Jisuanji kexue (Feb 2023)

Approach of Web Application Access Control Vulnerability Detection Based on State Deviation Analysis

  • MA Qican, WU Zehui, WANG Yunchao, WANG Xinlei

DOI
https://doi.org/10.11896/jsjkx.211100166
Journal volume & issue
Vol. 50, no. 2
pp. 346 – 352

Abstract


Attackers can exploit vulnerabilities in Web applications to carry out malicious behaviours such as disrupting application functionality and implanting Trojans. For the detection of access control vulnerabilities in Web applications, existing methods suffer from high false-positive (false alarm) and false-negative (leakage) rates and low efficiency, because code features are hard to extract and application behaviour is portrayed inaccurately. This paper proposes a method for detecting Web access control vulnerabilities based on state deviation analysis. It combines white-box testing techniques to extract the access-control-related constraints in the code and generate the Web application's expected access policy, then generates the application's actual access policy through dynamic analysis, converting the detection of access control vulnerabilities into the detection of deviations between the two policies. The prototype tool ACVD, developed on this basis, accurately detects access control vulnerability types such as unauthorized access and ultra vires (privilege-escalating) access. Tested on 5 real Web applications, it found 16 real vulnerabilities with a recall rate of 98%, about 300% higher than that of traditional black-box tools.
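The following is an added illustration of the state-deviation idea, written for this page by the editor; it is not ACVD's code and the paper's constraint-extraction and dynamic-analysis machinery are not reproduced. As a stand-in for white-box constraint extraction, each handler of a constructed toy application declares its expected policy (minimum role, and whether only the resource owner may act); as a stand-in for dynamic analysis, every handler is exercised with a principal of every role on both its own and a foreign resource, and the observed grants form the actual policy. A deviation where the actual policy grants what the expected policy denies is classified as unauthorized (unauthenticated) access, vertical ultra vires, or horizontal ultra vires. All routes, roles, user ids and handler bodies are assumptions made up for the example; three handlers are deliberately broken and one corrected handler is included for comparison.

```python
"""State-deviation detection of access control flaws (illustrative, constructed).

Expected policy: declared per handler via @policy (stands in for constraints
extracted from code by white-box analysis).
Actual policy:   observed by exercising each handler with every role on an
owned and a foreign resource (stands in for dynamic analysis).
Deviation:       any (role, ownership) pair where actual grants and expected
denies (a vulnerability), or expected grants and actual denies (a functional
over-restriction, reported separately).
"""
from dataclasses import dataclass
from typing import Optional

ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}   # assumed role lattice
OWNER_ID = 7   # constructed: the probed resource belongs to user 7
OTHER_ID = 8   # constructed: some other authenticated user


@dataclass
class Request:
    role: str
    user_id: Optional[int]   # None for anonymous callers
    resource_owner: int      # owner of the resource the request targets


def policy(min_role, owner_only=False):
    """Attach the expected access policy to a handler (assumption: admins are
    exempt from owner_only, as in most role hierarchies)."""
    def deco(fn):
        fn.expected = (min_role, owner_only)
        return fn
    return deco


# --- constructed toy application; handlers return an HTTP-like status ---
@policy("anonymous")
def health(req):
    return 200                       # public endpoint, correct


@policy("admin")
def delete_user(req):
    return 200 if req.role == "admin" else 403   # correct


@policy("user", owner_only=True)
def view_profile(req):
    if req.role == "anonymous":
        return 401
    return 200                       # BROKEN: never compares user_id to owner


@policy("admin")
def export_report(req):
    if req.role == "anonymous":
        return 401
    return 200                       # BROKEN: checks login, not role


@policy("user")
def edit_settings(req):
    return 200                       # BROKEN: no check at all


@policy("user", owner_only=True)
def view_profile_fixed(req):
    if req.role == "anonymous":
        return 401
    if req.role != "admin" and req.user_id != req.resource_owner:
        return 403                   # ownership enforced
    return 200


APP = {"/health": health, "/admin/user/delete": delete_user,
       "/profile": view_profile, "/admin/report": export_report,
       "/settings": edit_settings}


def expected_allows(min_role, owner_only, role, is_owner):
    """Evaluate the declared policy for one (role, ownership) state."""
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        return False
    if owner_only and not is_owner and ROLE_RANK[role] < ROLE_RANK["admin"]:
        return False
    return True


def observe(handler):
    """Actual policy: drive the handler through every reachable state."""
    actual = {}
    for role in ROLE_RANK:
        for is_owner in (True, False):
            if role == "anonymous" and is_owner:
                continue             # an anonymous caller owns nothing
            uid = None if role == "anonymous" else (OWNER_ID if is_owner else OTHER_ID)
            status = handler(Request(role, uid, OWNER_ID))
            actual[(role, is_owner)] = status == 200
    return actual


def classify(min_role, role):
    """Name the kind of unexpected grant."""
    if role == "anonymous":
        return "unauthorized access"
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        return "vertical ultra vires"
    return "horizontal ultra vires"


def detect(app):
    """Return (path, role, is_owner, kind) for every state deviation."""
    findings = []
    for path, handler in app.items():
        min_role, owner_only = handler.expected
        for (role, is_owner), granted in observe(handler).items():
            should = expected_allows(min_role, owner_only, role, is_owner)
            if granted and not should:
                findings.append((path, role, is_owner, classify(min_role, role)))
            elif should and not granted:
                findings.append((path, role, is_owner, "over-restriction"))
    return findings


if __name__ == "__main__":
    for f in detect(APP):
        print(*f)
```

Run as a script it lists four deviations: one horizontal ultra vires on /profile (a user reading another user's profile), two vertical ultra vires on /admin/report (a user reaching an admin function, regardless of ownership), and one unauthorized access on /settings (an anonymous caller writing settings); /health and /admin/user/delete produce none, and the corrected view_profile_fixed produces none either. The point the example makes is the one in the abstract: once expected and actual policies are both expressed over the same state space, vulnerability detection reduces to comparing two tables, and the recall of that comparison is limited only by how completely the dynamic stage enumerates states.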

Keywords