This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Project Information:template Access Control Rules Tester Project"

From OWASP

Jump to: navigation, search

Latest revision as of 15:31, 25 July 2011

PROJECT IDENTIFICATION
Project Name	OWASP Access Control Rules Tester Project
Short Project Description	Often web applications contain sensitive data and provide functionality which should be protected from unauthorized access. Explicit access control policies can be leveraged for validating the access control, but, unfortunately, these policies are rarely defined in case of web applications. It is known that access control flaws in web applications may be revealed with black-box analysis, but the existing “differential analysis” approach has certain limitations. We believe that taking the state of the web application into account could help to overcome the limitations of exiting approach. This project proposes a novel approach to black-box web application testing, which utilizes a use-case graph. The graph contains classes of actions within the web application and their dependencies. By traversing the graph and applying differential analysis at each step of the traversal, it is possible to improve the accuracy of the method. This idea was implemented in the tool AcCoRuTe (Access Control Rules Tester).
Key Project Information	Project Leader Andrew Petukhov	Project Contributors George Noseevich	Mailing List Subscribe here Use here	License GNU General Public License v2	Project Type Tool	Sponsors OWASP SoC 08

Release Status	Main Links	Related Projects
Beta Quality Please see here for complete information.	Version 1.1 PPT Presentation from the 1st SysSec Workshop (an updated method presented) A paper from the 1st SysSec Workshop with an updated method described A new codebase can be checked out here Version 1.0 PPT Presentation from OWASP EU Summmit 2009 What are business logic vulnerabilities? - An attempt to define their scope AcCoRuTe approach described Google Code Project page AcCoRuTe version 1.0.0 binaries AcCoRuTe User Guide	If any, add link here

Release Status

Main Links

Related Projects

Beta Quality
Please see here for complete information.

Version 1.1

PPT Presentation from the 1st SysSec Workshop (an updated method presented)
A paper from the 1st SysSec Workshop with an updated method described
A new codebase can be checked out here

Version 1.0

PPT Presentation from OWASP EU Summmit 2009
What are business logic vulnerabilities? - An attempt to define their scope
AcCoRuTe approach described
Google Code Project page
AcCoRuTe version 1.0.0 binaries
AcCoRuTe User Guide

If any, add link here

Retrieved from "https://wiki.owasp.org/index.php?title=Project_Information:template_Access_Control_Rules_Tester_Project&oldid=114555"

@@ Line 7: / Line 7: @@
   |-
   | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
-  | colspan="6" style="width:85%; background:#cccccc" align="left"|I believe that web application business logic vulnerabilities will be under increasing attention in near future. Although input validation vulnerabilities (XSS, SQLI) are in overwhelming majority nowadays, many automated approaches have emerged that deal with them. On the contrary, there are no known approaches (and methodologies for security experts) to classify or even detect business logic vulnerabilities. Besides, business logic flaws usually expose web application to great risks (according to OWASP Testing Guide). The proposal is to make an attempt to create a systematic approach that addresses business logic vulnerabilities. To begin with, access control flaws are surveyed.
+  | colspan="7" style="width:85%; background:#cccccc" align="left"| Often web applications contain sensitive data and provide functionality which should be protected from unauthorized access. Explicit access control policies can be leveraged for validating the access control, but, unfortunately, these policies are rarely defined in case of web applications. It is known that access control flaws in web applications may be revealed with black-box analysis, but the existing “differential analysis” approach has certain limitations. We believe that taking the state of the web application into account could help to overcome the limitations of exiting approach.
+This project proposes a novel approach to black-box web application testing, which utilizes a use-case graph. The graph contains classes of actions within the web application and their dependencies. By traversing the graph and applying differential analysis at each step of the traversal, it is possible to improve the accuracy of the method. This idea was implemented in the tool AcCoRuTe (Access Control Rules Tester).
   |-
   | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
   | style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Petand|'''Andrew Petukhov''']]
-  | style="width:15%; background:#cccccc" align="center"|Project Contributors<br>(if applicable)
+  | style="width:15%; background:#cccccc" align="center"|Project Contributors<br>George Noseevich
   | style="width:10%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp-access-control-rules-tester-project '''Subscribe here''']<br>[mailto:[email protected] '''Use here''']
   | style="width:17%; background:#cccccc" align="center"|License<br>[http://www.gnu.org/licenses/old-licenses/gpl-2.0.html '''GNU General Public License v2''']
@@ Line 24: / Line 25: @@
   |-
   | style="width:29%; background:#cccccc" align="center"|
-Provisory '''[[:Category:OWASP_Project_Assessment#Beta_Quality_Tool_Criteria|Beta Quality]]'''<br>(Waiting for First Review)<br>[[:Access Control Rules Tester Project - Assessment Frame|Please see here for complete information.]]
+'''[[:Category:OWASP_Project_Assessment#Beta_Quality_Tool_Criteria|Beta Quality]]'''<br>[[:Access Control Rules Tester Project - Assessment Frame|Please see here for complete information.]]
   | style="width:42%; background:#cccccc" align="center"|
-[http://accorute.googlecode.com/files/OWASP_EU_Summit_2008_AcCoRuTe.ppt PPT Presentation]<br>[http://accorute.googlecode.com/files/BusinessLogicVulnerabilities.pdf What are business logic vulnerabilities? - An attempt to define their scope]<br>[http://accorute.googlecode.com/files/AcCoRuTe.pdf AcCoRuTe approach described]<br>[http://code.google.com/p/accorute/ Google Code Project page]<br>[http://accorute.googlecode.com/files/AcCoRuTe-1.0.0.zip AcCoRuTe version 1.0.0 binaries]<br>[http://accorute.googlecode.com/files/AcCoRuTe-1.0.0-userguide.pdf AcCoRuTe User Guide]
+Version 1.1
+----------------------------------------
+[http://accorute.googlecode.com/files/syssec2011-slides.pdf PPT Presentation from the 1st SysSec Workshop (an updated method presented)]<br>
+[http://accorute.googlecode.com/files/syssec2011-slides.pdf A paper from the 1st SysSec Workshop with an updated method described]<br>
+[http://code.google.com/p/accorute/source/checkout A new codebase can be checked out here]<br>
+Version 1.0
+----------------------------------------
+[http://accorute.googlecode.com/files/OWASP_EU_Summit_2008_AcCoRuTe.ppt PPT Presentation from OWASP EU Summmit 2009]<br>[http://accorute.googlecode.com/files/BusinessLogicVulnerabilities.pdf What are business logic vulnerabilities? - An attempt to define their scope]<br>[http://accorute.googlecode.com/files/AcCoRuTe.pdf AcCoRuTe approach described]<br>[http://code.google.com/p/accorute/ Google Code Project page]<br>[http://accorute.googlecode.com/files/AcCoRuTe-1.0.0.zip AcCoRuTe version 1.0.0 binaries]<br>[http://accorute.googlecode.com/files/AcCoRuTe-1.0.0-userguide.pdf AcCoRuTe User Guide]
   | style="width:29%; background:#cccccc" align="center"|
 If any, add link here
   |}
 ----

Difference between revisions of "Project Information:template Access Control Rules Tester Project"

Latest revision as of 15:31, 25 July 2011

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools