling phase.
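As an added example (not the paper's IDOT implementation), the three phases above run against a simulated in-memory application: crawling collects each user's set of legal object references, manipulation replays a user's own request with a reference drawn from another user's set, and analysis compares the response with that user's baseline. The ownership table, the endpoint names and the "same status as the baseline" decision rule are constructed assumptions of this example, not the paper's exact model.

```python
# Added illustration (not the paper's IDOT code): a toy in-memory "web app" whose
# /invoice endpoint forgets its ownership check, plus a black-box IDOR check that
# follows the crawl -> manipulate -> analyze pipeline. All data is constructed.

# Constructed ownership table: (endpoint, object id) -> owning user.
OWNER = {
    ("invoice", 1): "alice", ("invoice", 2): "bob",
    ("profile", 10): "alice", ("profile", 11): "bob",
}

def app(endpoint, obj_id, session_user):
    """Simulated server. /profile enforces ownership; /invoice does not (the bug)."""
    key = (endpoint, obj_id)
    if key not in OWNER:
        return 404, ""
    if endpoint == "profile" and OWNER[key] != session_user:
        return 403, ""
    return 200, f"{endpoint} {obj_id} of {OWNER[key]}"

def crawl(session_user):
    """Crawling phase (simulated): the object references a logged-in user is
    shown as links, i.e. the set R_u of references that are legal for u."""
    return {ref for ref, owner in OWNER.items() if owner == session_user}

def detect_idor(users):
    """Manipulate + analyze phases, stated with sets (an assumption of this
    example, not the paper's exact model):
      F_u = (union of R_v for v != u) \\ R_u      # references u never saw
    For each (ep, oid) in F_u, replay u's own legal request to ep with oid
    swapped in. If the status matches u's baseline (200) for that endpoint,
    the endpoint served another user's object and is flagged."""
    refs = {u: crawl(u) for u in users}
    findings = set()
    for u in users:
        baseline = {ep: app(ep, oid, u)[0] for ep, oid in refs[u]}
        foreign = set().union(*(refs[v] for v in users if v != u)) - refs[u]
        for ep, oid in sorted(foreign):
            status, _body = app(ep, oid, u)
            if baseline.get(ep) == 200 and status == 200:
                findings.add((ep, oid, u))
    return findings

if __name__ == "__main__":
    for ep, oid, u in sorted(detect_idor(["alice", "bob"])):
        print(f"IDOR: user {u} retrieved /{ep}/{oid} that is not theirs")
```

The /profile endpoint is never flagged because its 403 differs from the 200 baseline, which is exactly the "enough information gathered in the crawling phase" condition: without a legal baseline request for an endpoint, the analysis has nothing to compare against.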

