Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
CCS
2015
ACM
2015
ACM
FlowWatcher: Defending against Data Disclosure Vulnerabilities in Web Applications
Bugs in the authorisation logic of web applications can expose the data of one user to another. Such data disclosure vulnerabilities are common—they can be caused by a single omitted access control check in the application. We make the observation that, while the implementation of the authorisation logic is complex and therefore error-prone, most web applications only use simple access control models, in which each piece of data is accessible by a user or a group of users. This makes it possible to validate the correct operation of the authorisation logic externally, based on the observed data in HTTP traffic to and from an application. We describe FlowWatcher, an HTTP proxy that mitigates data disclosure vulnerabilities in unmodified web applications. FlowWatcher monitors HTTP traffic and shadows part of an application’s access control state based on a rule-based specification of the user-data-access (UDA) policy. The UDA policy states the intended data ownership and how it c...
Real-time Traffic| Added | 17 Apr 2016 |
| Updated | 17 Apr 2016 |
| Type | Journal |
| Year | 2015 |
| Where | CCS |
| Authors | Divya Muthukumaran, Dan O'Keeffe, Christian Priebe, David M. Eyers, Brian Shand, Peter R. Pietzuch |
Comments (0)
Researcher Info
|
