[CCS 2025] Be Aware of What You Let Pass: Demystifying URL-based Authentication Bypass Vulnerability in Java Web Applications

Abstract:

URL-based authentication provides a centralized and flexible way to safeguard sensitive resources in Java web applications by enforcing authentication checks based on URL paths. However, inconsistencies in handling flexible routing features (e.g., removing /./) between URL routing and authentication can be exploited to bypass authentication checks, resulting in URL-based Authentication Bypass Vulnerabilities (UABVulns). These vulnerabilities allow attackers to access sensitive resources without authentication, leading to serious security breaches. In this paper, we conduct the first in-depth study of 53 real-world UABVulns in Java web applications. Our study uncovers the root causes of UABVulns and identifies three key findings regarding URL routing, authentication, and sanitization. Guided by these findings, we design and implement UABScan, a static analysis tool that detects UABVulns by matching routing and authentication inconsistencies through pattern-based analysis. We evaluate UABScan on 529 popular Java web applications and successfully report 94 UABVulns across 72 applications, including 35 verified high-risk 0-days. Through manual investigation, UABScan achieves a recall of 87.50% and a precision of 80.00%, and significantly outperforms the state-of-the-art tool. To date, 31 CVE IDs have been assigned.
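The routing/authentication inconsistency the abstract describes, as an added example that is not code from the paper or from any of the studied applications: a URL-based check that string-matches the raw request path, beside one that canonicalizes the path the way a router does before deciding. The protected prefixes and sample requests are constructed for this demonstration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

// Added example, not from the paper. Contrasts a naive prefix check on the raw
// path with a hardened check that canonicalizes first and fails closed.
public class UrlAuthCheck {
    // Hypothetical protected prefixes for this demonstration.
    static final List<String> PROTECTED = List.of("/admin", "/api/internal");

    // Naive check: string-prefix match on the path exactly as the client sent it.
    // The router later collapses "/./", so it and this check see different paths.
    static boolean requiresAuthNaive(String rawPath) {
        return PROTECTED.stream().anyMatch(rawPath::startsWith);
    }

    // Canonicalize like a router: drop empty and "." segments, resolve "..",
    // and never climb above the root.
    static String canonicalize(String rawPath) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : rawPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { segments.pollLast(); continue; }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    // Hardened check: decide on the canonical path, match whole segments only,
    // and treat any request whose canonical form differs from what was sent as
    // protected, so nothing non-canonical is let pass unauthenticated.
    static boolean requiresAuthHardened(String rawPath) {
        String path = canonicalize(rawPath);
        if (!path.equals(rawPath)) return true;
        return PROTECTED.stream()
                .anyMatch(p -> path.equals(p) || path.startsWith(p + "/"));
    }

    public static void main(String[] args) {
        // Constructed sample requests; the second carries the "/./" the paper cites.
        for (String req : List.of("/admin/users", "/./admin/users", "/public//../admin")) {
            System.out.printf("%-20s naive=%-5b hardened=%b%n",
                    req, requiresAuthNaive(req), requiresAuthHardened(req));
        }
    }
}
```

The naive check lets the second and third requests through while the router still dispatches them to `/admin/...`; the hardened check flags both because their canonical form differs from the raw path.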