Game-based detection method of broken access control vulnerabilities in Web application

HE Haitao; XU Ke; YANG Shuailin; ZHANG Bing; ZHAO Yuxuan; LI Jiazheng

doi:10.11959/j.issn.1000-436x.2024078

您当前的位置：

首页 >

文章列表页 >

Game-based detection method of broken access control vulnerabilities in Web application

Topics：Technologies of Industrial Internet Security | 更新时间：2024-08-08

- Game-based detection method of broken access control vulnerabilities in Web application
- Journal on Communications Vol. 45, Issue 6, Pages: 117-130(2024)
- 作者机构：
  
  燕山大学信息科学与工程学院，河北秦皇岛 066004
- 作者简介：
- 基金信息：
  
  The National Natural Science Foundation of China(62376240);S&T Program of Hebei Province(226Z0701G;236Z0702G;236Z0304G);The Natural Science Foundation of Hebei Province(F2022203026;F2022203089);Science and Technology Project of Hebei Education Department(BJK2022029)
- DOI：10.11959/j.issn.1000-436x.2024078
  CLC： TP393
- Received：31 October 2023，
  
  Revised：2024-02-01，
  
  Published：25 June 2024
- 稿件说明：
移动端阅览
何海涛,许可,杨帅林等.基于博弈的Web应用程序中访问控制漏洞检测方法[J].通信学报,2024,45(06):117-130.

HE Haitao,XU Ke,YANG Shuailin,et al.Game-based detection method of broken access control vulnerabilities in Web application[J].Journal on Communications,2024,45(06):117-130.
何海涛,许可,杨帅林等.基于博弈的Web应用程序中访问控制漏洞检测方法[J].通信学报,2024,45(06):117-130. DOI： 10.11959/j.issn.1000-436x.2024078.

HE Haitao,XU Ke,YANG Shuailin,et al.Game-based detection method of broken access control vulnerabilities in Web application[J].Journal on Communications,2024,45(06):117-130. DOI： 10.11959/j.issn.1000-436x.2024078.

摘要

针对工业互联网中程序的访问控制策略隐藏在源码中难以提取，以及用户的访问操作难以触发所有访问路径而导致逻辑漏洞的通用化检测难以实现的问题，将博弈思想应用于访问控制逻辑漏洞检测中，通过分析不同参与者在Web应用程序中对资源页面的博弈结果来识别漏洞，使得不同用户的访问逻辑能被有针对性地获取。实验结果表明，所提方法在开源的11个程序中检测出31个漏洞，其中8个为未公开的漏洞，漏洞检测覆盖率均超过90%。

Abstract

To solve the problem that the access control strategy of the program in the industrial Internet was difficult to extract from the source code

and that the user’s access operation was difficult to trigger all access paths

which led to the difficulty of universal detection of logical vulnerabilities

game theory was applied to the access control logic vulnerability detection for the first time. The vulnerabilities were identified by analyzing the game results of different participants on resource pages in the Web application

so that the access logic of different users could be targeted to obtain. Experimental results demonstrate that the proposed method successfully detect 31 vulnerabilities

including 8 unreported ones

out of 11 open-source applications

with a detection range exceeding 90%.

关键词

Keywords

references

中国信息安全测评中心 . 2022年网络空间安全漏洞分析研究报告 [R ] . 2022 .

China Information Technology Security Evaluation Center . 2022 cyberspace security vulnerability analysis and research report [R ] . 2022 .

SHAHID J , HAMEED M K , JAVED I T , et al . A comparative study of Web application security parameters: current trends and future directions [J ] . Applied Sciences , 2022 , 12 ( 8 ): 4077 - 4100 .

BENANTAR M . Access control systems: security, identity management and trust models [M ] . Berlin : Springer , 2010 .

BLUNDO C , CIMATO S , SINISCALCHI L . Managing constraints in role based access control [J ] . IEEE Access , 2020 , 8 : 140497 - 140511 .

ZAIDI T , USMAN M , AFTAB M U , et al . Fabrication of flexible role-based access control based on blockchain for Internet of things use cases [J ] . IEEE Access , 2023 , 11 : 106315 - 106333 .

MA B L , LIU Y , CHI C , et al . Research on access control and authority management of industrial Internet identification and resolution system [C ] // Proceedings of the 2022 3rd International Conference on Electronics, Communications and Information Technology (CECIT) . Piscataway : IEEE Press , 2022 : 78 - 82 .

ZHONG L . A survey of prevent and detect access control vulnerabilities [J ] . arXiv Preprint , arXiv: 2304.10600 , 2023 .

LI X W , YAN W , XUE Y . SENTINEL: securing database from logic flaws in Web applications [C ] // Proceedings of the Second ACM Conference on Data and Application Security and Privacy . New York : ACM Press , 2012 : 25 - 36 .

DEEPA G , THILAGAM P S , PRASEED A , et al . DetLogic: a black-box approach for detecting logic vulnerabilities in Web applications [J ] . Journal of Network and Computer Applications , 2018 , 109 : 89 - 109 .

LI X W , XUE Y . LogicScope: automatic discovery of logic vulnerabilities within Web applications [C ] // Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security . New York : ACM Press , 2013 : 481 - 486 .

LE H T , SHAR L K , BIANCULLI D , et al . Automated reverse engineering of role-based access control policies of Web applications [J ] . Journal of Systems and Software , 2022 , 184 : 111109 .

文硕 , 许静 , 苑立英 , 等 . 基于策略推导的访问控制漏洞测试用例生成方法 [J ] . 计算机学报 , 2017 , 40 ( 12 ): 2658 - 2670 .

WEN S , XU J , YUAN L Y , et al . A test case generation approach for exploiting access control vulnerabilities based on policy inference [J ] . Chinese Journal of Computers , 2017 , 40 ( 12 ): 2658 - 2670 .

夏志坚 , 彭国军 , 胡鸿富 . 基于权限验证图的Web应用访问控制漏洞检测 [J ] . 计算机工程与应用 , 2018 , 54 ( 12 ): 63 - 68 .

XIA Z J , PENG G J , HU H F . Detection of access control vulnerabilities in Web applications based on privilege verification graph [J ] . Computer Engineering and Applications , 2018 , 54 ( 12 ): 63 - 68 .

SON S , MCKINLEY K S , SHMATIKOV V . RoleCast: finding missing security checks when you do not know what checks are [C ] // Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications . New York : ACM Press , 2011 : 1069 - 1084 .

MONSHIZADEH M , NALDURG P , VENKATAKRISHNAN V N . MACE: detecting privilege escalation vulnerabilities in Web applications [C ] // Proceedings of the Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security . New York : ACM Press , 2014 : 690 - 701 .

PAN K F , WANG Q . Static detection of access control vulnerabilities in vue applications [J ] . Journal of Physics: Conference Series . 2020 , 1646 ( 1 ): 012021 .

LI Q Y , LI Y , LIU S C , et al . Incomplete information stochastic game theoretic vulnerability management for wide-area damping control against cyber attacks [J ] . IEEE Journal on Emerging and Selected Topics in Circuits and Systems , 2022 , 12 ( 1 ): 124 - 134 .

WANG J , GONG J X , LIN Z Q , et al . Multidimensional depth oriented fuzzing method of java Web applications [J ] . Netinfo Security , 2024 , 24 ( 2 ): 282 - 292 .

SADINENI G , ARCHANA M , TANGUTURI R C . A highly efficient intrusion detection and packet tracking based on game theory approach [C ] // Proceedings of the 2021 Emerging Trends in Industry 4.0 (ETI 4.0) . Piscataway : IEEE Press , 2021 : 1 - 5 .

ARISDAKESSIAN S , ABDEL W O , MOURAD A , et al . A survey on IoT intrusion detection: federated learning, game theory, social psychology, and explainable AI as future directions [J ] . IEEE Internet of Things Journal , 2023 , 10 ( 5 ): 4059 - 4092 .

SUN F Q , XU L , SU Z D . Static detection of access control vulnerabilities in Web applications [C ] // Proceedings of the 20th USENIX Conference on Security . Berkeley : USENIX Association , 2011 : 1 - 16 .

GAUTHIER F , MERLO E . Fast detection of access control vulnerabilities in PHP applications [C ] // Proceedings of the 2012 19th Working Conference on Reverse Engineering . Piscataway : IEEE Press , 2012 : 247 - 256 .

REN J D , WU M Y , ZHANG B , et al . DetAC: approach to detect access control vulnerability in Web application based on sitemap model with global information representation [J ] . International Journal of Software Engineering and Knowledge Engineering , 2023 , 33 ( 9 ): 1327 - 1354 .

ZHOU W , CAO C , HUO D D , et al . Reviewing IoT security via logic bugs in IoT platforms and systems [J ] . IEEE Internet of Things Journal , 2021 , 8 ( 14 ): 11621 - 11639 .

Views

1014

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Smart contract vulnerability detection method based on Bi-modal cross-attention mechanism

Smart contract vulnerability detection method based on pre-training and novel timing graph neural network

MP2P high capacity and security resource node selection strategy based on Bayesian game

Data provision for IoT searches:an auction approach

High-throughput and low-overhead probabilistic routing based on multi-player bargaining game for opportunistic networks

Related Author

MIN Xirun

CAI Saihua

HU Xinyi

CHEN Jinfu

LI Yaolin

SUN Jianguo

WANG Cheng

FAN Zekai

Related Institution

School of Computer Science and Communication Engineering, Jiangsu University

Jiangsu Key Laboratory of Security Technology for Industrial Cyberspace, Jiangsu University

Collage of Computer Science and Technology, Harbin Engineering University

Hangzhou Institute of Technology, Xidian University

School of Computer Science and Technology,Beijing Institute of Technology

AI问答

⁰