
LLM-enhanced Static Analysis for Detecting Broken Object Level Authorization Vulnerabilities in Java Web Applications (基于大语言模型增强的Java Web应用对象级授权漏洞静态检测方法)

孟海宁, 李炼

信息安全研究 2026, Vol. 12, Issue 5: 394-401, 8. DOI: 10.12379/j.issn.2096-1057.2026.05.01

Author information

孟海宁 1, 李炼 2

  • 1. State Key Laboratory of Processors (Institute of Computing Technology, Chinese Academy of Sciences), Beijing 100190
  • 2. University of Chinese Academy of Sciences, Beijing 100190

Abstract

Broken object level authorization (BOLA) is currently one of the critical security threats to Web applications. As a typical unauthorized-access vulnerability, BOLA arises when a system fails to properly validate a user's access permissions to the target object. The key to static detection of BOLA vulnerabilities lies in accurately identifying object-level sensitive operations and analyzing unprotected access behaviors during path traversal. Since BOLA is an application-logic-level vulnerability, detection effectiveness depends directly on how precisely the expected object-level authorization policies are understood. However, existing detection methods predominantly rely on empirical heuristic rules to identify sensitive and protected operations, which makes them hard to adapt to the actual business logic of different applications and results in high false-positive and false-negative rates. To address this limitation, this paper proposes LLM4BOLA, a large language model (LLM)-enhanced static detection method for BOLA vulnerabilities in Web applications. First, it leverages the LLM's code comprehension and semantic reasoning capabilities to infer the object-level sensitive operations and custom authorization policies of a specific business scenario. Then, it identifies the diverse permission-protection mechanisms in use. Finally, it comprehensively detects missing object-level permission checks along the paths from request entry points to sensitive operations. Experimental results demonstrate that the proposed method not only effectively detects known vulnerabilities but also discovers unknown ones, significantly outperforming traditional rule-based approaches in detection accuracy.
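The last step of the abstract, checking every path from a request entry point to a sensitive operation for a missing object-level permission check, is easy to picture on a small call graph. The following Python script is an added example and is not code from the paper or from the LLM4BOLA tool. It models a hypothetical Java order-management application as a hand-built call graph; the labels that LLM4BOLA would obtain from the LLM (which methods are object-level sensitive operations, which ones implement an authorization check) are supplied by hand here, and callee lists are kept in source order so that a check placed after the operation can be told apart from one placed before it. All method names are constructed.

```python
"""Toy path-based detector for missing object-level authorization checks.

Added example, not LLM4BOLA's code. LLM4BOLA uses an LLM to label which
methods are object-level sensitive operations and which implement an
authorization check; here those labels are supplied by hand on a constructed
call graph of a hypothetical Java order-management application. Callee lists
are in source order, so "check before operation" can be distinguished from
"check after operation".
"""
from dataclasses import dataclass, field


@dataclass
class Method:
    """One Java method in the call graph (constructed, hypothetical app)."""
    callees: list = field(default_factory=list)  # invoked methods, in source order
    entry: bool = False       # HTTP request entry point, e.g. a @GetMapping handler
    sensitive: bool = False   # object-level operation on a user-owned object selected by id
    auth_check: bool = False  # verifies the caller may access that specific object


# Constructed call graph; the labels stand in for what the LLM would infer.
GRAPH = {
    # GET /orders/{id}: loads any order by id with no ownership check
    "OrderController.getOrder": Method(["OrderService.findOrder"], entry=True),
    "OrderService.findOrder": Method(["OrderRepository.findById"]),
    # POST /orders/{id}/cancel: ownership asserted before the update
    "OrderController.cancelOrder": Method(["OrderService.cancelOrder"], entry=True),
    "OrderService.cancelOrder": Method(["AccessControl.assertOwner",
                                        "OrderRepository.updateStatus"]),
    # DELETE /orders/{id}: ownership asserted only after the delete (too late)
    "OrderController.deleteOrder": Method(["OrderService.deleteOrder"], entry=True),
    "OrderService.deleteOrder": Method(["OrderRepository.delete",
                                        "AccessControl.assertOwner"]),
    "AccessControl.assertOwner": Method(["OrderRepository.findById"], auth_check=True),
    "OrderRepository.findById": Method(sensitive=True),
    "OrderRepository.updateStatus": Method(sensitive=True),
    "OrderRepository.delete": Method(sensitive=True),
}


def find_unprotected_paths(graph, max_depth=10):
    """Return every call path from an entry point to a sensitive operation on
    which no object-level authorization check runs first."""
    findings = []

    def walk(name, path, protected):
        method = graph[name]
        if method.sensitive:
            if not protected:
                findings.append(path)
            return
        if len(path) > max_depth:
            return
        for i, callee in enumerate(method.callees):
            if callee not in graph or callee in path:  # unknown target or recursion
                continue
            # A check invoked earlier in this method guards the calls after it;
            # descending into a check method itself is also guarded.
            guarded = (protected
                       or graph[callee].auth_check
                       or any(graph[c].auth_check for c in method.callees[:i] if c in graph))
            walk(callee, path + [callee], guarded)

    for name, method in graph.items():
        if method.entry:
            walk(name, [name], False)
    return findings


def format_report(findings):
    """Human-readable lines, one per unprotected path."""
    return [f"BOLA candidate: {' -> '.join(p)}" for p in findings]


if __name__ == "__main__":
    for line in format_report(find_unprotected_paths(GRAPH)):
        print(line)
```

Run as a script it reports two candidates: the `getOrder` path, which reaches `OrderRepository.findById` with no check at all, and the `deleteOrder` path, where `assertOwner` is called only after the delete has already happened. The `cancelOrder` path is silent because the ownership check precedes the update. The ordering rule is a deliberate simplification of the path-sensitive analysis the paper describes; a real tool would also have to reason about the object identity the check covers, which is exactly the part LLM4BOLA delegates to the LLM.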

Key words

broken object level authorization / static analysis / vulnerability detection / Web application security / software security

Category

Information Technology and Security Science

Cite this article

孟海宁, 李炼. LLM-enhanced Static Analysis for Detecting Broken Object Level Authorization Vulnerabilities in Java Web Applications [J]. 信息安全研究 (Journal of Information Security Research), 2026, 12(5): 394-401, 8.

Funding

National Natural Science Foundation of China (62132020)

Journal: 信息安全研究 (Journal of Information Security Research), ISSN 2096-1057
