/static/assets/36.png

Finding security bugs in web applications using a catalog of access control patterns

Joseph P. Near
2016
0
Downloads
219
Views
0
Upvotes
Cite this Paper
0
Downloads
219
Views
0
Upvotes

Description

We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on Github, Space reported 33 possible bugs---23 previously unknown security bugs, and 10 false positives.
Terms of use

Comments