Computer Science (计算机科学), 2023, Vol. 50, Issue 2: 346-352. doi: 10.11896/jsjkx.211100166

• Information Security •

Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis

MA Qican (马琪灿), WU Zehui (武泽慧), WANG Yunchao (王允超), WANG Xinlei (王新蕾)

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Received: 2021-11-15  Revised: 2022-06-21  Online: 2023-02-15  Published: 2023-02-22
  • Corresponding author: WU Zehui (wuzehui2010@foxmail.com)
  • About the authors: (expolit@88.com)
  • Supported by:
    National Key Research and Development Program of China (2019QY0501)

Abstract: Attackers can exploit vulnerabilities in Web applications to carry out malicious actions such as disrupting application functionality or planting Trojans. For detecting access control vulnerabilities in Web applications, existing methods suffer from high false-positive and false-negative rates and low efficiency, because code features are hard to extract and application behaviour is characterised inaccurately. This paper proposes a method for detecting Web access control vulnerabilities based on state deviation analysis. It combines white-box testing to extract the access-control-related constraints in the code and generates from them the Web application's expected access policy; it then generates the application's actual access policy through dynamic analysis, which turns the detection of access control vulnerabilities into the detection of deviations between the expected and actual states. A prototype tool, ACVD, was built with the proposed method; it accurately detects access control vulnerability types such as unauthorized access and privilege escalation (access beyond the granted role). Tested on 5 real Web applications, it found 16 real vulnerabilities with a recall of 98%, and its detection efficiency was about 300% higher than that of traditional black-box tools.

Key words: Web application, Access control vulnerability, Logic vulnerability, Finite state machine

CLC number: TP311
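The abstract describes the detection pipeline only at a high level. The following Python is an added illustration of that pipeline, not the authors' ACVD tool or any code from the paper. It makes three assumptions that are labelled in the code: the expected access policy is taken from a hand-written route-to-roles table standing in for the constraints the white-box step would extract from source; the application under test is a toy request handler with two deliberately planted defects (a role guard applied only to GET, and an endpoint with no authorisation check); and the actual access policy is built by probing every (role, route) state with a session for that role. A state that the dynamic probe can reach but the expected policy forbids is a state deviation, reported as an access control finding; the reverse deviation is recorded separately because it is a functional bug rather than a vulnerability.

```python
"""Toy state-deviation check for Web access control (constructed example).

Every (role, route) pair is one state of the access control model. The
expected policy says which states the source code's guards should permit;
the actual policy says which states the running application really permits.
"""

# Assumed output of the white-box constraint extraction: for each route, the
# set of roles whose sessions satisfy the guards found in the source.
# Constructed sample data, not taken from any real application.
EXPECTED_CONSTRAINTS = {
    "/dashboard":       {"user", "editor", "admin"},
    "/posts/edit":      {"editor", "admin"},
    "/admin/users":     {"admin"},
    "/admin/users/del": {"admin"},
    "/api/export":      {"admin"},
}
ROLES = ("anon", "user", "editor", "admin")


def expected_policy(constraints, roles):
    """(role, route) -> True if the extracted constraints permit that state."""
    return {(role, route): role in allowed
            for route, allowed in constraints.items() for role in roles}


class ToyApp:
    """Stand-in for the application under test (hypothetical handlers)."""

    def handle(self, method, path, session):
        role = session.get("role", "anon")
        if path == "/dashboard":
            return 200 if role != "anon" else 302   # redirect to login
        if path == "/posts/edit":
            return 200 if role in ("editor", "admin") else 403
        if path == "/admin/users":
            return 200 if role == "admin" else 403
        if path == "/admin/users/del":
            # Planted defect: the guard only covers GET, so POST bypasses it.
            if method == "GET" and role != "admin":
                return 403
            return 200
        if path == "/api/export":
            # Planted defect: no authorisation check at all.
            return 200
        return 404


def actual_policy(app, constraints, roles, methods=("GET", "POST")):
    """Probe each (role, route) state; a 2xx from any method means 'allowed'."""
    actual = {}
    for route in constraints:
        for role in roles:
            session = {} if role == "anon" else {"role": role}
            actual[(role, route)] = any(
                app.handle(m, route, session) // 100 == 2 for m in methods)
    return actual


def detect_deviations(expected, actual):
    """Compare the two policies state by state.

    actual allows, expected forbids -> access control vulnerability
    expected allows, actual forbids -> over-restrictive (functional bug only)
    """
    vulns, over_restrictive = [], []
    for (role, route), allowed in actual.items():
        if allowed and not expected[(role, route)]:
            kind = "unauthorized access" if role == "anon" else "privilege escalation"
            vulns.append((route, role, kind))
        elif expected[(role, route)] and not allowed:
            over_restrictive.append((route, role))
    return sorted(vulns), sorted(over_restrictive)


def scan(app, constraints=EXPECTED_CONSTRAINTS, roles=ROLES,
         methods=("GET", "POST")):
    """Run the whole pipeline and return (vulnerabilities, over_restrictive)."""
    expected = expected_policy(constraints, roles)
    actual = actual_policy(app, constraints, roles, methods)
    return detect_deviations(expected, actual)


if __name__ == "__main__":
    findings, functional = scan(ToyApp())
    for route, role, kind in findings:
        print(f"{kind:20s} {role:7s} reaches {route}")
    print(f"over-restrictive states: {functional}")
```

Probing with GET alone would miss the `/admin/users/del` bypass entirely and report only the unguarded `/api/export` endpoint; exercising every method the route accepts is what surfaces the method-dependent deviation, which is the kind of gap a purely GET-driven black-box scan leaves open.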