Game-based detection method of broken access control vulnerabilities in Web application

HE Haitao; XU Ke; YANG Shuailin; ZHANG Bing; ZHAO Yuxuan; LI Jiazheng

Tongxin xuebao (Jun 2024)

Game-based detection method of broken access control vulnerabilities in Web application

HE Haitao,
XU Ke,
YANG Shuailin,
ZHANG Bing,
ZHAO Yuxuan,
LI Jiazheng

Affiliations

HE Haitao
XU Ke
YANG Shuailin
ZHANG Bing
ZHAO Yuxuan
LI Jiazheng

Journal volume & issue: Vol. 45
pp. 117 – 130

Abstract

Read online

To solve the problem that the access control strategy of the program in the industrial Internet was difficult to extract from the source code, and that the user’s access operation was difficult to trigger all access paths, which led to the difficulty of universal detection of logical vulnerabilities, game theory was applied to the access control logic vulnerability detection for the first time. The vulnerabilities were identified by analyzing the game results of different participants on resource pages in the Web application, so that the access logic of different users could be targeted to obtain. Experimental results demonstrate that the proposed method successfully detect 31 vulnerabilities, including 8 unreported ones, out of 11 open-source applications, with a detection range exceeding 90%.

Web application security;vulnerability detection;access control vulnerability;access control rule;game

Published in Tongxin xuebao

ISSN: 1000-436X (Print)
Publisher: Editorial Department of Journal on Communications
Country of publisher: China
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Telecommunication
Website: http://www.infocomm-journal.com/txxb/EN/1000-436X/home.shtml

About the journal

Abstract

Keywords