{"title":"A conceptual model for preventing web bypass vulnerabilities","authors":"Zhiqiang Wei, Kaiyuan Shi, Dongning Jia","doi":"10.1109/EMEIT.2011.6023568","DOIUrl":null,"url":null,"abstract":"This paper provides a conceptual model for reducing bypass vulnerabilities in web applications. The typical and primary two kinds of bypass vulnerabilities are authentication and access control vulnerabilities. Authentication attacks occur when a web application authenticates users incorrectly and grants access for users without appropriate credentials. Access control attacks happen when access control check is incorrect or missing, allowing unauthorized access to privileged resources. Such attacks are getting increasingly common and have occurred in many famous web applications such as IIS and WordPress, and 14% of surveyed web sites [5]. However, currently no available tools or methods can prevent these attacks efficiently. By using Dynamic Information Flow Tracking (DIFT) techniques to track the flow of user credentials through the application's language runtime, the model presented in this paper can automatically detect when an application safely and correctly authenticates users. Then the model combines authentication information with programmer-supplied access control rules to automatically ensure that only properly authenticated users are granted access to privileged resources or data.","PeriodicalId":216097,"journal":{"name":"Proceedings of 2011 International Conference on Electronic & Mechanical Engineering and Information Technology","volume":"39 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of 2011 International Conference on Electronic & Mechanical Engineering and Information Technology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EMEIT.2011.6023568","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
This paper provides a conceptual model for reducing bypass vulnerabilities in web applications. The two typical and primary kinds of bypass vulnerabilities are authentication and access control vulnerabilities. Authentication attacks occur when a web application authenticates users incorrectly and grants access to users without appropriate credentials. Access control attacks happen when an access control check is incorrect or missing, allowing unauthorized access to privileged resources. Such attacks are becoming increasingly common and have occurred in many well-known web applications such as IIS and WordPress, and in 14% of surveyed web sites [5]. However, no currently available tools or methods can prevent these attacks efficiently. By using Dynamic Information Flow Tracking (DIFT) techniques to track the flow of user credentials through the application's language runtime, the model presented in this paper can automatically detect when an application safely and correctly authenticates users. The model then combines this authentication information with programmer-supplied access control rules to automatically ensure that only properly authenticated users are granted access to privileged resources or data.