Detection of Access Control Vulnerabilities in Web Applications Based on Privilege Verification Graph
Cite this article: XIA Zhijian, PENG Guojun, HU Hongfu. Detection of access control vulnerabilities in Web applications based on privilege verification graph[J]. Computer Engineering and Applications, 2018, 54(12): 63-68. DOI: 10.3778/j.issn.1002-8331.1702-0164
Authors: XIA Zhijian, PENG Guojun, HU Hongfu
Affiliation: School of Computer, Wuhan University, Wuhan 430072, China
Abstract: To address the lack of effective means of detecting access control vulnerabilities in Web applications, a detection algorithm based on a privilege verification graph is proposed. First, on top of the program's control flow graph (CFG), privilege verification nodes and resource nodes are identified and connected into a privilege verification graph by T and F edges. Then, all privilege verification paths leading to each resource node are traversed, the verification privilege of each path is computed and compared with the access privilege of the resource node, and the result shows whether an access control vulnerability exists. Experiments on seven Web applications found eight known and unknown vulnerabilities; compared with existing access control vulnerability detection algorithms, this algorithm effectively detects four kinds of access control vulnerabilities and broadens the scope of vulnerability detection.

Keywords: Web application; privilege control; privilege verification graph; vulnerability detection

Detection of access control vulnerabilities in Web applications based on privilege verification graph
XIA Zhijian,PENG Guojun,HU Hongfu. Detection of access control vulnerabilities in Web applications based on privilege verification graph[J]. Computer Engineering and Applications, 2018, 54(12): 63-68. DOI: 10.3778/j.issn.1002-8331.1702-0164
Authors: XIA Zhijian, PENG Guojun, HU Hongfu
Affiliation: School of Computer, Wuhan University, Wuhan 430072, China
Abstract: Concerning the lack of effective ways to detect access control vulnerabilities in Web applications, a new detection algorithm based on a privilege verification graph is proposed. Firstly, privilege verification nodes and resource nodes are identified on the program's Control Flow Graph (CFG) and connected into a privilege verification graph by T and F edges. Then, all privilege verification routes leading to a resource node are traversed to compute the route verification privilege, which is compared with the access privilege of the resource node to detect whether an access control vulnerability exists. The experiment detected eight known and unknown vulnerabilities in seven Web applications. Compared with existing access control detection algorithms, the algorithm can effectively detect four kinds of access control vulnerabilities and expands the scope of vulnerability detection.
Keywords: Web application; access control; privilege verification graph; vulnerability detection
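As an added illustration of the traversal the abstract sketches (this is not the authors' implementation): a small privilege verification graph in which one resource is reached on three paths, one passing the admin check on its T edge, one continuing after the check's F edge, and one bypassing the check entirely. The node kinds, edge labels and the sample handler graph are assumptions made for the example.

```python
"""Toy privilege verification graph (PVG) checker: added illustration, not the authors' code.
Assumed model (the page gives no formal definition): "check" nodes verify one privilege and leave
on a T or F edge, "resource" nodes require one privilege, "plain" nodes are any other CFG node.
A path's verification privilege is the set of privileges checked on the T edges it traverses."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Node:
    kind: str                                   # "check", "resource" or "plain"
    privilege: str = ""                         # checked (check) or required (resource)
    edges: List[Tuple[str, str]] = field(default_factory=list)  # (label, successor id)

def verification_paths(g: Dict[str, Node], entry: str, target: str) -> List[List[Tuple[str, str]]]:
    """All simple paths entry -> target, each as a list of (node id, outgoing edge label)."""
    found: List[List[Tuple[str, str]]] = []
    def walk(nid: str, path: List[Tuple[str, str]], seen: Set[str]) -> None:
        if nid == target:
            found.append(path)
            return
        for label, nxt in g[nid].edges:
            if nxt not in seen:                 # ignore loops; each path visits a node once
                walk(nxt, path + [(nid, label)], seen | {nxt})
    walk(entry, [], {entry})
    return found

def path_privilege(g: Dict[str, Node], path: List[Tuple[str, str]]) -> Set[str]:
    """Privileges actually established on this path: only checks left on their T edge count."""
    return {g[n].privilege for n, lbl in path if g[n].kind == "check" and lbl == "T"}

def find_vulnerabilities(g: Dict[str, Node], entry: str) -> List[Tuple[str, str]]:
    """Report (resource, route) for every path that reaches a resource without its privilege."""
    findings: List[Tuple[str, str]] = []
    for rid, node in g.items():
        if node.kind != "resource":
            continue
        for path in verification_paths(g, entry, rid):
            if node.privilege not in path_privilege(g, path):
                route = " -> ".join(f"{n}[{l}]" if l else n for n, l in path) + f" -> {rid}"
                findings.append((rid, route))
    return findings

# Constructed sample graph (a sketch of an admin handler, not taken from the paper).
SAMPLE = {
    "entry": Node("plain", edges=[("", "mode")]),
    "mode":  Node("plain", edges=[("", "chk"), ("", "del")]),   # a branch that bypasses the check
    "chk":   Node("check", "admin", edges=[("T", "del"), ("F", "err")]),
    "err":   Node("plain", edges=[("", "del")]),                # error shown, but no exit(): falls through
    "del":   Node("resource", "admin"),                         # deleting a user requires admin
}
```

Running `find_vulnerabilities(SAMPLE, "entry")` reports the F-edge fall-through and the bypass branch, while the path through `chk[T]` is accepted.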