Detecting Broken Authentication Vulnerabilities in Web Applications
| Supervisor(s) | Fabian Franzen |
| Status | finished |
| Topic | Others |
| Author | Sebastian Wörner |
| Submission | 2025-04-01 |
| Type of Thesis | Bachelor's thesis |
Description

The amount of content and services on the World Wide Web is growing steadily, and so is the number of vulnerabilities. A significant share of these can be grouped under the term Broken Authentication; the OWASP Top Ten 2021 mentions over 300,000 cases of Broken Authentication. This thesis presents different heuristics for detecting admin-related content in web applications. The goal is to use these heuristics to scan web pages for Broken Authentication vulnerabilities by labeling content and then checking which user can access it. The results show that it is difficult to automatically classify admin-sensitive web pages. Using an AI model to label content automatically gives an estimate of whether a page is admin-related, but the results cannot be relied on fully: performance depends heavily on the model used, and LLMs never produce fully deterministic output. Another approach is to label web pages with Facebook's fastText, but this performs worse than the AI heuristic. To scan a page, this thesis uses a black-box scanner built on the fastText heuristic.