WebApp Sec mailing list archives
Mapping an application - Access control testing - Helper tool
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Sat, 11 Feb 2012 11:53:10 +0530
Hi All,

Here is a very small tool that I recently wrote. This helps you when you're mapping an application out and want a list of all the combinations of access control that you want to check.

So for example: there are 5 menus that are accessible only to an Admin level user and 4 other types of users (A, B, C and D). Now you'd want to check if any of these 4 users have unauthorized access to these menus. You'd repeat this exercise for each menu and each user level. This will result in a huge number of menus that you have to test from an access control perspective.

So, while mapping an application out, you will make a list of the actions you want to test anyway. Write these into a text file. Write down all the user roles into another text file. Upload both of these to the application. The application will generate a list of all possible threats in an Excel file which is self explanatory. You can exclude threats that you do not want downloaded as well.

Obviously, it is a very simple tool, but I feel it'll save you a little time and maybe prevent certain oversights as well... if you have a large number of menus to test across many privilege levels.

You need Rails 3.2 and Ruby 1.9 along with MySQL 5.x to use this. It's downloadable at:
https://github.com/arvinddoraiswamy/Threat_Model_Helper

Please read the INSTALL file inside the project to find the exact steps you need to perform to install this. It should work on Windows and Linux, although I only tested it on Ubuntu 10.04.

There is a sample output file in the 'samples' directory. This is there just to save you the frustration of downloading the tool, testing it out and then finding it worthless :)

If you feel this is useful somehow, or can be extended so it BECOMES useful... please let me know. You can reach me at arvind d o t doraiswamy attherate g m a . .. c0M

Thanks
Arvind
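The matrix the post describes (every role crossed with every action, keeping only the combinations that would be an unauthorized access, with an exclusion list) can be generated in a few lines of plain Ruby. The script below is an added illustration and is not code from Threat_Model_Helper; it needs no Rails or MySQL. The roles, the action names and the "which roles are allowed" mapping are constructed sample input; the real tool reads actions and roles from two text files and does not know the allowed mapping, so this goes one step beyond the post by using that mapping to drop the combinations that are expected to succeed.

```ruby
# Constructed sample input (not taken from the original tool). Each action
# lists the roles that are *supposed* to be able to reach it; every other role
# is a candidate for an unauthorized-access test.
ROLES = %w[admin A B C D].freeze

ACTIONS = {
  'GET /admin/users'         => %w[admin],
  'POST /admin/users/delete' => %w[admin],
  'GET /reports/export'      => %w[admin A],
  'GET /profile'             => %w[admin A B C D]
}.freeze

# Build the access-control test matrix: one (role, action) pair for every role
# that should NOT be able to perform the action. `exclude` holds [role, action]
# pairs the tester has already covered or does not want in the output.
def access_control_tests(roles, actions, exclude: [])
  tests = []
  actions.each do |action, allowed|
    unknown = allowed - roles
    raise ArgumentError, "unknown role(s) #{unknown.inspect} for #{action}" unless unknown.empty?

    (roles - allowed).each do |role|
      next if exclude.include?([role, action])

      tests << { role: role, action: action, expected: 'deny' }
    end
  end
  tests
end

# Minimal CSV quoting so the matrix opens cleanly in a spreadsheet, which is
# where the original tool puts its output.
def csv_field(value)
  s = value.to_s
  s.match?(/[",\n]/) ? '"' + s.gsub('"', '""') + '"' : s
end

def to_csv(tests)
  rows = [%w[role action expected]]
  tests.each { |t| rows << [t[:role], t[:action], t[:expected]] }
  rows.map { |r| r.map { |v| csv_field(v) }.join(',') }.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  # Example: skip one combination that was already verified by hand.
  matrix = access_control_tests(ROLES, ACTIONS, exclude: [['D', 'GET /reports/export']])
  puts to_csv(matrix)
end
```

Each row is a test to run, not a finding: replay the action with the listed role's session and record whether the server actually denies it. Two caveats apply to any matrix built this way. First, the rows are only as complete as the action list, so map the requests behind each menu (the actual URLs and parameters) rather than the menu labels, because a hidden menu entry says nothing about whether the endpoint enforces the check. Second, the "allowed" rows that this script drops are still worth a positive test, since a role that is wrongly denied is also an access-control bug, just a less dangerous one.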