Broken Access Control (BAC), ranked as the 5th most critical
vulnerability by the Open Web Application Security Project
(OWASP), is critical in web applications because of its
adverse consequence, privilege escalation, which may lead to
huge financial loss and reputation damage for the company. An
intruder of a web system can obtain unauthorized access or an
upgraded access level by exploiting a BAC vulnerability
caused by inadequate validation of user credentials,
misconfiguration leading to sensitive data disclosure, inappropriate use of
functions in the code, unmanaged exception handling,
uncontrolled redirection of web pages, etc. This paper raises
awareness of the risk posed by BAC vulnerabilities in web
applications among designers, developers, administrators, and
web owners, considering the facts and findings of this document
before hosting an application live. The experiment was conducted
on 330 web applications using a manual penetration testing method
following a double-blind testing strategy, where 39.09% of the
sites were found vulnerable to BAC. Access through redirection
settings, misconfiguration of sensitive data retrieval, and
unauthorized cookie access exploitation techniques were performed
on the sample sites across five sectors and analyzed based on the
reason for BAC, platform, domain, and operating system. Binary
logistic regression, Pearson's χ² value, odds ratios, and p-value
tests were performed to analyze correlations among the factors
of BAC. The examination also revealed that ignoring session
misconfiguration and improper input validation problems are the
critical factors for creating BAC vulnerabilities in an
application.
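Two of the BAC root causes the abstract names, trusting client-side cookies for authorization and uncontrolled redirection, shown as a weak handler beside a hardened one. This is an added illustration written for this page, not code from the paper; the session store, session ids and host allowlist are constructed sample values.

```python
from urllib.parse import urlparse

# Constructed server-side session store: opaque session id -> authenticated user record.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "admin", "role": "admin"},
}


def weak_can_view(cookies: dict, record_owner: str) -> bool:
    """Weak pattern: the role and user name are read straight from client-controlled
    cookies, so editing the 'role' cookie is enough to gain admin-level access."""
    return cookies.get("role") == "admin" or cookies.get("user") == record_owner


def hardened_can_view(cookies: dict, record_owner: str) -> bool:
    """Hardened pattern: only an opaque session id comes from the client. Identity
    and role are resolved from the server-side store, ownership is checked per
    object, and an unknown session is denied by default."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return False
    return session["role"] == "admin" or session["user"] == record_owner


def safe_redirect(target: str, allowed_hosts=("app.example.com",)) -> str:
    """Uncontrolled redirection guard: accept a same-site relative path (but not a
    protocol-relative '//host' form) or an absolute http(s) URL whose host is on
    the allowlist; anything else falls back to the site root."""
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc and target.startswith("/") and not target.startswith("//"):
        return target
    if parsed.scheme in ("http", "https") and parsed.hostname in allowed_hosts:
        return target
    return "/"
```

The weak function is kept only to make the contrast visible; a server should never derive a role from a cookie value it did not sign and issue itself.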
International Conference on Cyber Security and Computer Science
ICONCS
M. M. Hassan
M. A. Ali
T. Bhuiyan
M. H. Sharif
S. Biswas