WebApp Sec mailing list archives

Mapping an application - Access control testing - Helper tool


From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Sat, 11 Feb 2012 11:53:10 +0530

Hi All,
Here is a very small tool that I recently wrote. This helps you when
you're mapping an application out and want a list of all the
combinations of access control that you want to check. So for example:
There are 5 menus that are accessible only to an Admin level user and
4 other types of users (A,B,C and D). Now you'd want to check if any
of these 4 users have unauthorized access to these menus. You'd repeat
this exercise for each menu and each user level. This will result in a
huge number of menus that you have to test from an access control
perspective.

So, while mapping an application out, you will make a list of the
actions you want to test anyway. Write these into a text file. Write
down all the user roles into another text file. Upload both of these
to the application. The application will generate a list of all
possible threats in an Excel file which is self explanatory. You can
exclude threats that you do not want downloaded as well.

Obviously, it is a very simple tool, but I feel it'll save you a
little time and maybe prevent certain oversights as well...if you have
a large number of menus to test across many privilege levels.

You need Rails 3.2 and Ruby 1.9 along with MySQL 5.x to use this. It's
downloadable at -
https://github.com/arvinddoraiswamy/Threat_Model_Helper

Please read the INSTALL file inside the project to find the exact
steps you need to perform to install this. It should work on Windows
and Linux, although I only tested it on Ubuntu 10.04. There is a
sample output file in the 'samples' directory. This is there just to
save you the frustration of downloading the tool, testing it out and
then finding it worthless :)

If you feel this is useful somehow, or can be extended so it BECOMES
useful, please let me know. You can reach me at arvind d o t
doraiswamy attherate g m a . .. c0M

Thnx
Arvind
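The action-by-role cross product the post describes, as an added Ruby example that is not the Threat_Model_Helper code; the two inline lists are constructed sample input standing in for the text files the tool uploads (paths and role names are assumptions), and an exclude set drops pairs you do not want in the output:

```ruby
# Added example (not the author's Threat_Model_Helper code): build the
# access-control test matrix described in the post from two inline lists.
require "csv"
require "set"

# Constructed sample input in the shape of the two text files the post
# mentions: one action per line with the role it is restricted to
# ("Any" if every role may use it), and one role per line.
ACTIONS_TXT = <<~TXT
  /admin/users,Admin
  /admin/audit,Admin
  /reports/export,B
  /profile/edit,Any
TXT

ROLES_TXT = <<~TXT
  Admin
  A
  B
  C
  D
TXT

# Parse "path,allowed_role" lines into [path, role] pairs, skipping blanks.
def parse_actions(text)
  text.lines.map(&:strip).reject(&:empty?).map { |l| l.split(",", 2).map(&:strip) }
end

def parse_roles(text)
  text.lines.map(&:strip).reject(&:empty?)
end

# Cross every action with every role. Each row records what the tester
# should expect: any role other than the one the action is restricted to
# must be denied. Pairs listed in `exclude` (e.g. already covered) are dropped.
def build_matrix(actions, roles, exclude: Set.new)
  actions.flat_map do |path, allowed|
    roles.map do |role|
      next if exclude.include?([path, role])
      expected = (allowed == "Any" || allowed == role) ? "allow" : "deny"
      { path: path, role: role, allowed_role: allowed, expected: expected }
    end.compact
  end
end

# Render the matrix as CSV (the post's tool writes Excel; CSV opens there too).
def to_csv(rows)
  CSV.generate do |csv|
    csv << %w[path role allowed_role expected]
    rows.each { |r| csv << [r[:path], r[:role], r[:allowed_role], r[:expected]] }
  end
end

if __FILE__ == $PROGRAM_NAME
  rows = build_matrix(parse_actions(ACTIONS_TXT), parse_roles(ROLES_TXT),
                      exclude: Set[["/profile/edit", "Admin"]])
  puts to_csv(rows)
end
```

Each "deny" row is one check to run in the browser as that role; a 200 where the sheet says deny is the access-control finding the post is trying to keep you from overlooking.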
