Tongxin xuebao (Jun 2024)
Game-based detection method of broken access control vulnerabilities in Web application
Abstract
To solve the problem that the access control strategy of the program in the industrial Internet was difficult to extract from the source code, and that the user’s access operation was difficult to trigger all access paths, which led to the difficulty of universal detection of logical vulnerabilities, game theory was applied to the access control logic vulnerability detection for the first time. The vulnerabilities were identified by analyzing the game results of different participants on resource pages in the Web application, so that the access logic of different users could be targeted to obtain. Experimental results demonstrate that the proposed method successfully detect 31 vulnerabilities, including 8 unreported ones, out of 11 open-source applications, with a detection range exceeding 90%.