
Research On Access Control Vulnerability Detection Methods Based On A Combination Of Dynamic And Static

Posted on: 2024-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: M Y Wu
Full Text: PDF
GTID: 2568307151460624
Subject: Computer Science and Technology

Abstract/Summary:
Access control vulnerabilities are among the most dangerous vulnerabilities in Web applications; compared with other vulnerability classes, they are both more harmful and harder to detect. Most existing detection methods rely on dynamic analysis or static analysis alone, and suffer from heavy manual involvement, low automation, a high leakage (missed-detection) rate, and low page coverage. To address this, this thesis proposes an access control vulnerability detection method that combines dynamic and static detection techniques. The main contents are as follows.

First, because existing models for detecting access control vulnerabilities are poorly expressive and do not cover the full range of access control vulnerability types, a site map model with global information representation is proposed. It can completely represent the expected behavior of the application and express both its control flow and data flow characteristics.

Second, a combination of static and dynamic analysis is used to construct the site map model with global information representation. In the static analysis stage, a static preloading algorithm and a redundant link extraction method for Web applications are proposed; these generate a static site-wide site map model and yield the application's static control flow characteristics. The dynamic analysis stage then executes the application automatically, extracts execution trace information, generates the site map model with global information representation, and obtains the application's dynamic control flow and data flow characteristics.

Third, an access control vulnerability detection model based on the site map model and a fuzzy hash algorithm is established. The model first proposes an access control policy extraction method and a method for generating the attack vector corresponding to each vulnerability, and then decides whether an application page is vulnerable by comparing the similarity between the HTTP response obtained from normal access to the Web application server and the HTTP response obtained from access with the attack vector.

Finally, this thesis designs and implements a prototype system, DetAC, and uses it to detect vulnerabilities in several benchmark applications. The experimental results show that the proposed method detects access control vulnerabilities effectively and performs well on the evaluation metrics of leakage rate, false alarm rate, and page coverage rate.
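The comparison step of the detection model above, as an added illustration that is not DetAC's code and not part of the thesis: each page in a constructed site map is requested once with the role the map says it requires and once with each lower-privileged session, and the page is flagged when the weaker session still receives a success status and a body nearly identical to the entitled one. The site map, the in-process fake server, the privilege ranking and the use of character n-gram Jaccard similarity in place of the thesis's fuzzy hash are all assumptions of this example.

```python
"""Added illustration: flagging missing authorization checks by comparing
HTTP responses. Constructed stand-in for the comparison step described in the
abstract; not DetAC's code. The site map, fake server and similarity measure
(n-gram Jaccard instead of the thesis's fuzzy hash) are assumptions."""
from typing import Callable, Dict, List, Set, Tuple

# Constructed site map: URL -> role the page is expected to require.
SITE_MAP: Dict[str, str] = {
    "/dashboard": "user",
    "/admin/users": "admin",
    "/admin/settings": "admin",
    "/reports/export": "admin",
}

# Privilege order used to choose lower-privileged sessions for each page.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}
ROLES_BY_RANK = sorted(ROLE_RANK, key=ROLE_RANK.get)


def fake_server(path: str, role: str) -> Tuple[int, str]:
    """Constructed application. /admin/users deliberately skips its role check
    (the defect to be found). /reports/export denies with a 200 'soft' error
    page that reuses the page layout, the case a status-code-only check misses."""
    if path == "/admin/users":
        return 200, ("<html><h1>User management</h1><table><tr><td>alice</td>"
                     "<td>admin</td></tr></table></html>")
    if path == "/reports/export":
        body = "<pre>id,total\n1,42</pre>" if role == "admin" else "<p>Forbidden</p>"
        return 200, "<html><h1>Reports</h1>" + body + "</html>"
    required = SITE_MAP[path]
    if ROLE_RANK[role] >= ROLE_RANK[required]:
        return 200, f"<html><h1>{path}</h1><p>content for role {required}</p></html>"
    return 302, "<html>Redirecting to /login</html>"


def shingles(text: str, n: int = 4) -> Set[str]:
    """Character n-gram shingles: a small fuzzy signature of a response body."""
    return {text[i:i + n] for i in range(max(1, len(text) - n + 1))}


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the two shingle sets, in [0, 1]."""
    sa, sb = shingles(a), shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def detect_access_control_flaws(
    site_map: Dict[str, str],
    fetch: Callable[[str, str], Tuple[int, str]],
    threshold: float = 0.9,
) -> List[Tuple[str, str, float]]:
    """Request each page as the entitled role, then as every lower role (the
    'attack vector' is the same request with a weaker session). A page is
    flagged when the weaker session still gets a 2xx status and a body at least
    `threshold` similar to the entitled response."""
    findings: List[Tuple[str, str, float]] = []
    for path, required in site_map.items():
        ok_status, ok_body = fetch(path, required)
        if not 200 <= ok_status < 300:
            continue  # the baseline itself failed; nothing to compare against
        for role in ROLES_BY_RANK:
            if ROLE_RANK[role] >= ROLE_RANK[required]:
                break  # only strictly lower-privileged sessions are of interest
            status, body = fetch(path, role)
            score = similarity(ok_body, body)
            if 200 <= status < 300 and score >= threshold:
                findings.append((path, role, round(score, 3)))
    return findings


if __name__ == "__main__":
    for page, role, score in detect_access_control_flaws(SITE_MAP, fake_server):
        print(f"{page}: reachable as '{role}' (similarity {score})")
```

Only `/admin/users` is reported: the redirect-to-login pages fail the status check, and the soft-denied `/reports/export` shares its layout with the entitled response but scores well below the threshold. On real applications a large shared header and footer inflate similarity for every page, so the threshold has to be calibrated per application (for example against a response known to be denied) rather than fixed.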
Keywords/Search Tags:Network Security, Access Control, Vulnerability Detection, Permissions, Web Applications