Toward Exploiting Access Control Vulnerabilities within MongoDB Backend Web Applications

Access control is an extremely important and error-prone part of web application development. The emergence of NoSQL databases and the flexible data models they bring imposes new challenges on implementing access control within web applications. This paper presents Scout, a novel methodology for discovering access control vulnerabilities in existing web applications that (1) accounts for the features of NoSQL databases and (2) requires neither application source code nor server-side session information from the developers. The paper implements a prototype of Scout that targets MongoDB backend web applications. By automatically discovering the protocol layer in the web application stack, Scout builds a data access operation model that precisely represents the MongoDB actions performed by the web application, and infers the access control policies from it. The prototype is shown to identify a comprehensive set of access control vulnerabilities in MongoDB backend web applications and to generate detailed reports that help developers manually fix the identified vulnerabilities.
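The following Python sketch is an added illustration of the general idea behind a data access operation model and policy inference; it is not the Scout prototype or any code from the paper. It assumes a simplified, constructed trace format: each record pairs the authenticated user of the HTTP session that triggered a request with the MongoDB operation (action, collection, flat equality filter) observed on the wire. Policies are inferred per (action, collection) as the filter fields that are always bound to the requesting user's identity; an operation is then flagged when it omits such a field, binds it to another user, or binds it to an operator document (for example `{"$ne": ""}`) rather than an identity. The field names, collections and users are all made up for the example.

```python
"""Illustrative inference of per-collection access control constraints from
observed MongoDB operations, and a check of new operations against them.
Not the Scout prototype; constructed sample traces only."""
from dataclasses import dataclass, field


@dataclass
class DataAccessOp:
    user: str            # authenticated user of the session that issued the request
    action: str          # MongoDB action: find / update / delete / insert
    collection: str      # target collection
    filter: dict = field(default_factory=dict)  # simplified flat query document


# Constructed baseline: requests from known users and the operations they produced.
BASELINE = [
    DataAccessOp("alice", "find", "orders", {"owner": "alice"}),
    DataAccessOp("alice", "find", "orders", {"owner": "alice", "_id": "o1"}),
    DataAccessOp("bob", "find", "orders", {"owner": "bob"}),
    DataAccessOp("bob", "update", "orders", {"owner": "bob", "_id": "o3"}),
    DataAccessOp("alice", "find", "products", {"category": "books"}),
    DataAccessOp("bob", "find", "products", {}),
]

# Constructed operations to audit: ownership tampering, a missing ownership
# constraint, an operator document in place of an identity, and a benign query.
SUSPICIOUS = [
    DataAccessOp("alice", "find", "orders", {"owner": "bob", "_id": "o3"}),
    DataAccessOp("alice", "update", "orders", {"_id": "o1"}),
    DataAccessOp("alice", "find", "orders", {"owner": {"$ne": ""}}),
    DataAccessOp("alice", "find", "products", {"category": "toys"}),
]


def infer_policies(ops):
    """For each (action, collection), keep the filter fields whose value equals
    the requesting user in every observed operation. Those fields are the
    inferred ownership constraint; an empty set means the operation looked
    public in the baseline."""
    policies = {}
    for op in ops:
        key = (op.action, op.collection)
        bound = {f for f, v in op.filter.items() if v == op.user}
        policies[key] = bound if key not in policies else policies[key] & bound
    return policies


def check_operation(policies, op):
    """Return human-readable findings for one operation against the policies."""
    key = (op.action, op.collection)
    if key not in policies:
        return [f"{key}: operation not seen in baseline (user {op.user})"]
    findings = []
    for f in policies[key]:
        if f not in op.filter:
            findings.append(f"{key}: filter lacks ownership field {f!r} (user {op.user})")
        elif op.filter[f] != op.user:
            # Covers both another user's id and operator documents such as {"$ne": ""}.
            findings.append(f"{key}: ownership field {f!r}={op.filter[f]!r} does not match user {op.user}")
    return findings


def audit(baseline, observed):
    """Infer policies from the baseline and check each observed operation."""
    policies = infer_policies(baseline)
    return {i: check_operation(policies, op) for i, op in enumerate(observed)}


if __name__ == "__main__":
    for i, findings in audit(BASELINE, SUSPICIOUS).items():
        print(i, findings or "ok")
```

The baseline only establishes fields that were consistently tied to the session user, so a collection that was queried without any such field (here `products`) is treated as public; in practice that inference has to be confirmed before reporting, since an application that never filtered by owner in the captured traffic may simply have been observed too little.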
