Cite this article
  • Song Hong. 基于响应相似性判定的Web越权漏洞测试方法 [J]. 信息安全学报 (Journal of Cyber Security), accepted
  • Song Hong. Black-box Test Method for Web Authentication Bypass Vulnerability Based on Response Similarity Determination [J]. Journal of Cyber Security, accepted


Test Method for Web Authorization Bypass (越权) Vulnerabilities Based on Response Similarity Determination
Song Hong
(Central South University)
Abstract:
A Web authorization bypass (越权) vulnerability is a Web application flaw that lets an attacker access other users' data under an identity that was never authorized to see it (broken access control, for example an insecure direct object reference). The manual testing methods commonly used for such flaws are inefficient and demand considerable expertise from the tester, while existing automated vulnerability testing methods are defeated by the heterogeneity of each site's business logic and so do not fit the detection of Web authorization bypass flaws. To address this, the paper proposes a black-box test method for Web authorization bypass vulnerabilities based on response similarity determination. From traffic captured for several users, the method automatically identifies the interfaces to be tested for authorization bypass; it then generates test cases by replacing the identity mark (such as the session cookie) in a captured request and sending them to the interface under test, and decides whether an authorization bypass exists from the similarity of the returned results. For the determination step, Web response structure similarity is used to decide which traffic belongs to the same interface, and Web response content similarity is used both to select the interfaces to test and to decide whether an authorization bypass vulnerability is present. Tests on open-source sites and on production sites show that the method finds every known authorization bypass vulnerability in the open-source sites and also uncovered several previously unknown ones, which were confirmed manually.
Keywords: authorization bypass vulnerability; black-box testing; Web security
Received: 2023-06-19; Revised: 2023-08-03
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
Black-box Test Method for Web Authentication Bypass Vulnerability Based on Response Similarity Determination
Song Hong
(Central South University)
Abstract:
A Web authentication bypass vulnerability, as the term is used in this paper, is a Web application vulnerability that allows an attacker to access other users' data under an unauthorized identity (that is, a broken access control flaw, not a flaw in the login step itself). The manual vulnerability testing methods in common use are inefficient and place high demands on testers' expertise, while existing automated vulnerability testing methods are affected by the heterogeneity of website business logic and are therefore unsuitable for detecting Web unauthorized access vulnerabilities. In view of these problems, we propose a black-box testing method for Web authentication bypass vulnerabilities based on response similarity determination. The method automatically identifies the interfaces to be tested from multi-user access traffic, generates test cases by replacing the identity mark in a captured access request and sending the result to the interface under test, and then decides whether an unauthorized access vulnerability exists from the similarity of the returned results. In the determination step, HTTP response structure similarity is used to decide which traffic belongs to the same interface, and HTTP response content similarity is used both to select the interfaces to test and to decide whether an authentication bypass vulnerability exists. We tested the method on open-source websites and on production websites. The results show that it detects all known authentication bypass vulnerabilities in the open-source websites as well as several previously unknown ones, which were verified manually.
Keywords: authentication bypass vulnerability; black-box testing; Web security
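The pipeline both abstracts describe (group captured traffic by response structure, keep the interfaces whose content varies per user, swap the identity mark, compare the replayed response with the original user's response) as an added Python example. This is not the paper's code or tool: the target server, the two users' traffic, the path normalisation and the two similarity measures (difflib ratios over JSON key paths and over word tokens, with 0.9 thresholds) are all constructed assumptions for the demo; the paper does not state which measures or thresholds it uses.

```python
# Added example, not the paper's code: an offline model of response-similarity IDOR testing.
# The target server, the captured traffic and the similarity measures are constructed assumptions.
import difflib
import json
import re
from collections import namedtuple

# One captured request/response pair; cookie is the request's identity mark (session).
Exchange = namedtuple("Exchange", "user method path cookie body")


def normalize_path(path):
    # Collapse numeric segments so /api/orders/17 and /api/orders/42 share one template.
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def structure_signature(body):
    """Response skeleton with values dropped: JSON key paths plus value types, or the HTML tag sequence."""
    try:
        obj = json.loads(body)
    except ValueError:
        return re.findall(r"</?\s*([a-zA-Z][\w-]*)", body)
    sig = []
    def walk(node, prefix):
        if isinstance(node, dict):
            for key in sorted(node):
                walk(node[key], f"{prefix}.{key}")
        elif isinstance(node, list):
            sig.append(f"{prefix}:list")
            if node:
                walk(node[0], prefix + "[]")
        else:
            sig.append(f"{prefix}:{type(node).__name__}")
    walk(obj, "$")
    return sig


def structure_similarity(a, b):
    return difflib.SequenceMatcher(None, structure_signature(a), structure_signature(b)).ratio()


def content_similarity(a, b):
    # Word-token ratio (assumed measure): 1.0 means the same data came back.
    return difflib.SequenceMatcher(None, re.findall(r"\w+", a), re.findall(r"\w+", b)).ratio()


# Constructed target: two sessions, each user owning one order.
SESSIONS = {"sess=a1": "alice", "sess=b2": "bob"}
ORDERS = {
    17: {"id": 17, "owner": "alice", "address": "12 Rue de la Paix, Paris", "total": 120.5, "items": ["ssd", "ram"]},
    42: {"id": 42, "owner": "bob", "address": "455 Market St, San Francisco", "total": 35.0, "items": ["cable"]},
}


def fake_server(method, path, cookie, enforce_owner):
    """Stand-in for the site under test; with enforce_owner=False the order endpoint trusts the URL id."""
    user = SESSIONS.get(cookie)
    m = re.fullmatch(r"/api/orders/(\d+)", path)
    if method == "GET" and m and int(m.group(1)) in ORDERS:
        order = ORDERS[int(m.group(1))]
        if enforce_owner and order["owner"] != user:
            return 403, json.dumps({"error": "forbidden"})
        return 200, json.dumps(order)  # with enforce_owner off any session gets any order: the IDOR
    if method == "GET" and path == "/api/about":
        return 200, "<html><body><h1>About</h1><p>Public page</p></body></html>"
    return 404, json.dumps({"error": "not found"})


def capture(enforce_owner):
    """Constructed multi-user traffic: each user views their own order and the public page."""
    exchanges = []
    for cookie, user in SESSIONS.items():
        own = next(i for i, o in ORDERS.items() if o["owner"] == user)
        for path in (f"/api/orders/{own}", "/api/about"):
            exchanges.append(Exchange(user, "GET", path, cookie, fake_server("GET", path, cookie, enforce_owner)[1]))
    return exchanges


def group_by_interface(exchanges, struct_t=0.9):
    """Step 1: cluster traffic into interfaces by method, path template and response structure similarity."""
    groups = []
    for ex in exchanges:
        for group in groups:
            rep = group[0]
            if (rep.method == ex.method and normalize_path(rep.path) == normalize_path(ex.path)
                    and structure_similarity(rep.body, ex.body) >= struct_t):
                group.append(ex)
                break
        else:
            groups.append([ex])
    return groups


def find_idor(exchanges, enforce_owner, struct_t=0.9, content_t=0.9):
    """Steps 2-3: keep interfaces whose content differs per user, then replay A's request with B's cookie."""
    findings = {}
    for group in group_by_interface(exchanges, struct_t):
        a = group[0]
        b = next((e for e in group if e.user != a.user), None)
        if b is None or content_similarity(a.body, b.body) >= content_t:
            continue  # single-user interface, or identical content for everyone (public data)
        status, body = fake_server(a.method, a.path, b.cookie, enforce_owner)
        # Flag only if B's session got A's data back. If the server ignored the URL id and returned
        # B's own record, similarity to a.body stays low and nothing is flagged.
        findings[normalize_path(a.path)] = status == 200 and content_similarity(body, a.body) >= content_t
    return findings
```

With the owner check off, `find_idor(capture(False), False)` returns `{'/api/orders/{id}': True}`: Bob's session replaying Alice's request gets Alice's order back token for token. With the check on, the replay is answered with a 403 and the same interface is reported as `False`. The public `/api/about` page never reaches the replay step, because both users' captured responses are identical and step 2 discards it; that filter is what keeps a checker of this kind from flagging every endpoint that merely returns the same data to everyone.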