Explore a novel class of access control vulnerabilities in GUI-based applications called GEMs (GUI element misuse) in this 55-minute Black Hat conference talk. Dive into the classification of different GEMs arising from misuse of widget attributes, and learn about a general algorithm for identifying and confirming their presence in vulnerable applications. Discover GEM Miner, an implementation of GEM analysis for the Windows platform, and see its effectiveness demonstrated through real-world examples of previously unknown access control vulnerabilities in small business and enterprise applications. Gain insights into how common visual elements in graphical user interfaces can be exploited, and understand the importance of proper access control implementation beyond visual cues.