Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications
Source: Stanford University
Nemesis is a new method for preventing authentication and access control bypass attacks in web-based applications. It uses Dynamic Information Flow Tracking to identify when application-specific users are authenticated, and it uses an additional HTTP cookie to build a shadow authentication system that tracks user authentication state. Programmers can specify access control lists for resources such as files or database entries in terms of application-specific users, and Nemesis automatically enforces these lists at runtime. By combining the shadow authentication system with strong authorization checks, Nemesis is able to overcome significant attacks on web applications' authentication and access controls.

The method can also improve the precision of other security tools, for example those dealing with SQL injection bugs, by avoiding false positives for requests that are properly authenticated.

In an experiment to test Nemesis, a prototype was implemented in the PHP interpreter and its security was evaluated by protecting seven real web-based applications. The prototype successfully protected all seven applications, introduced no false positives, and demanded only a small amount of work from the application developer. For most applications, the developer had to write fewer than one hundred lines of code to avoid authentication vulnerabilities.
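
A simplified model of the shadow authentication idea described above, as an added example that is not code from Nemesis or from the original page. The information flow tracking is replaced here by an explicit call at the point where the password comparison succeeds; the cookie name `shadow_auth`, the key, the accounts and the ACLs are all constructed assumptions.

```python
import hashlib
import hmac

SHADOW_KEY = b"constructed-demo-key"            # assumption: server-side secret
USERS = {"alice": "wonderland", "admin": "s3cret"}   # constructed sample accounts
ACL = {"/files/alice.txt": {"alice", "admin"},       # constructed ACLs, expressed in
       "/admin/settings": {"admin"}}                 # application-specific user names


def shadow_cookie(user):
    """Value of the extra cookie: user name plus a MAC only the server can compute."""
    tag = hmac.new(SHADOW_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def shadow_user(cookies):
    """Return the authenticated user recorded in the shadow cookie, or None."""
    user, _, tag = cookies.get("shadow_auth", "").rpartition(":")
    expected = hmac.new(SHADOW_KEY, user.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return user if user and ok else None


def login(user, password, cookies):
    """Shadow state is set only where the supplied password really matched."""
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        cookies["app_user"] = user              # the application's own session state
        cookies["shadow_auth"] = shadow_cookie(user)
        return True
    return False


def access(resource, cookies):
    """Authorization consults the shadow user, never the application's own cookie."""
    return shadow_user(cookies) in ACL.get(resource, set())


def demo():
    jar = {}
    login("alice", "wonderland", jar)
    own_file = access("/files/alice.txt", jar)
    jar["app_user"] = "admin"                   # app-level state no longer trustworthy
    admin_after_change = access("/admin/settings", jar)
    forged = access("/admin/settings",
                    {"app_user": "admin", "shadow_auth": "admin:" + "0" * 64})
    return own_file, admin_after_change, forged
```

Because `access` decides from the shadow cookie alone, a flaw in how the application maintains `app_user` does not change what the ACL check allows.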