DETECTION OF BROKEN ACCESS CONTROL VULNERABILITY USING GRAPH REPRESENTATION
| Field | Value |
|---|---|
| Format | Final Project |
| Language | Indonesia |
| Institution | Institut Teknologi Bandung |
| Online Access | https://digilib.itb.ac.id/gdl/view/82427 |
Summary:

With the advancement of information technology, various forms of security vulnerability emerge. One of the most common is broken access control, which ranks first in the 2021 OWASP Top 10 list. This vulnerability can lead to unauthorized information access, data modification, data deletion, and can allow users to perform business processes outside their permitted limits.

One method of detecting broken access control vulnerabilities is static code analysis using graph representation. Several tools perform static code analysis using graph representation, such as VGDetector and IVDetect; they generate graphs from the source code for the analysis. One graph with potential for this analysis is the control flow graph, because it represents the access control mechanism in the code better than other graphs. These static code analysis tools have fairly good performance, with a recall value of 72.00% for VGDetector and 84.60% for IVDetect. The techniques they use vary, including graph analysis to find vulnerability patterns, graph similarity calculation, graph embedding, and deep learning using graph convolutional networks. However, existing tools have some problems, such as coverage that is limited to one language or framework and a knowledge base that still relies on the tool's developer.

In this final project, a static code analysis tool using graph representation has been developed. The tool uses graph analysis and exploration techniques to detect broken access control vulnerabilities. It allows users to enter their own knowledge base so that it can be adjusted to project needs, an advantage over tools that still rely on the tool's developer for the knowledge base. Since users fill the knowledge base themselves, the tool can detect vulnerabilities across frameworks; in theory it can also detect cross-language vulnerabilities, but due to the limited time of the final project it can only detect vulnerabilities in Python code. In testing on 16 projects, the tool achieved a recall value of 100% and a precision value of 63.24%. The 100% recall and the significant number of false positives both occur because the tool assumes by default that all detected code has a broken access control vulnerability until an access control check is found.
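The detection rule the abstract describes ("vulnerable by default until an access control check is found on the path", with a user-supplied knowledge base) is easy to misread as a simple grep, so here is an added worked example that is not the final project's code and does not reproduce its tool. It uses Python's `ast` module to walk each function's statements as a small, path-sensitive control flow, forking on `if`/`else` and stopping at `return`/`raise`. The knowledge base, the function names in it (`login_required`, `check_permission`, `delete_record`, ...) and the sample source are all constructed for this example; the project's own knowledge-base format and graph construction are not known from the page. The `score` function shows why a "default vulnerable" rule yields full recall together with false positives: the fourth sample function relies on a check made by its caller, which an intraprocedural walk cannot see.

```python
import ast
from dataclasses import dataclass

# Constructed knowledge base (hypothetical names): which calls/decorators count as an
# access-control check, and which calls are sensitive operations that need one.
KNOWLEDGE_BASE = {
    "access_control_checks": {"login_required", "require_role", "check_permission"},
    "sensitive_operations": {"delete_record", "update_record"},
}

# Constructed sample module: two protected functions, one true positive, one false positive.
SAMPLE_SOURCE = '''
@login_required
def delete_post(user, post_id):
    delete_record("posts", post_id)          # protected by decorator

def update_post(user, post_id, body):
    if not check_permission(user, "edit"):
        return 403
    update_record("posts", post_id, body)    # check on every path

def purge_post(user, post_id):
    delete_record("posts", post_id)          # no check at all: true positive

def archive_post(user, post_id):
    log("archiving")
    update_record("posts", post_id, {"archived": True})  # caller checks: false positive
'''


@dataclass
class Finding:
    function: str
    line: int
    operation: str


def _call_name(node):
    """Dotted name of a call target or decorator (e.g. 'db.delete_record'), else None."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _call_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None


def _short(name):
    """Match on the last path component so 'auth.check_permission' hits 'check_permission'."""
    return name.rsplit(".", 1)[-1] if name else None


def _is_check(node, kb):
    """True if any call inside `node` is an access-control check from the knowledge base."""
    return any(isinstance(sub, ast.Call) and _short(_call_name(sub)) in kb["access_control_checks"]
               for sub in ast.walk(node))


def _explore(stmts, checked, func, kb, findings):
    """Walk one statement list along control flow. `checked` says whether a check has
    been seen on the current path. Returns True if the list can fall through to its end.
    Loops, with- and try-bodies are scanned flatly (not path-sensitive) to stay short."""
    for stmt in stmts:
        if isinstance(stmt, ast.If):
            # A check in the condition guards both branches and the fall-through.
            if _is_check(stmt.test, kb):
                checked = True
            falls_body = _explore(stmt.body, checked, func, kb, findings)
            falls_else = _explore(stmt.orelse, checked, func, kb, findings)
            if not (falls_body or falls_else):
                return False  # both branches terminate; nothing after is reachable
            continue
        if not checked:  # default assumption: unchecked sensitive call is vulnerable
            for sub in ast.walk(stmt):
                if isinstance(sub, ast.Call):
                    name = _short(_call_name(sub))
                    if name in kb["sensitive_operations"]:
                        findings.append(Finding(func, sub.lineno, name))
        if _is_check(stmt, kb):  # e.g. check_permission(user) that raises on denial
            checked = True
        if isinstance(stmt, (ast.Return, ast.Raise)):
            return False
    return True


def analyze_source(source, kb=KNOWLEDGE_BASE):
    """Report sensitive operations reachable without an access-control check."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            # A check decorator covers the whole function body.
            checked = any(_short(_call_name(d)) in kb["access_control_checks"]
                          for d in node.decorator_list)
            _explore(node.body, checked, node.name, kb, findings)
    return findings


def score(findings, ground_truth):
    """Precision and recall of findings against a set of (function, line) true positives."""
    found = {(f.function, f.line) for f in findings}
    tp = len(found & ground_truth)
    precision = tp / len(found) if found else 0.0
    recall = tp / len(ground_truth) if ground_truth else 0.0
    return precision, recall


if __name__ == "__main__":
    results = analyze_source(SAMPLE_SOURCE)
    for f in results:
        print(f"{f.function}:{f.line} unchecked {f.operation}()")
    print("precision/recall:", score(results, {("purge_post", 12)}))
```

On the constructed sample the walk flags `purge_post` (line 12) and `archive_post` (line 16), giving recall 1.0 and precision 0.5: the same shape of result the abstract reports, where every missing check is caught but checks performed outside the analysed function show up as false positives. Extending the knowledge base (for instance adding the caller-side check name or a framework-specific decorator) is the lever the abstract describes for adapting the tool to a project.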