Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis
Attackers can exploit vulnerabilities in Web applications to implement malicious behaviors such as disrupting application functionality and Trojan implantation.For the detection of access control vulnerabilities in Web applications,existing me-thods have high false alarm,leakage rates and low effici...
| Main Author: | |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: |
Editorial office of Computer Science
2023-02-01
|
| Series: | Jisuanji kexue |
| Subjects: | |
| Online Access: | https://www.jsjkx.com/fileup/1002-137X/PDF/1002-137X-2023-50-2-346.pdf |
| _version_ | 1797845057752006656 |
|---|---|
| author | MA Qican, WU Zehui, WANG Yunchao, WANG Xinlei |
| author_facet | MA Qican, WU Zehui, WANG Yunchao, WANG Xinlei |
| author_sort | MA Qican, WU Zehui, WANG Yunchao, WANG Xinlei |
| collection | DOAJ |
| description | Attackers can exploit vulnerabilities in Web applications to implement malicious behaviors such as disrupting application functionality and Trojan implantation.For the detection of access control vulnerabilities in Web applications,existing me-thods have high false alarm,leakage rates and low efficiency due to the difficulty of extracting code features and inaccuratebeha-vior portrayal.This paper proposes a method for detecting Web access control vulnerabilities based on state deviation analysis,which combines white-box testing techniques to extract access control-related constraints in code to generate Web application expected access policies,and then generates Web application actual access policies through dynamic analysis,converting the detection of access control vulnerabilities into the detection of state deviation.Using this technology to develop the prototype tool ACVD,it is possible to accurately detect the types of access control vulnerabilities such as unauthorized access and ultra vires access.Tested in 5 real Web applications,16 real vulnerabilities are found,and the recall rate reaches 98%,which is about 300% higher than traditional black box tools. |
| first_indexed | 2024-04-09T17:33:29Z |
| format | Article |
| id | doaj.art-4c357f56541c4728b15cbdf0b11d6fd8 |
| institution | Directory Open Access Journal |
| issn | 1002-137X |
| language | zho |
| last_indexed | 2024-04-09T17:33:29Z |
| publishDate | 2023-02-01 |
| publisher | Editorial office of Computer Science |
| record_format | Article |
| series | Jisuanji kexue |
| spelling | doaj.art-4c357f56541c4728b15cbdf0b11d6fd82023-04-18T02:33:17ZzhoEditorial office of Computer ScienceJisuanji kexue1002-137X2023-02-0150234635210.11896/jsjkx.211100166Approach of Web Application Access Control Vulnerability Detection Based on State Deviation AnalysisMA Qican, WU Zehui, WANG Yunchao, WANG Xinlei0State Key Laboratory of Mathematical Engineering and Advanced Computing,Information Engineering University,Zhengzhou 450001,ChinaAttackers can exploit vulnerabilities in Web applications to implement malicious behaviors such as disrupting application functionality and Trojan implantation.For the detection of access control vulnerabilities in Web applications,existing me-thods have high false alarm,leakage rates and low efficiency due to the difficulty of extracting code features and inaccuratebeha-vior portrayal.This paper proposes a method for detecting Web access control vulnerabilities based on state deviation analysis,which combines white-box testing techniques to extract access control-related constraints in code to generate Web application expected access policies,and then generates Web application actual access policies through dynamic analysis,converting the detection of access control vulnerabilities into the detection of state deviation.Using this technology to develop the prototype tool ACVD,it is possible to accurately detect the types of access control vulnerabilities such as unauthorized access and ultra vires access.Tested in 5 real Web applications,16 real vulnerabilities are found,and the recall rate reaches 98%,which is about 300% higher than traditional black box tools.https://www.jsjkx.com/fileup/1002-137X/PDF/1002-137X-2023-50-2-346.pdfweb application|access control vulnerability|logic vulnerability|finite state machine |
| spellingShingle | MA Qican, WU Zehui, WANG Yunchao, WANG Xinlei Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis Jisuanji kexue web application|access control vulnerability|logic vulnerability|finite state machine |
| title | Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis |
| title_full | Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis |
| title_fullStr | Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis |
| title_full_unstemmed | Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis |
| title_short | Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis |
| title_sort | approach of web application access control vulnerability detection based on state deviation analysis |
| topic | web application|access control vulnerability|logic vulnerability|finite state machine |
| url | https://www.jsjkx.com/fileup/1002-137X/PDF/1002-137X-2023-50-2-346.pdf |
| work_keys_str_mv | AT maqicanwuzehuiwangyunchaowangxinlei approachofwebapplicationaccesscontrolvulnerabilitydetectionbasedonstatedeviationanalysis |