Computer Science ›› 2023, Vol. 50 ›› Issue (2): 346-352.doi: 10.11896/jsjkx.211100166

• Information Security •

Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis

MA Qican, WU Zehui, WANG Yunchao, WANG Xinlei   

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Received: 2021-11-15 Revised: 2022-06-21 Online: 2023-02-15 Published: 2023-02-22
  • Supported by:
    National Key Research and Development Program of China (2019QY0501)

Abstract: Attackers can exploit vulnerabilities in Web applications to carry out malicious behaviour such as disrupting application functionality and implanting Trojans. For the detection of access control vulnerabilities in Web applications, existing methods suffer from high false-positive and missed-detection rates and low efficiency, because code features are difficult to extract and application behaviour is portrayed inaccurately. This paper proposes a method for detecting Web access control vulnerabilities based on state deviation analysis. It combines white-box testing techniques to extract the access-control-related constraints in the code and generate the Web application's expected access policy, then generates the application's actual access policy through dynamic analysis, turning the detection of access control vulnerabilities into the detection of deviations between the two policies. The technique is implemented in the prototype tool ACVD, which accurately detects access control vulnerability types such as unauthorized access and ultra vires (privilege-exceeding) access. Tested on 5 real Web applications, it found 16 real vulnerabilities with a recall rate of 98%, about 300% higher than traditional black-box tools.
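The core step the abstract describes, comparing an expected access policy against the policy actually observed at run time and treating every mismatch as a finding, can be shown in a few dozen lines. The following is an added illustration, not code from ACVD or the paper: the role ranking, the endpoint names, the expected policy (which the paper would derive from white-box constraint extraction) and the observation log (which the paper would obtain by dynamic analysis) are all constructed here, and the split into "unauthorized" (no login) versus "ultra vires" (logged in but below the required role) is this example's own labelling of the two vulnerability types the abstract names.

```python
"""State-deviation check for Web access control (added example, not ACVD).

Expected policy: endpoint -> minimum role required.  In the paper this comes
from white-box extraction of access-control constraints; here it is hand-built.
Actual policy: the (endpoint, role) pairs that were actually served a 2xx.  In
the paper this comes from dynamic analysis; here it comes from constructed log
lines.  A deviation is a pair present in the actual policy but absent from the
expected one.
"""
from dataclasses import dataclass

# Constructed role lattice: higher rank means more privilege.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Constructed expected access policy: endpoint -> minimum role required.
EXPECTED_POLICY = {
    "/login": "anonymous",
    "/profile": "user",
    "/orders": "user",
    "/admin/users": "admin",
    "/admin/export": "admin",
}

# Constructed observation log, one request per line:
# "<role-of-session> <METHOD> <endpoint> <HTTP status>"
OBSERVATIONS = """\
anonymous GET /login 200
anonymous GET /profile 302
anonymous GET /admin/export 200
user GET /profile 200
user GET /orders 200
user GET /admin/users 200
user GET /admin/export 403
admin GET /admin/users 200
admin GET /admin/export 200
"""


@dataclass(frozen=True)
class Deviation:
    endpoint: str
    role: str        # role that reached the endpoint
    required: str    # role the expected policy demands
    kind: str        # "unauthorized" (anonymous) or "ultra_vires" (too-low role)


def parse_observations(text):
    """Turn the constructed log into (role, endpoint, status) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        role, _method, endpoint, status = line.split()
        rows.append((role, endpoint, int(status)))
    return rows


def actual_policy(observations):
    """Actual policy: every (endpoint, role) pair that received a 2xx answer."""
    return {(ep, role) for role, ep, status in observations if 200 <= status < 300}


def expected_pairs(policy):
    """Expand 'minimum role' into the full set of permitted (endpoint, role) pairs."""
    return {
        (ep, role)
        for ep, required in policy.items()
        for role, rank in ROLE_RANK.items()
        if rank >= ROLE_RANK[required]
    }


def find_deviations(policy, observations):
    """Report pairs reachable in practice that the expected policy forbids."""
    allowed = expected_pairs(policy)
    findings = []
    for ep, role in sorted(actual_policy(observations)):
        if (ep, role) in allowed or ep not in policy:
            # Allowed, or no expectation was extracted for this endpoint:
            # skip rather than guess, so the report stays explainable.
            continue
        kind = "unauthorized" if role == "anonymous" else "ultra_vires"
        findings.append(Deviation(ep, role, policy[ep], kind))
    return findings


if __name__ == "__main__":
    for d in find_deviations(EXPECTED_POLICY, parse_observations(OBSERVATIONS)):
        print(f"{d.kind:12} {d.role:9} reached {d.endpoint} (requires {d.required})")
```

On the constructed input the check reports two deviations: the anonymous session that was served `/admin/export`, and the `user` session that was served `/admin/users`. Endpoints with no extracted expectation are deliberately skipped; in practice those are the places where the expected policy, not the application, needs more work.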

Key words: Web application, Access control vulnerability, Logic vulnerability, Finite state machine

CLC Number: TP311