Table of Contents
Fetching ...

Testing Access-Control Configuration Changes for Web Applications

Chengcheng Xiang, Li Zhong, Eric Mugnier, Nathaniel Nguyen, Yuanyuan Zhou, Tianyin Xu

TL;DR

ACtests introduce a practical, automated approach to test the impact of access-control configuration changes in web applications by running production-looking programs, configurations, and data within a safe, mini, ephemeral test environment. They provide a mechanism to identify requests whose access results change after ΔC, enabling administrators to validate intended effects and uncover vulnerabilities. The approach encompasses safe data access through Copy-on-Write file systems and read-only database access, virtualized network isolation, and a novel trimming-based acceleration that preserves ACC correctness while dramatically reducing test time. Evaluation on public Docker images revealed 168 new vulnerabilities (54 confirmed, 44 fixed), and deployment in five real systems demonstrated comprehensive detection of change impacts with significant performance benefits. Overall, ACtests offer a scalable, end-to-end means to test access-control changes, enabling proactive vulnerability detection and safer configuration management in production web applications.

Abstract

Access-control misconfigurations are among the main causes of today's data breaches in web applications. However, few techniques are available to support automatic and systematic testing for access-control changes and detecting risky changes to prevent severe consequences. As a result, those critical security configurations often lack testing, or are tested manually in an ad hoc way. This paper advocates that tests should be made available for users to test access-control configuration changes. The key challenges are such tests need to be run with production environments (to reason end-to-end behavior) and need to be performance-efficient. We present a new approach to create such tests, as a mini test environment incorporating production program and data, called ACtests. ACtests report the impacts of access-control changes, namely the requests that were denied but would be allowed after a change, and vice versa. Users can validate if the changed requests are intended or not and identify potential security vulnerabilities. We evaluate ACtests with 193 public configurations of widely-used web applications on Dockerhub. ACtests detect 168 new vulnerabilities from 72 configuration images. We report them to the image maintainers: 54 of them have been confirmed and 44 have been fixed. We also conduct in-depth experiments with five real-world deployed systems, including Wikipedia and a commercial company's web proxy. Our results show that ACtests effectively and efficiently detect all the change impacts.

Testing Access-Control Configuration Changes for Web Applications

TL;DR

ACtests introduce a practical, automated approach to test the impact of access-control configuration changes in web applications by running production-looking programs, configurations, and data within a safe, mini, ephemeral test environment. They provide a mechanism to identify requests whose access results change after ΔC, enabling administrators to validate intended effects and uncover vulnerabilities. The approach encompasses safe data access through Copy-on-Write file systems and read-only database access, virtualized network isolation, and a novel trimming-based acceleration that preserves ACC correctness while dramatically reducing test time. Evaluation on public Docker images revealed 168 new vulnerabilities (54 confirmed, 44 fixed), and deployment in five real systems demonstrated comprehensive detection of change impacts with significant performance benefits. Overall, ACtests offer a scalable, end-to-end means to test access-control changes, enabling proactive vulnerability detection and safer configuration management in production web applications.

Abstract

Access-control misconfigurations are among the main causes of today's data breaches in web applications. However, few techniques are available to support automatic and systematic testing for access-control changes and detecting risky changes to prevent severe consequences. As a result, those critical security configurations often lack testing, or are tested manually in an ad hoc way. This paper advocates that tests should be made available for users to test access-control configuration changes. The key challenges are such tests need to be run with production environments (to reason end-to-end behavior) and need to be performance-efficient. We present a new approach to create such tests, as a mini test environment incorporating production program and data, called ACtests. ACtests report the impacts of access-control changes, namely the requests that were denied but would be allowed after a change, and vice versa. Users can validate if the changed requests are intended or not and identify potential security vulnerabilities. We evaluate ACtests with 193 public configurations of widely-used web applications on Dockerhub. ACtests detect 168 new vulnerabilities from 72 configuration images. We report them to the image maintainers: 54 of them have been confirmed and 44 have been fixed. We also conduct in-depth experiments with five real-world deployed systems, including Wikipedia and a commercial company's web proxy. Our results show that ACtests effectively and efficiently detect all the change impacts.
Paper Structure (35 sections, 8 figures, 5 tables, 2 algorithms)

This paper contains 35 sections, 8 figures, 5 tables, 2 algorithms.

Figures (8)

  • Figure 1: A new access-control vulnerability we detected in a widely used Docker image (10M+ downloads) linuxserver. The vulnerability has been confirmed and fixed linuxserver_report.
  • Figure 2: A new vulnerability detected by ACtests in a third-party Docker image servarr of MediaWiki mediawiki. This vulnerability has been confirmed and fixed by the image maintainer. ACtests detect that anonymous users cannot access phpunit/eval-stdin.php by default, but can access it after the change.
  • Figure 3: A new vulnerability detected by ACtests in a third-party Docker imagevulfocus of Drupal drupal. ACtests detect that anonymous users cannot access the db dump file db/light.sql.gz before but can access it after the change.
  • Figure 4: Safe data access in ACtest.
  • Figure 5: Code pattern of access-control checks (ACCs). Each request is processed by an entry handler, which first does ACCs and then calls a sub-handler to execute the requested task. Strawman trimming removes the sub-handler call completely.
  • ...and 3 more figures