Computer Science (计算机科学) ›› 2024, Vol. 51 ›› Issue (9): 416-424. doi: 10.11896/jsjkx.230900075

• Information Security •

  • Corresponding author: ZHANG Bing (bingzhang@ysu.edu.cn)
  • Author contact: jdren@ysu.edu.cn

Web Access Control Vulnerability Detection Approach Based on Site Maps

REN Jiadong1,2, LI Shangyang1, REN Rong1, ZHANG Bing1,2, WANG Qian1   

  1 School of Information Science and Engineering, Yanshan University, Qinhuangdao, Hebei 066004, China
  2 The Key Laboratory of Software Engineering of Hebei Province, Qinhuangdao, Hebei 066004, China
  • Received: 2023-09-13 Revised: 2024-07-15 Online: 2024-09-15 Published: 2024-09-10
  • About author: REN Jiadong, born in 1967, Ph.D, professor, Ph.D supervisor, is a senior member of CCF (No. 13382S). His main research interests include data mining and software security.
    ZHANG Bing, born in 1989, Ph.D, associate professor, Ph.D supervisor, is a member of CCF (No. H3272M). His main research interests include data mining and software security.
  • Supported by:
    National Natural Science Foundation of China (62376240), S&T Program of Hebei (226Z0701G, 236Z0702G, 236Z0304G), Natural Science Foundation of Hebei Province, China (F2022203026, F2022203089), Science and Technology Project of Hebei Education Department (BJK2022029) and Innovation Capability Improvement Plan Project of Hebei Province (22567637H).


Abstract: Attackers commonly exploit access control vulnerabilities in web applications to gain unauthorized access to systems and to carry out malicious activities such as data theft. Existing methods for detecting access control vulnerabilities in web applications suffer from low page coverage and high detection overhead, which leads to high false negative rates and poor efficiency. To address this, a site map based web access control vulnerability detection method built on dynamic analysis is proposed. The method first builds a separate site map for the users of each role and merges them into a complete site map per role. It then analyzes these site maps to derive the web application's expected access control policy, constructs illegal test cases (requests that the derived policy says a given role should not be able to complete), issues them dynamically and analyzes the responses, thereby detecting access control vulnerabilities such as unauthorized access and privilege escalation. Finally, the method is validated on seven real-world open-source web applications. The results show that it substantially reduces overhead, achieves page coverage above 90%, and finds 10 real vulnerabilities with a recall rate of 100%.
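The following is an added example, written for this page and not the authors' own tool, of the core loop the abstract describes: derive an expected policy from per-role site maps, enumerate the role/URL pairs that policy forbids as illegal test cases, replay them, and judge each response against the page a legitimately authorized role receives. The site maps, the simulated application (including its deliberately role-blind `/admin/export` handler), the role names and the 0.9 similarity threshold are all constructed for illustration. It also covers a failure mode the "analyze execution results" step must handle in practice: an application that answers unauthenticated requests with HTTP 200 and the login form (a soft redirect), which a status-code-only oracle misreports as unauthorized access.

```python
"""Added example: site-map-driven access control testing.
All data below is constructed; app_under_test() stands in for a real target."""
from difflib import SequenceMatcher

ROLES = ("anonymous", "user", "admin")

# Constructed per-role site maps: the URLs each role's own crawl reached.
ROLE_SITEMAPS = {
    "anonymous": {"/", "/login"},
    "user": {"/", "/login", "/profile", "/orders"},
    "admin": {"/", "/login", "/profile", "/orders",
              "/admin/users", "/admin/export"},
}

LOGIN_FORM = "<form action='/login'><input name='user'><input name='pass'></form>"


def derive_policy(sitemaps):
    """Expected policy: URL -> set of roles whose own crawl reached it."""
    policy = {}
    for role, urls in sitemaps.items():
        for url in urls:
            policy.setdefault(url, set()).add(role)
    return policy


def generate_illegal_cases(policy, roles):
    """(role, url) pairs that the expected policy says must NOT succeed."""
    return [(role, url) for url in sorted(policy)
            for role in roles if role not in policy[url]]


def app_under_test(role, url):
    """Constructed stand-in for the target application; returns (status, body).
    The /admin/export handler is deliberately role-blind (the seeded flaw)."""
    logged_in = role != "anonymous"
    if url == "/":
        return 200, "<h1>Home</h1>"
    if url == "/login":
        return 200, LOGIN_FORM
    if not logged_in:
        # Soft redirect: HTTP 200 carrying the login form instead of a 302.
        return 200, LOGIN_FORM
    if url == "/profile":
        return 200, "<h1>Profile</h1><p>role=%s</p>" % role
    if url == "/orders":
        return 200, "<h1>Orders</h1><ul><li>#1001</li><li>#1002</li></ul>"
    if url == "/admin/users":
        if role != "admin":
            return 403, "<h1>Forbidden</h1>"
        return 200, "<h1>Users</h1><table><tr><td>alice</td></tr></table>"
    if url == "/admin/export":
        # BUG: checks only that a session exists, never that role == "admin".
        return 200, "id,email\n1,alice@example.com\n2,bob@example.com"
    return 404, "<h1>Not Found</h1>"


def same_page(a, b, threshold=0.9):
    """Body-level oracle: near-identical bodies mean the same resource was served."""
    return SequenceMatcher(None, a, b).ratio() >= threshold


def detect(policy, cases, request, compare_body=True):
    """Replay each illegal case and compare it with the response a role that
    IS expected to reach the URL gets. Returns (kind, role, url) findings."""
    findings = []
    for role, url in cases:
        baseline_role = sorted(policy[url])[0]  # any role expected to reach url
        exp_status, exp_body = request(baseline_role, url)
        status, body = request(role, url)
        if status != exp_status:
            continue
        if compare_body and not same_page(body, exp_body):
            continue  # same status code but a different page (login form, error)
        kind = ("unauthenticated access" if role == "anonymous"
                else "privilege escalation")
        findings.append((kind, role, url))
    return findings


if __name__ == "__main__":
    policy = derive_policy(ROLE_SITEMAPS)
    cases = generate_illegal_cases(policy, ROLES)
    print("illegal test cases:", cases)
    print("status-only oracle:", detect(policy, cases, app_under_test, compare_body=False))
    print("body-aware oracle: ", detect(policy, cases, app_under_test))
```

Against a live target, `request` would wrap an HTTP client that carries each role's session cookie, and the baseline response should be captured in the same run so that session-dependent content does not drift between the two requests. The status-only oracle flags five of the six illegal cases here, four of them false positives caused by the soft redirect; comparing bodies against the authorized baseline leaves only the genuine `/admin/export` finding.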

Key words: Access control, Site maps, Test cases, Vulnerability detection, CVE analysis

CLC number: TP311