Detecting Broken Authentication Vulnerabilities in Web Applications

Supervisor(s): Fabian Franzen
Status: finished
Topic: Others
Author: Sebastian Wörner
Submission: 2025-04-01
Type of Thesis: Bachelorthesis

Description

The amount of content and services on the World Wide Web is growing steadily, and so
is the number of vulnerabilities. A significant share of these can be grouped under
the term Broken Authentication. The OWASP Top Ten 2021 mentions over 300,000 cases
of Broken Authentication.
This thesis presents different heuristics to detect admin-related content in web
applications. The goal is to use these heuristics to scan web pages for Broken
Authentication vulnerabilities by labeling content and checking which user has
access to it.
The results of this thesis show that it is difficult to automatically classify
admin-sensitive web pages.
By using AI to automatically label content, one can get an estimate of whether a
page is admin-related. However, the results of these models cannot be fully relied on,
as their performance depends heavily on the model used, and LLMs never provide fully
deterministic results. Another approach is to use Facebook's Fasttext to label web
pages, but this performs worse than the AI heuristic.
To scan a page, this thesis uses a black-box scanner that applies the Fasttext heuristic.
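The two steps the description combines (label a page as admin-related, then check which user can actually retrieve it) can be shown end to end with a small, self-contained Python script. This is an added illustration, not the thesis's scanner or its Fasttext/LLM labeller: a weighted keyword heuristic with constructed indicator phrases and an assumed threshold stands in for the trained classifier, and HTTP responses come from a constructed in-memory mock site rather than a live application. The access check deliberately handles the common false positive in which an unauthenticated request gets HTTP 200 but only a login form: a page is flagged only when the lower-privileged role receives a body that itself labels as admin-related.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed indicator list (assumption): phrases that commonly appear on
# administrative pages, with illustrative weights. A trained fastText or LLM
# labeller would replace admin_score() in a real scanner.
ADMIN_INDICATORS: Dict[str, float] = {
    "admin": 3.0, "administrator": 3.0, "dashboard": 1.5,
    "manage users": 2.5, "user management": 2.5, "delete user": 2.5,
    "permissions": 2.0, "roles": 1.5, "audit log": 2.0, "settings": 1.0,
}
ADMIN_THRESHOLD = 3.0  # assumption: weighted score at or above this = admin-related


def admin_score(html: str) -> float:
    """Strip tags, then sum indicator weights times whole-word hit counts."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    text = re.sub(r"\s+", " ", text)
    score = 0.0
    for term, weight in ADMIN_INDICATORS.items():
        pattern = r"\b" + re.escape(term) + r"\b"
        score += weight * len(re.findall(pattern, text))
    return score


def is_admin_related(html: str) -> bool:
    return admin_score(html) >= ADMIN_THRESHOLD


@dataclass(frozen=True)
class Finding:
    url: str
    role: str     # lower-privileged role that received the admin content
    status: int


Fetch = Callable[[str, str], Tuple[int, str]]  # (role, url) -> (status, body)
LOWER_ROLES = ["anonymous", "user"]             # roles that must not see admin content


def find_broken_auth(fetch: Fetch, urls: List[str],
                     lower_roles: List[str] = LOWER_ROLES) -> List[Finding]:
    """Label each page from the admin's view, then re-request it as every
    lower-privileged role. A finding is a 200 whose body is itself labelled
    admin-related; a 200 that merely serves a login form is not flagged."""
    findings: List[Finding] = []
    for url in urls:
        status, body = fetch("admin", url)
        if status != 200 or not is_admin_related(body):
            continue  # not admin content; nothing to protect here
        for role in lower_roles:
            status, body = fetch(role, url)
            if status == 200 and is_admin_related(body):
                findings.append(Finding(url, role, status))
    return findings


# Constructed mock of a small application: (role, url) -> (status, body).
ADMIN_PAGE = "<h1>Admin dashboard</h1><p>Manage users, permissions and roles.</p>"
LOGIN_PAGE = "<h1>Login</h1><form>username / password</form>"
HELP_PAGE = "<h1>Help</h1><p>How to reset your password.</p>"
AUDIT_PAGE = "<h1>Audit log</h1><p>Recent administrator actions.</p>"
MOCK_SITE: Dict[Tuple[str, str], Tuple[int, str]] = {
    ("admin", "/admin/users"): (200, ADMIN_PAGE),
    ("user", "/admin/users"): (200, ADMIN_PAGE),        # the defect: served to a normal user
    ("anonymous", "/admin/users"): (200, LOGIN_PAGE),   # 200, but only a login form
    ("admin", "/admin/audit"): (200, AUDIT_PAGE),
    ("user", "/admin/audit"): (403, "Forbidden"),
    ("anonymous", "/admin/audit"): (302, ""),
    ("admin", "/help"): (200, HELP_PAGE),
    ("user", "/help"): (200, HELP_PAGE),
    ("anonymous", "/help"): (200, HELP_PAGE),
}


def mock_fetch(role: str, url: str) -> Tuple[int, str]:
    """Stand-in for an HTTP client holding a session for the given role."""
    return MOCK_SITE.get((role, url), (404, ""))


if __name__ == "__main__":
    for f in find_broken_auth(mock_fetch, ["/admin/users", "/admin/audit", "/help"]):
        print(f"{f.url}: admin content returned to role '{f.role}' (HTTP {f.status})")
```

Against the mock site only `/admin/users` is reported, and only for the `user` role: the anonymous request also gets a 200, but its body is a login form that scores zero, which is exactly the case a status-code-only check would misreport. Labelling from the admin's view first also avoids probing pages that are not admin content at all, which keeps the scan's request count proportional to the pages that matter.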