Is it possible to test Role Based Access Control with ZAP
532 views
Skip to first unread message
Dollar Strike
Apr 8, 2017, 2:00:02 AM4/8/17
to OWASP ZAP User Group
I faced a vulnerability OWASP A8 Role Based Access Control (RBAC) in my application.
Scenario: When two users A,B logging into application at the same time, second, milli second then user A got to see user B dashboard. And User B faced 5XX error.
issue: User A could modify B's data
issue: User A could modify B's data
To get this repro, we really tried hard and finally using PhantomJS and Selenium we could able to repro the issue by providing screenshots to the customer.
I just wonder, is this possible with ZAP? logging in two different users at same milli second?
Simon Bennetts
Apr 10, 2017, 7:05:05 AM4/10/17
to OWASP ZAP User Group
We do have an Access Control Testing add-on: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts
However I'm afraid it probably wont find this particular issue.
Timing issues are very hard to reproduce, as you have found :)
We could introduce a specific test for this problem, but I'm not sure how effective that would be without making a very large number of requests, and this sounds like a very application specific problem.
You could definitely use ZAP to test for this sort of thing using scripting, but I'm not sure a generic rule would help.
Cheers,
Simon
However I'm afraid it probably wont find this particular issue.
Timing issues are very hard to reproduce, as you have found :)
We could introduce a specific test for this problem, but I'm not sure how effective that would be without making a very large number of requests, and this sounds like a very application specific problem.
You could definitely use ZAP to test for this sort of thing using scripting, but I'm not sure a generic rule would help.
Cheers,
Simon
Dollar Strike
Apr 10, 2017, 9:57:34 AM4/10/17
to OWASP ZAP User Group
Thanks for the response Simon. I usually use ZAP & Burp for many reasons. Coming back to the issue, I have seen this issue in 4 different applications built on .NET & JSP as well(seems like sessions implementation flaw).
I could've sent two requests at same time using multi-thread in java but the reason behind using PhantomJs with selenium is to capture screenshots as a proof which was asked by client.
Scenario: Role Based Access Control Testing - When 100+ users login to application at same millisecond with their credentials. (Don't call it a DoS attack lol)
Don't you think testing this scenario need much effort? I am not sure how Facebook,Twitter tests this scenario with thousands of user at same second. And no other tool in the market has this feature. I've checked many tools online. Finally I thought to create a generic function using Python script
Anyway I'm not sure how this work in all kind of applications, it would be great if we have this feature in ZAP may be with Phantom or Python. Since zap already got provision of PhantomJS binary, it should be easy to build a feature on this scenario. It's just my opinion.
I could've sent two requests at same time using multi-thread in java but the reason behind using PhantomJs with selenium is to capture screenshots as a proof which was asked by client.
Scenario: Role Based Access Control Testing - When 100+ users login to application at same millisecond with their credentials. (Don't call it a DoS attack lol)
Don't you think testing this scenario need much effort? I am not sure how Facebook,Twitter tests this scenario with thousands of user at same second. And no other tool in the market has this feature. I've checked many tools online. Finally I thought to create a generic function using Python script
Anyway I'm not sure how this work in all kind of applications, it would be great if we have this feature in ZAP may be with Phantom or Python. Since zap already got provision of PhantomJS binary, it should be easy to build a feature on this scenario. It's just my opinion.
Reply all
Reply to author
Forward
0 new messages