Toward Exploiting Access Control Vulnerabilities within MongoDB Backend Web Applications

“…They implemented their solution through two components sensor and analyzer, the sensor collects traffic such as SQL quires its responses along with session variables and communicates with the analyzer, while the analyzer performs offline training by extracting SQL signatures and infers the set of invariants associated with signatures, In runtime, the analyzer evaluates incoming SQL queries and directs the sensor to block any violating queries, SENTINAL overcomes some of the limitations in BLOCK since it takes in consideration the persistent state in the database, additionally its visibility on SQL queries provides more capability in blocking attacks targeted database integrity. SENTINAL limitations include that the solution does not take into consideration NoSQL [36] database backend web applications and can only be applied to the traditional flat relational data model, moreover, it can only address traditional SQL queries that have the same patterns in different languages [37], moreover, can only be applied to specific web development languages and platforms, another limitation from the performance point of view that it introduces performance overhead in SQL response time because of the communication overhead between sensor and analyzer and the analysis time during which analyzer extracts SQL signature and evaluates the query, SENTINAL provides a slight enhancement on false positive rate comparing to BLOCK but still requires some additional techniques to  ISSN: 2088-8708 suppress false positives. SENTINAL as well by design considers all unvisited paths or recorded invariants as attacks that also contribute to raising false positive rates, nevertheless, any change in the application structure or data layer will make the learned invariants invalid and require a new round of learning to avoid false positives and incorrect application wide blockage state.…”

Survey on detecting and preventing web application broken access control attacks

“…They implemented their solution through two components sensor and analyzer, the sensor collects traffic such as SQL quires its responses along with session variables and communicates with the analyzer, while the analyzer performs offline training by extracting SQL signatures and infers the set of invariants associated with signatures, In runtime, the analyzer evaluates incoming SQL queries and directs the sensor to block any violating queries, SENTINAL overcomes some of the limitations in BLOCK since it takes in consideration the persistent state in the database, additionally its visibility on SQL queries provides more capability in blocking attacks targeted database integrity. SENTINAL limitations include that the solution does not take into consideration NoSQL [36] database backend web applications and can only be applied to the traditional flat relational data model, moreover, it can only address traditional SQL queries that have the same patterns in different languages [37], moreover, can only be applied to specific web development languages and platforms, another limitation from the performance point of view that it introduces performance overhead in SQL response time because of the communication overhead between sensor and analyzer and the analysis time during which analyzer extracts SQL signature and evaluates the query, SENTINAL provides a slight enhancement on false positive rate comparing to BLOCK but still requires some additional techniques to  ISSN: 2088-8708 suppress false positives. SENTINAL as well by design considers all unvisited paths or recorded invariants as attacks that also contribute to raising false positive rates, nevertheless, any change in the application structure or data layer will make the learned invariants invalid and require a new round of learning to avoid false positives and incorrect application wide blockage state.…”

Survey on detecting and preventing web application broken access control attacks

“…Because of improper authentication and authorization of web users, AL vulnerability allows attackers to access confidential web pages and perform unauthorized operations in the application. Currently, the most popular application logic vulnerabilities include parameter manipulation [66], weak access control [15,98], workflow bypass [62] and workflow violation [129].…”

“…Awang et al [18] proposed an automated framework to first generate test cases of a web application by using SQLi attack patterns and permutation algorithms and then analyze the test results to detect the SQLi vulnerability. [15,98] extracted access-control constraints from models built based on execution traces and then generated test cases to test constraint violations.…”

“…[68] applied VCPM approach, it first performs static analysis to build sitemaps for different roles from CFG and then directly accesses privileged pages from unprivileged roles to detect missing or insufficient access checks. The approaches in [15,98] combine VCPM and GACP, which start with a dynamic analysis to identify database access operations that are allowed for each role and user and then generate test cases to verify whether a role or a user can perform a privilege escalation attack. Both tools in [15] and [98] reported low FPRs, but did not report FNRs.…”

“…The approaches in [15,98] combine VCPM and GACP, which start with a dynamic analysis to identify database access operations that are allowed for each role and user and then generate test cases to verify whether a role or a user can perform a privilege escalation attack. Both tools in [15] and [98] reported low FPRs, but did not report FNRs. • Session fixation.…”

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

VRS-DB: Computation Exploration on Encrypted Database