
Game-based detection method of broken access control vulnerabilities in Web application

He Haitao (何海涛), Xu Ke (许可), Yang Shuailin (杨帅林), Zhang Bing (张炳), Zhao Yuxuan (赵宇轩), Li Jiazheng (李嘉政)

Journal on Communications (通信学报), 2024, Vol. 45, Issue 6: 117-130 (14 pages). DOI: 10.11959/j.issn.1000-436x.2024078


Author information

  • 1. School of Information Science and Engineering, Yanshan University, Qinhuangdao, Hebei 066004, China

Abstract

To solve the problem that the access control strategy of a program in the industrial Internet is difficult to extract from the source code, and that a user's access operations rarely trigger all access paths, which makes universal detection of logical vulnerabilities difficult, game theory was applied to access control logic vulnerability detection for the first time. Vulnerabilities were identified by analyzing the game results of different participants on resource pages in the Web application, so that the access logic of different users could be obtained in a targeted way. Experimental results demonstrate that the proposed method successfully detects 31 vulnerabilities, including 8 unreported ones, in 11 open-source applications, with a detection range exceeding 90%.

Keywords

Web application security / vulnerability detection / access control vulnerability / access control rule / game

Category

Information technology and security science

Cite this article

He Haitao, Xu Ke, Yang Shuailin, Zhang Bing, Zhao Yuxuan, Li Jiazheng. Game-based detection method of broken access control vulnerabilities in Web application [J]. Journal on Communications, 2024, 45(6): 117-130.

Funding

  • National Natural Science Foundation of China (No. 62376240)
  • S&T Program of Hebei Province (No. 226Z0701G, No. 236Z0702G, No. 236Z0304G)
  • Natural Science Foundation of Hebei Province (No. F2022203026, No. F2022203089)
  • Innovation Capability Improvement Plan Project of Hebei Province (No. 22567637H)
  • Science and Technology Project of Hebei Education Department (No. BJK2022029)

Journal on Communications (通信学报), ISSN 1000-436X. Indexed in: OA, Peking University Core Journals (北大核心), CSTPCD.
