基于博弈的Web应用程序中访问控制漏洞检测方法OA北大核心CSTPCD
Game-based detection method of broken access control vulnerabilities in Web application
针对工业互联网中程序的访问控制策略隐藏在源码中难以提取,以及用户的访问操作难以触发所有访问路径而导致逻辑漏洞的通用化检测难以实现的问题,将博弈思想应用于访问控制逻辑漏洞检测中,通过分析不同参与者在Web应用程序中对资源页面的博弈结果来识别漏洞,使得不同用户的访问逻辑能被有针对性地获取.实验结果表明,所提方法在开源的11个程序中检测出31个漏洞,其中8个为未公开的漏洞,漏洞检测覆盖率均超过90%.
To solve the problem that the access control strategy of the program in the industrial Internet was difficult to extract from the source code,and that the user's access operation was difficult to trigger all access paths,which led to the difficulty of universal detection of logical vulnerabilities,game theory was applied to the access control logic vulner-ability detection for the first time.The vulnerabilities were identified by analyzing the game results of different partici-pants on resource pages in the Web application,so that the access logic of different users could be targeted to obtain.Ex-perimental results demonstrate that the proposed method successfully detect 31 vulnerabilities,including 8 unreported ones,out of 11 open-source applications,with a detection range exceeding 90%.
何海涛;许可;杨帅林;张炳;赵宇轩;李嘉政
燕山大学信息科学与工程学院,河北 秦皇岛 066004
计算机与自动化
Web应用程序安全漏洞检测访问控制漏洞访问控制策略博弈
Web application securityvulnerability detectionaccess control vulnerabilityaccess control rulegame
《通信学报》 2024 (006)
117-130 / 14
国家自然科学基金资助项目(No.62376240);河北省省级科技计划基金资助项目(No.226Z0701G,No.236Z0702G,No.236Z0304G);河北省自然科学基金资助项目(No.F2022203026,No.F2022203089);河北省创新能力提升计划基金资助项目(No.22567637H);河北省高等学校科学技术研究基金资助项目(No.BJK2022029)The National Natural Science Foundation of China(No.62376240),S&T Program of Hebei Province(No.226Z0701G,No.236Z0702G,No.236Z0304G),The Natural Science Foundation of Hebei Province(No.F2022203026,No.F2022203089),Innova-tion Capability Improvement Plan Project of Hebei Province(No.22567637H),Science and Technology Project of Hebei Education Department(No.BJK2022029)
评论