Jisuanji kexue (Sep 2024)
Web Access Control Vulnerability Detection Approach Based on Site Maps
Abstract
Attackers usually exploit access control vulnerabilities in web applications to gain unauthorized access to systems or engage in malicious activities such as data theft.Existing methods for detecting access control vulnerabilities in web applications suffer from low page coverage and high detection overhead,resulting in high false negative rates and inefficient performance.To address this issue,a web access control vulnerability detection method based on sitemap is proposed using dynamic analysis.The method starts by establishing separate site maps for different user roles and combining them to create comprehensive site maps for each role.Then,by analyzing the site maps,the expected web application access control strategies are derived.Illegal test cases are constructed to dynamically access and analyze the execution results,enabling the detection of unauthorized access and privilege escalation vulnerabilities.Finally,the proposed method is validated on seven real-world open-source web applications.The results demonstrate that this approach significantly reduces overhead,achieves a page coverage rate of over 90%,and successfully detects 10 real vulnerabilities with a recall rate of 100%.
Keywords
