Overview
Explore a novel technique for automatically detecting missing and inconsistent authorization checks in web applications through static analysis. Learn about the challenges of implementing proper access control policies and the impact of gaps in their enforcement. Discover different methods for specifying access control requirements in web applications, including configuration-based and annotation-based approaches. Gain insight into the speaker's approach to static detection of missing checks and to suggesting remediations. Examine empirical results from applying this technique to real-world applications, and understand the authorization mistakes developers commonly make. Delve into the importance of robust access control in modern software systems and the potential consequences of privilege escalation vulnerabilities.
Syllabus
Introduction
Title
About Divya
Outline of the talk
Difference between code-level bugs and design flaws
What is a design flaw
What is a code flaw
Web application example
Static analysis
Design review
Design flaws
Current approaches
Three-step approach
Creating the specification
Examples
Apache Shiro
Work Specification
Suggest Remediation
Summary
Real-world examples
The most critical level
Next steps
Taught by
OWASP Foundation