[Owasp-access-control-rules-tester-project] Access Control Rules Tester review

OWASP Access Control Rules Tester Project owasp-access-control-rules-tester-project at lists.owasp.org
Thu Oct 9 15:43:27 EDT 2008

Unfortunately I am not a native English speaker, but I'll try my best to revise the docs. I have some other ideas but need to clean my mind to type them in text.


----- Original Message ----
From: Andrew Petukhov <petand at lvk.cs.msu.su>
To: Min Chen <mg_chen at yahoo.com>
Cc: owasp-access-control-rules-tester-project at lists.owasp.org
Sent: Thursday, October 9, 2008 2:42:26 PM
Subject: Re: Access Control Rules Tester review

 Min Chen wrote:


This is a good start. The algorithm, design, and the tool are in good
shape. Well done Andrew.

It's not uncommon to change the design or requirement during the
implementation phase, it would be nice to update the project
requirement to reflect the real implementation.


Original Message ----
From: Andrew Petukhov <petand at lvk.cs.msu.su>
To: Min Chen <mg_chen at yahoo.com>
Cc: owasp-access-control-rules-tester-project at lists.owasp.org
Sent: Wednesday, October 8, 2008 12:16:23 PM
Subject: Re: Access Control Rules Tester review

 Min Chen wrote:

Two things seem missing:

1. The document does not clearly answer "Is it possible to build precise access control matrix for a web application and how"

2. I can't find Rhino library or source code in the tool, did I miss somthing?


1. The model, which I utilize is built on the concept of resource.
Resource is URI, and actions are read (GET) and execute/write (POST).
This scope of view is induced from the black box testing requirement. 
In this terms, the access control matrix in CURRENT web application
state is the mapping USER * URI * {GET, POST} -> {allow, deny}
Of course, this matrix can change.
My document gives procedures how to record use case dependency graph
for a group of users (one user per role). 
But in the terms stated above these recordings form a sequence of the
access control matrices perceived by users. 
The question is - how to obtain the sequence of real access
control matrices? The answer is:
- union all perceived matrices;
- probe for all resources from current user at current state.
My tool gives in the report the set of resources that are included in
the real access matrix that are not contained in the percieved access matrix.

Do I speak clear? 
Maybe I should add this remarks at the end of my formal document?

2. Rhino. This was intended as a JavaScript processing part of web
spider that I was going to develop. Initially, I was going to include
web spider as a part of my tool. However, the spider part appeared to
be too complex. As a result a combination of existing tools
was chosen that is able to perform the Sitemap generation according to
the developed method. Thus, the Spider module was not developed: it saved time and effort, and another Spider-clone with the
same functionality was not set free. However, AJAX and Javascript web
application still require manual navigation (if they contain resource
that are not accessible via static links). The development of
fully-enabled Javascript spider appeared to be a significant work.
However, the initial P022 proposal did not contain the strict
requirement for a spider: http://www.owasp.org/index.php/OWASP_Request_for_Proposal_List#P022_-_OWASP_Access_Control_Rules_Tester

After my experience, I would say that AcCoRuTe should not be integrated
with the spider. But, the javascript-enabled spider should be developed
instead of Burp Spider currently in use.



Hi all! Thanks, Min.
I am very glad to hear these words from you. The biggest problem now is
where to place an about box in the command line tool :)
And it is a perfect suggestion to add XSD tool to the project.
Regarding elaborating use cases and constructing a dependency graph...
I thought about the complexity of this stage. For now, the best idea
that I have is to include a number of case studies (or name it best
practices) of web applications in different domains (i.e. distance
learning, HR, banking, online shopping, blogging). I had another idea
to utilize UML somehow, but i have not precise vision of it at this

There is also an objective defect in my documents - the way I express
my thoughts. English is not my native language and it is possible that
some parts of my documents look obfuscated. So maybe you have marked
some sections in the documents that require revisioning (maybe rephrase
them with the help of native speakers)? 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-access-control-rules-tester-project/attachments/20081009/7dd6251f/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 9858 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-access-control-rules-tester-project/attachments/20081009/7dd6251f/attachment-0001.jpe 

More information about the Owasp-access-control-rules-tester-project mailing list