Computer Science ›› 2023, Vol. 50 ›› Issue (2): 346-352. doi: 10.11896/jsjkx.211100166
马琪灿, 武泽慧, 王允超, 王新蕾
MA Qican, WU Zehui, WANG Yunchao, WANG Xinlei
Abstract: Attackers can exploit vulnerabilities in Web applications to carry out malicious actions such as disrupting application functionality and implanting trojans. For the detection of access control vulnerabilities in Web applications, existing methods suffer from excessive false positive and false negative rates and low efficiency, because code features are hard to extract and application behaviour is characterized inaccurately. This paper proposes a Web access control vulnerability detection method based on state deviation analysis. Combined with white-box testing techniques, it extracts the access-control-related constraints from the code and uses them to generate the expected access policy of the Web application; it then generates the actual access policy of the Web application through dynamic analysis, converting the detection of access control vulnerabilities into the detection of state deviations. A prototype tool, ACVD, developed with the proposed method can accurately detect access control vulnerability types such as unauthorized access and privilege-escalating (over-privileged) access. Tests on 5 real Web applications found 16 real vulnerabilities, with a recall of 98% and a detection efficiency about 300% higher than that of traditional black-box tools.
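As an added illustration (not code from the paper or from the ACVD prototype), the following Python script shows the core comparison the abstract describes: an expected access policy, here a hand-written table standing in for the constraints that the white-box step would extract from source code, is compared against the actual policy derived from dynamic probing of every route under every role, and each route whose observed minimum role is weaker than the expected one is reported as an unauthorized-access or privilege-escalation deviation. The role hierarchy, routes, and the probe log are constructed sample data.

```python
"""Added example (not code from the paper or the ACVD prototype): compare an
expected Web access policy with the actual policy observed under test, and
report every state deviation. All roles, routes and probe results are
constructed sample data."""
from collections import defaultdict

# Role hierarchy as a rank; a higher rank means more privilege (constructed).
ROLE_RANK = {"anonymous": 0, "user": 1, "editor": 2, "admin": 3}

# Expected policy: the least-privileged role each route should accept.
# The paper's white-box step derives this from access-control constraints
# in the source code; here it is written by hand (constructed).
EXPECTED_POLICY = {
    "GET /public/index": "anonymous",
    "GET /profile": "user",
    "POST /article/edit": "editor",
    "GET /admin/users": "admin",
    "POST /admin/delete_user": "admin",
}

# Probe results from the dynamic step: each route requested once per role,
# recorded as "role method path status". Constructed to contain two defects.
PROBE_LOG = """\
anonymous GET /public/index 200
user GET /public/index 200
anonymous GET /profile 302
user GET /profile 200
editor GET /profile 200
anonymous POST /article/edit 403
user POST /article/edit 200
editor POST /article/edit 200
anonymous GET /admin/users 403
user GET /admin/users 403
admin GET /admin/users 200
anonymous POST /admin/delete_user 200
user POST /admin/delete_user 200
admin POST /admin/delete_user 200
"""

DENIED_STATUSES = {401, 403, 302}  # a redirect to the login page counts as denied


def parse_probe_log(text):
    """Return {route: {role: served}} from the constructed probe log."""
    results = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        role, method, path, status = line.split()
        results[f"{method} {path}"][role] = int(status) not in DENIED_STATUSES
    return results


def actual_policy(results, role_rank=ROLE_RANK):
    """Least-privileged role that was actually served, per route."""
    policy = {}
    for route, by_role in results.items():
        served = [role for role, ok in by_role.items() if ok]
        if served:
            policy[route] = min(served, key=role_rank.__getitem__)
    return policy


def find_deviations(expected, actual, role_rank=ROLE_RANK):
    """Routes whose observed minimum role is weaker than the expected one.

    Returns {route: (expected_role, actual_role, kind)} where kind is
    "unauthorized_access" when an anonymous client was served a protected
    route, and "privilege_escalation" when a lower-ranked authenticated
    role was served a route reserved for a higher one.
    """
    deviations = {}
    for route, required in expected.items():
        got = actual.get(route)
        if got is None:
            continue  # nobody was served; not an access-control weakness
        if role_rank[got] < role_rank[required]:
            kind = "unauthorized_access" if got == "anonymous" else "privilege_escalation"
            deviations[route] = (required, got, kind)
    return deviations


if __name__ == "__main__":
    found = find_deviations(EXPECTED_POLICY, actual_policy(parse_probe_log(PROBE_LOG)))
    for route, (need, got, kind) in sorted(found.items()):
        print(f"{kind}: {route} expects {need!r} but served {got!r}")
```

Running the script reports two deviations from the constructed log: `POST /article/edit` is served to a plain `user` although the expected policy requires `editor`, and `POST /admin/delete_user` is served even to an `anonymous` client. Routes that are merely over-restricted (a permitted role denied) are not flagged here, since the abstract is concerned with access being granted where the code's constraints say it should not be.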