According to security rankings such as the SANS Top 25 and the OWASP Top 10, access-control vulnerabilities are still highly relevant. Even though developers use web frameworks such as Spring and Struts, which handle the entire access-control mechanism, their implementation can still be vulnerable because of misuses, errors, or inconsistent implementation from the design specification. We propose AuthCheck, a static analysis that tracks the program’s state using a finite state machine to report illegal states caused by vulnerable implementation. We implemented AuthCheck for the Spring framework and identified four types of mistakes that developers can make when using Spring Security. With AuthCheck, we analyzed an existing open-source Spring application with inserted vulnerable code and detected the vulnerabilities.
CITATION STYLE
Piskachev, G., Petrasch, T., Späth, J., & Bodden, E. (2020). AuthCheck: Program-state analysis for access-control vulnerabilities. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 12233 LNCS, pp. 557–572). Springer. https://doi.org/10.1007/978-3-030-54997-8_34
Mendeley helps you to discover research relevant for your work.