Research On Access Control Vulnerability Detection Method Based On Dynamic Execution And Fuzzy Test

With the rapid development and increasing popularity of the Internet,web applications have become a fairly important part of people’s lives,but with it comes the problem that web security vulnerabilities are also becoming more and more serious.Access control is a defense measure against unauthorized use of system resources,and is an essential module for almost all Web applications,so access control vulnerability is a kind of Web application vulnerability with wide impact and great threat.Therefore,this thesis studies and discusses the detection of access control vulnerabilities based on the full study of crawler technology,vulnerability detection technology and the principle of access control vulnerabilities.The main research work of this thesis is as follows.Firstly,to address the problems of redundant and messy information crawling by traditional crawlers and the lack of depth of crawling caused by only crawling the surface web page but not the deep web page information that can be generated only after the form is submitted,an improved web crawler is proposed to efficiently obtain and detect the sitewide links of the website,and Selenium automation technology is used to realize the automatic filling of the form in the crawling process,which can obtain the form deep pages after filling,effectively improving the coverage rate of the crawler.And based on the track information collected by the crawler to derive the expected access control policy.Secondly,to address the problems of low test case coverage and low detection efficiency of traditional vulnerability detection techniques,this thesis improves on the original detection method and proposes a directed fuzzy testing technique based on the session mechanism,which constructs attack vectors by parsing the identity information of legal users and replacing them with illegal user identities in a directed manner,avoiding the use of randomly generated test cases for submission and effectively improving the This technique can effectively improve the accuracy of attack vector hits in fuzzy testing,thus detecting access control vulnerabilities in applications more efficiently.Finally,this thesis designs and implements an access control vulnerability detection model based on dynamic execution and fuzzy testing,and conducts experimental evaluation of vulnerability detection using a set of benchmark open source Web applications,using crawler time consumption,crawl coverage,vulnerability detection rate,and leakage rate as metrics.The effectiveness of the access control vulnerability detection model implemented in this thesis is verified through experiments.