基于站点地图的Web访问控制漏洞检测方法  

作　　者：任家东[1,2] 李尚洋 任蓉 张炳 王倩 REN Jiadong;LI Shangyang;REN Rong;ZHANG Bing;WANG Qian(School of Information Science and Engineering,Yanshan University,Qinhuangdao,Hebei 066004,China;The Key Laboratory of Software Engineering of Hebei Province,Qinhuangdao,Hebei 066004,China)

机构地区：[1]燕山大学信息科学与工程学院,河北秦皇岛066004 [2]河北省软件工程重点实验室,河北秦皇岛066004

出　　处：《计算机科学》2024年第9期416-424,共9页Computer Science

基　　金：国家自然科学基金面上项目(62376240);河北省省级科技计划资助(226Z0701G,236Z0702G,236Z0304G);河北省自然科学基金(F2022203026,F2022203089);河北省高等学校科学技术研究项目(BJK2022029);河北省创新能力提升计划项目(22567637H)。

摘　　要：攻击者通常利用Web应用程序的访问控制漏洞实现对系统的非授权访问、信息窃取等恶意行为。针对Web应用程序的访问控制漏洞的检测问题,现有方法由于页面覆盖率低、检测过程开销大等问题,因此漏报率过高且效率低下。为此,基于动态分析,提出了一种基于站点地图的Web访问控制漏洞检测方法。该方法首先为不同角色下的用户分别建立各自的站点地图,并形成不同角色的完整站点地图,再通过对其分析生成Web应用程序预期访问控制策略,构建非法测试用例进行动态访问并分析执行结果实现对未授权访问、越权访问等类型访问控制漏洞的检测。最后,在7个真实开源Web应用程序中对所提方法进行验证,结果表明该方法能有效降低开销,其页面覆盖率达到90%以上;发现了10个真实漏洞,准确率达到了100%。Attackers usually exploit access control vulnerabilities in web applications to gain unauthorized access to systems or engage in malicious activities such as data theft.Existing methods for detecting access control vulnerabilities in web applications suffer from low page coverage and high detection overhead,resulting in high false negative rates and inefficient performance.To address this issue,a web access control vulnerability detection method based on sitemap is proposed using dynamic analysis.The method starts by establishing separate site maps for different user roles and combining them to create comprehensive site maps for each role.Then,by analyzing the site maps,the expected web application access control strategies are derived.Illegal test cases are constructed to dynamically access and analyze the execution results,enabling the detection of unauthorized access and privilege escalation vulnerabilities.Finally,the proposed method is validated on seven real-world open-source web applications.The results demonstrate that this approach significantly reduces overhead,achieves a page coverage rate of over 90%,and successfully detects 10 real vulnerabilities with a recall rate of 100%.

关 键 词：访问控制 站点地图 测试用例 漏洞检测 CVE分析 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]