Computer Science ›› 2024, Vol. 51 ›› Issue (9): 416-424.doi: 10.11896/jsjkx.230900075

• Information Security •

Web Access Control Vulnerability Detection Approach Based on Site Maps

REN Jiadong1,2, LI Shangyang1, REN Rong1, ZHANG Bing1,2, WANG Qian1   

  1. School of Information Science and Engineering, Yanshan University, Qinhuangdao, Hebei 066004, China
  2. The Key Laboratory of Software Engineering of Hebei Province, Qinhuangdao, Hebei 066004, China
  • Received: 2023-09-13; Revised: 2024-07-15; Online: 2024-09-15; Published: 2024-09-10
  • About author: REN Jiadong, born in 1967, Ph.D, professor, Ph.D supervisor, is a senior member of CCF (No. 13382S). His main research interests include data mining and software security.
    ZHANG Bing, born in 1989, Ph.D, associate professor, Ph.D supervisor, is a member of CCF (No. H3272M). His main research interests include data mining and software security.
  • Supported by: National Natural Science Foundation of China (62376240), S&T Program of Hebei (226Z0701G, 236Z0702G, 236Z0304G), Natural Science Foundation of Hebei Province, China (F2022203026, F2022203089), Science and Technology Project of Hebei Education Department (BJK2022029) and Innovation Capability Improvement Plan Project of Hebei Province (22567637H).

Abstract: Attackers usually exploit access control vulnerabilities in web applications to gain unauthorized access to systems or to carry out malicious activities such as data theft. Existing methods for detecting access control vulnerabilities in web applications suffer from low page coverage and high detection overhead, resulting in high false negative rates and poor efficiency. To address this, a web access control vulnerability detection method based on site maps is proposed that uses dynamic analysis. The method first builds separate site maps for each user role and merges them into a comprehensive site map per role. The site maps are then analyzed to derive the expected access control policy of the web application. Illegal test cases are constructed from this policy, executed dynamically, and their results analyzed, which allows unauthorized access and privilege escalation vulnerabilities to be detected. Finally, the proposed method is validated on seven real-world open-source web applications. The results show that the approach significantly reduces overhead, achieves a page coverage rate of over 90%, and successfully detects 10 real vulnerabilities with a recall rate of 100%.

Key words: Access control, Site maps, Test cases, Vulnerability detection, CVE analysis

CLC Number: TP311
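The following is an added toy illustration of the workflow the abstract describes (per-role site maps, an expected policy derived from them, illegal test cases replayed against the application); it is not the authors' tool. The site maps, principals, URLs and the deliberately flawed stand-in application are all constructed for the example.

```python
from collections import defaultdict

# Constructed data: one principal per role (two ordinary users so horizontal cases exist) and the site map crawled as each.
ROLE = {"guest": "guest", "alice": "user", "bob": "user", "root": "admin"}
RANK = {"guest": 0, "user": 1, "admin": 2}
SITE_MAPS = {
    "guest": {"/"},
    "alice": {"/", "/logout", "/profile?id=1", "/post/edit?id=1"},
    "bob":   {"/", "/logout", "/profile?id=2", "/post/edit?id=2"},
    "root":  {"/", "/logout", "/admin/users", "/post/edit?id=1", "/post/edit?id=2"},
}

def expected_policy(site_maps):
    """Expected policy: a URL is reachable only by principals whose own site map lists it."""
    policy = defaultdict(set)
    for who, urls in site_maps.items():
        for url in urls:
            policy[url].add(who)
    return dict(policy)

def illegal_cases(site_maps, policy):
    """Every (principal, url) request the expected policy forbids."""
    return [(who, url) for who in site_maps for url in sorted(policy) if who not in policy[url]]

def classify(who, url, policy):
    """Privilege escalation if every legitimate principal outranks the tester, otherwise unauthorized access."""
    mine = RANK[ROLE[who]]
    vertical = all(RANK[ROLE[p]] > mine for p in policy[url])
    return "privilege escalation" if vertical else "unauthorized access"

def flawed_app(who, url):
    """Constructed stand-in for the application under test, with two deliberate access control defects."""
    if url == "/":
        return 200
    if ROLE[who] == "guest":
        return 302                     # anonymous users are redirected to login
    if url.startswith("/admin/"):
        return 200                     # defect: no admin check on /admin/users
    if url.startswith("/post/edit"):
        return 200                     # defect: no ownership check on edits
    if url.startswith("/profile"):
        owner = {"alice": "1", "bob": "2"}.get(who)
        return 200 if url == f"/profile?id={owner}" else 403
    return 200

def detect(site_maps, app):
    """Replay every illegal case and report those the application serves with HTTP 200."""
    policy = expected_policy(site_maps)
    return sorted({(who, url, classify(who, url, policy))
                   for who, url in illegal_cases(site_maps, policy) if app(who, url) == 200})
```

Running `detect(SITE_MAPS, flawed_app)` reports the two missing-ownership edits as unauthorized access and the two reachable admin pages as privilege escalation, while the correctly guarded profile pages produce no finding.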