|
|
| (13 intermediate revisions by 2 users not shown) |
| Line 1: |
Line 1: |
| | + | ---- |
| | {| style="width:100%" border="0" align="center" | | {| style="width:100%" border="0" align="center" |
| | ! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT IDENTIFICATION''' | | ! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT IDENTIFICATION''' |
| Line 6: |
Line 7: |
| | |- | | |- |
| | | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description''' | | | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description''' |
| − | | colspan="6" style="width:85%; background:#cccccc" align="left"|I believe that web application business logic vulnerabilities will be under increasing attention in near future. Although input validation vulnerabilities (XSS, SQLI) are in overwhelming majority nowadays, many automated approaches have emerged that deal with them. On the contrary, there are no known approaches (and methodologies for security experts) to classify or even detect business logic vulnerabilities. Besides, business logic flaws usually expose web application to great risks (according to OWASP Testing Guide). The proposal is to make an attempt to create a systematic approach that addresses business logic vulnerabilities. To begin with, access control flaws are surveyed. | + | | colspan="7" style="width:85%; background:#cccccc" align="left"| Often web applications contain sensitive data and provide functionality which should be protected from unauthorized access. Explicit access control policies can be leveraged for validating the access control, but, unfortunately, these policies are rarely defined in case of web applications. It is known that access control flaws in web applications may be revealed with black-box analysis, but the existing “differential analysis” approach has certain limitations. We believe that taking the state of the web application into account could help to overcome the limitations of exiting approach. |
| | + | This project proposes a novel approach to black-box web application testing, which utilizes a use-case graph. The graph contains classes of actions within the web application and their dependencies. By traversing the graph and applying differential analysis at each step of the traversal, it is possible to improve the accuracy of the method. This idea was implemented in the tool AcCoRuTe (Access Control Rules Tester). |
| | |- | | |- |
| | | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information''' | | | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information''' |
| | | style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Petand|'''Andrew Petukhov''']] | | | style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Petand|'''Andrew Petukhov''']] |
| − | | style="width:15%; background:#cccccc" align="center"|Project Contributors<br>(if applicable) | + | | style="width:15%; background:#cccccc" align="center"|Project Contributors<br>George Noseevich |
| | | style="width:10%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp-access-control-rules-tester-project '''Subscribe here''']<br>[mailto: [email protected] '''Use here'''] | | | style="width:10%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp-access-control-rules-tester-project '''Subscribe here''']<br>[mailto: [email protected] '''Use here'''] |
| − | | style="width:17%; background:#cccccc" align="center"|License<br>[http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0'''] | + | | style="width:17%; background:#cccccc" align="center"|License<br>[http://www.gnu.org/licenses/old-licenses/gpl-2.0.html '''GNU General Public License v2'''] |
| | | style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Beta_Status_Projects|'''Tool''']] | | | style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Beta_Status_Projects|'''Tool''']] |
| | | style="width:15%; background:#cccccc" align="center"|Sponsors<br>[[OWASP Summer of Code 2008|'''OWASP SoC 08''']] | | | style="width:15%; background:#cccccc" align="center"|Sponsors<br>[[OWASP Summer of Code 2008|'''OWASP SoC 08''']] |
| | |} | | |} |
| | | | |
| − | | + | {| style="width:100%" border="0" align="center" |
| − | | + | ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status''' |
| − | | + | ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links''' |
| − | {| style="width:100%" border="0" align="center" | + | ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Projects''' |
| − | ! colspan="6" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT MAIN LINKS''' | |
| − | |-
| |
| − | | style="width:100%; background:#cccccc" align="center"|
| |
| − | * What are business logic vulnerabilities? An attempt to define their scope: http://accorute.googlecode.com/files/BusinessLogicVulnerabilities.pdf
| |
| − | * AcCoRuTe approach described http://accorute.googlecode.com/files/AcCoRuTe.pdf
| |
| − | * Google Code Project page: http://code.google.com/p/accorute/
| |
| − | * AcCoRuTe version 1.0.0 binaries: http://accorute.googlecode.com/files/AcCoRuTe-1.0.0.zip
| |
| − | * AcCoRuTe User Guide http://accorute.googlecode.com/files/AcCoRuTe-1.0.0-userguide.pdf
| |
| − | * Presentation from OWASP EU Summit 2008 http://accorute.googlecode.com/files/OWASP_EU_Summit_2008_AcCoRuTe.ppt
| |
| − | |}
| |
| − | {| style="width:100%" border="0" align="center"
| |
| − | ! colspan="6" align="center" style="background:#4058A0; color:white"|<font color="white">'''SPONSORS & GUIDELINES''' | |
| − | |- | |
| − | | style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| |
| − | | style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#P022 - OWASP Access Control Rules Tester|'''Sponsored Project/Guidelines/Roadmap''']]
| |
| − | |}
| |
| − | {| style="width:100%" border="0" align="center"
| |
| − | ! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
| |
| | |- | | |- |
| − | | style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer''' | + | | style="width:29%; background:#cccccc" align="center"| |
| − | | style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation'''<br>(applicable for Alpha Quality & further)
| + | '''[[:Category:OWASP_Project_Assessment#Beta_Quality_Tool_Criteria|Beta Quality]]'''<br>[[:Access Control Rules Tester Project - Assessment Frame|Please see here for complete information.]] |
| − | | style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer'''<br>(applicable for Alpha Quality & further)
| + | | style="width:42%; background:#cccccc" align="center"| |
| − | | style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer'''<br>(applicable for Beta Quality & further)
| + | Version 1.1 |
| − | | style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member'''<br>(applicable just for Release Quality)
| + | ---------------------------------------- |
| − | |-
| + | [http://accorute.googlecode.com/files/syssec2011-slides.pdf PPT Presentation from the 1st SysSec Workshop (an updated method presented)]<br> |
| − | | style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| + | [http://accorute.googlecode.com/files/syssec2011-slides.pdf A paper from the 1st SysSec Workshop with an updated method described]<br> |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>The project undergoes 100% review straight away
| + | [http://code.google.com/p/accorute/source/checkout A new codebase can be checked out here]<br> |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>[[Project Information:template Access Control Rules Tester Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>The project undergoes 100% review straight away | |
| − | | style="width:22%; background:#C2C2C2" align="center"|X
| |
| − | |-
| |
| − | | style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>Which status has been reached?<br>'''Beta Quality''' <br>---------<br>[[Project Information:template Access Control Rules Tester Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Season of Code''' - (To update)<br>---------<br>[[Project Information:template Access Control Rules Tester Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>Which status has been reached?<br>'''Beta Quality'''<br>---------<br>[[Project Information:template Access Control Rules Tester Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| |
| − | | style="width:22%; background:#C2C2C2" align="center"|X
| |
| − | |-
| |
| − | |}
| |
| − | | |
| − | | |
| − | | |
| − | | |
| | | | |
| − | {| style="width:100%" border="0" align="center"
| + | Version 1.0 |
| − | ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT IDENTIFICATION'''
| + | ---------------------------------------- |
| − | |-
| + | [http://accorute.googlecode.com/files/OWASP_EU_Summit_2008_AcCoRuTe.ppt PPT Presentation from OWASP EU Summmit 2009]<br>[http://accorute.googlecode.com/files/BusinessLogicVulnerabilities.pdf What are business logic vulnerabilities? - An attempt to define their scope]<br>[http://accorute.googlecode.com/files/AcCoRuTe.pdf AcCoRuTe approach described]<br>[http://code.google.com/p/accorute/ Google Code Project page]<br>[http://accorute.googlecode.com/files/AcCoRuTe-1.0.0.zip AcCoRuTe version 1.0.0 binaries]<br>[http://accorute.googlecode.com/files/AcCoRuTe-1.0.0-userguide.pdf AcCoRuTe User Guide] |
| − | | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| + | | style="width:29%; background:#cccccc" align="center"| |
| − | | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Access Control Rules Tester Project'''
| + | If any, add link here |
| − | |-
| |
| − | | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| |
| − | | colspan="6" style="width:85%; background:#cccccc" align="left"|I believe that web application business logic vulnerabilities will be under increasing attention in near future. Although input validation vulnerabilities (XSS, SQLI) are in overwhelming majority nowadays, many automated approaches have emerged that deal with them. On the contrary, there are no known approaches (and methodologies for security experts) to classify or even detect business logic vulnerabilities. Besides, business logic flaws usually expose web application to great risks (according to OWASP Testing Guide). The proposal is to make an attempt to create a systematic approach that addresses business logic vulnerabilities. To begin with, access control flaws are surveyed.
| |
| − | |-
| |
| − | | style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| |
| − | | style="width:14%; background:#cccccc" align="center"|Project Leader<br>[mailto:petand(at)lvk.cs.msu.su '''Andrew Petukhov''']
| |
| − | | style="width:14%; background:#cccccc" align="center"|Project Contributors<br>(if applicable)<br>[mailto:to(at)change '''Name&Email''']
| |
| − | | style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-access-control-rules-tester-project '''Mailing List/Subscribe''']<br>
| |
| − | | |
| − | | style="width:14%; background:#cccccc" align="center"|First Reviewer<br>[mailto:santon(at)owasp.org '''Steve Antoniewicz''']
| |
| − | | style="width:14%; background:#cccccc" align="center"|Second Reviewer<br>[mailto:mg_chen(at)yahoo.com '''Min Chen''']<br>[http://www.linkedin.com/in/mgchen Profile]
| |
| − | | style="width:15%; background:#cccccc" align="center"|OWASP Board Member<br>(if applicable)<br>[mailto:name(at)name '''Name&Email''']
| |
| − | |}
| |
| − | {| style="width:100%" border="0" align="center"
| |
| − | ! colspan="6" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT MAIN LINKS'''
| |
| − | |-
| |
| − | | style="width:100%; background:#cccccc" align="center"|
| |
| − | * What are business logic vulnerabilities? An attempt to define their scope: http://accorute.googlecode.com/files/BusinessLogicVulnerabilities.pdf
| |
| − | * AcCoRuTe approach described http://accorute.googlecode.com/files/AcCoRuTe.pdf
| |
| − | * Google Code Project page: http://code.google.com/p/accorute/
| |
| − | * AcCoRuTe version 1.0.0 binaries: http://accorute.googlecode.com/files/AcCoRuTe-1.0.0.zip
| |
| − | * AcCoRuTe User Guide http://accorute.googlecode.com/files/AcCoRuTe-1.0.0-userguide.pdf
| |
| − | * Presentation from OWASP EU Summit 2008 http://accorute.googlecode.com/files/OWASP_EU_Summit_2008_AcCoRuTe.ppt
| |
| − | |}
| |
| − | {| style="width:100%" border="0" align="center"
| |
| − | ! colspan="6" align="center" style="background:#4058A0; color:white"|<font color="white">'''SPONSORS & GUIDELINES'''
| |
| − | |-
| |
| − | | style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| |
| − | | style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#P022 - OWASP Access Control Rules Tester|'''Sponsored Project/Guidelines/Roadmap''']] | |
| − | |}
| |
| − | {| style="width:100%" border="0" align="center"
| |
| − | ! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
| |
| − | |-
| |
| − | | style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| |
| − | | style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation'''<br>(applicable for Alpha Quality & further)
| |
| − | | style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer'''<br>(applicable for Alpha Quality & further)
| |
| − | | style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer'''<br>(applicable for Beta Quality & further)
| |
| − | | style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member'''<br>(applicable just for Release Quality)
| |
| − | |-
| |
| − | | style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>The project undergoes 100% review straight away
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>[[Project Information:template Access Control Rules Tester Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>The project undergoes 100% review straight away
| |
| − | | style="width:22%; background:#C2C2C2" align="center"|X
| |
| − | |-
| |
| − | | style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>Which status has been reached?<br>'''Beta Quality''' <br>---------<br>[[Project Information:template Access Control Rules Tester Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Season of Code''' - (To update)<br>---------<br>[[Project Information:template Access Control Rules Tester Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| |
| − | | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes''' <br>---------<br>Which status has been reached?<br>'''Beta Quality'''<br>---------<br>[[Project Information:template Access Control Rules Tester Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| |
| − | | style="width:22%; background:#C2C2C2" align="center"|X
| |
| − | |-
| |
| | |} | | |} |
| | + | ---- |
