Toward exploiting access control vulnerabilities within MongoDB backend web applications

Wen, S, Xue, Y, Xu, J, Yang, H, Li, X, Song, W and Si, G (2016) 'Toward exploiting access control vulnerabilities within MongoDB backend web applications.' In: Reisman, S, Ahamed, S.I, Liu, L, Milojicic, D, Claycomb, W, Matskin, M, Sato, H, Nakamura, M, Cimato, S, Lung, C.H and Zhang, Z, eds. Proceedings: 2016 IEEE 40th Annual Computer Software and Applications Conference Workshops. IEEE Computer Society, Los Alamitos, pp. 143-153. ISBN 9781467388450

Official URL:


Access control is an extremely important and error-prone practice during web application. The emergence of NoSQL databases and the flexible data models they bring impose new challenges on the implementation of access control within web applications. This paper presents Scout, a novel methodology for discovering access control vulnerabilities in existing web applications. Meanwhile (1) features of NoSQL database can be addressed and (2) neither application source code nor server-side session information from the developers is required. This paper implements a prototype of Scout, which targets MongoDB backend web applications. By automatically discovering the protocol layer in the web application stack, Scout introduces a data access operation model precisely representing the MongoDB actions performed in the web application, as well as inferring the access control policies. The prototype is shown to be able to identify comprehensive access control vulnerabilities in MongoDB backend web applications, and generate detailed report as the facilitator to manually fix the identified vulnerabilities.

Item Type: Book Chapter or Section

ISSN 0730-3157

Keywords: Access control, Data models, Electronic mail, Blogs, Indexes, Protocols
Divisions: Bath School of Design
Identification Number:
Date Deposited: 05 Mar 2017 20:17
Last Modified: 05 Jan 2022 16:07
URI / Page ID:
Request a change to this item or report an issue Request a change to this item or report an issue
Update item (repository staff only) Update item (repository staff only)