Gaps in the enforcement of access control policy of a software system can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. We describe a novel technique to automatically detect missing and inconsistent authorization checks in web applications with static analysis and conclude with empirical results of using our approach on real-world applications.
The concept of granting different users different privileges dates back to early software systems. Gaps in the enforcement of access control policies can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. As software becomes more ubiquitous and is used for tasks ranging from shopping to scheduling doctor’s appointments, providing bulletproof access control remains an imperative.
Correct placement of authorization checks is a non-trivial task for developers that requires intimate knowledge of the system, its users, and their roles. These challenges are evidenced by the fact that missing authorization checks—like the one that allowed Bloomberg News to leak NetApp's earnings results in 2010—are still among the most widespread and impactful vulnerabilities. Manually weeding out access control violations is cumbersome and requires a lot of expertise. Existing automated techniques are also inadequate: they either require substantial human intervention or are effective only on very targeted code bases, such as operating systems.
This talk focuses on ensuring well-placed authorization checks in web applications. We discuss different ways access control requirements are specified in web applications, including configuration- and annotation-based approaches. Next, we describe a novel technique to automatically detect missing and inconsistent authorization checks. Our approach lets us detect missing checks statically rather than at runtime and lets us provide remediation suggestions, so developers can fix code before it reaches production.
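To make the idea of a static check concrete, here is an added toy illustration (not the authors' tool or code) that parses a constructed Flask-style module with Python's `ast` and flags route handlers that lack an annotation-based role check, or whose role differs from sibling handlers under the same path prefix. The decorator names `app.route` and `requires_role`, the `PUBLIC_PREFIXES` policy, and prefix-based grouping are assumptions made for this example.

```python
import ast
from collections import defaultdict

# Constructed sample module (not real application code). Decorator names are assumed.
SAMPLE_SOURCE = '''
@app.route("/admin/users")
@requires_role("admin")
def list_users(): ...

@app.route("/admin/users/delete")
def delete_user(): ...            # no role check at all: a missing check

@app.route("/reports/export")
@requires_role("admin")
def export_report(): ...

@app.route("/reports/view")
@requires_role("user")            # differs from its sibling: an inconsistent check
def view_report(): ...

@app.route("/public/health")
def health(): ...                 # declared public by policy, so no check expected
'''

# Assumed policy: routes under these prefixes are intentionally unauthenticated.
PUBLIC_PREFIXES = ("/public/",)


def _route_and_role(func):
    """Extract the URL from @app.route(...) and the role from @requires_role(...)."""
    route, role = None, None
    for d in func.decorator_list:
        if not isinstance(d, ast.Call) or not d.args:
            continue
        if isinstance(d.func, ast.Attribute) and d.func.attr == "route":
            route = d.args[0].value
        elif isinstance(d.func, ast.Name) and d.func.id == "requires_role":
            role = d.args[0].value
    return route, role


def audit(source):
    """Return (missing, inconsistent): handlers with no role check, and
    path prefixes whose annotated handlers disagree on the required role."""
    roles_by_prefix = defaultdict(dict)
    missing = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        route, role = _route_and_role(node)
        if route is None:
            continue  # not a request handler
        prefix = "/" + route.strip("/").split("/")[0] + "/"
        if role is None and not route.startswith(PUBLIC_PREFIXES):
            missing.append((node.name, route))
        if role is not None:
            roles_by_prefix[prefix][node.name] = role
    inconsistent = {p: r for p, r in roles_by_prefix.items() if len(set(r.values())) > 1}
    return missing, inconsistent
```

Running `audit(SAMPLE_SOURCE)` reports `delete_user` as missing a check and `/reports/` as a prefix with inconsistent roles; a real analyzer would additionally resolve configuration-based rules and interprocedural checks rather than rely on decorators alone.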
We conclude with empirical results of our successful application of this approach to a number of real-world web applications. We discuss the classes of issues we found and review specific examples to shed light on the kinds of authorization mistakes developers are making today.