Cite this article:
  • SONG Hong, MA Junlong, WANG Weiping, ZHU Yilang, WANG Jianxing. Black-box Testing Method for Web Authentication Bypass Vulnerability Based on Response Similarity Determination [J]. Journal of Cyber Security (信息安全学报), 2025, 10(2): 17-29
Black-box Testing Method for Web Authentication Bypass Vulnerability Based on Response Similarity Determination (基于响应相似性判定的Web越权漏洞测试方法)
SONG Hong, MA Junlong, WANG Weiping, ZHU Yilang, WANG Jianxing
(School of Computer Science and Engineering, Central South University, Changsha 410012, China)
Abstract (translated from the Chinese):
Web authentication bypass (越权) vulnerabilities are a high-frequency class of web application vulnerability that lets an attacker access other users' data under an unauthorized identity. The manual testing methods currently in common use rely on security experts testing the web application by hand, which is inefficient and demands a high level of expertise from the tester; existing automated vulnerability testing methods mainly target the XSS, SQL injection and similar vulnerabilities common in web applications and, because of the heterogeneity of website business logic, are not suited to detecting web authentication bypass vulnerabilities. To address these problems, this paper proposes a black-box testing method for web authentication bypass vulnerabilities based on response similarity determination. From the differences between the results returned to users of different identities who access the same interface, the method infers the access control permission the interface requires, thereby discovering interfaces with access permission requirements as candidates for testing and reducing the number of test cases that fuzzing needs. It then replaces the identity marker in the access request to generate the original user's normal request and the unauthorized user's bypass request as test cases against the candidate interface, and judges from the similarity of the returned results whether an authentication bypass vulnerability exists. For the determination itself, web response structure similarity is used to decide which traffic belongs to the same interface, and web response content similarity is used to decide whether an interface is a candidate and whether a vulnerability exists. We tested the method on datasets of open-source websites and real websites; the results show that it detects all known authentication bypass vulnerabilities in the open-source websites and also finds several previously unknown ones, which were confirmed manually.
Keywords: authentication bypass vulnerability; black-box testing; web security
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.03.02
Received: 2023-06-19; Revised: 2023-08-03
Funding: This work was supported by the National Natural Science Foundation of China (No. 62272486).
Black-box Testing Method for Web Authentication Bypass Vulnerability Based on Response Similarity Determination
SONG Hong, MA Junlong, WANG Weiping, ZHU Yilang, WANG Jianxing
(School of Computer Science and Engineering, Central South University, Changsha 410012, China)
Abstract:
Web authentication bypass vulnerabilities are a prevalent class of web application vulnerability that allows attackers to access other users' data under an unauthorized identity. Such vulnerabilities are commonly tested by manual methods that rely heavily on security expert knowledge; manual testing is inefficient and demands highly qualified testers. Existing automated vulnerability testing methods primarily target common web application vulnerabilities such as XSS and SQL injection and, because of the heterogeneity of website business logic, are not suited to detecting web authentication bypass vulnerabilities. In view of these problems, we propose a black-box testing method for web authentication bypass vulnerabilities based on response similarity determination. The method automatically identifies candidate interfaces by inferring the access control permissions they require from the differences among the results returned to different users accessing the same interface. These identified interfaces are used to generate test cases for specific access permissions, which avoids purposeless test cases and improves the efficiency of fuzz testing. The method then replaces the identity marks in access requests to generate request test cases for an authorized user and an unauthorized user, and uses them to attempt to bypass the access control of the targeted interfaces. Finally, it determines from the similarity of the returned results whether an authentication bypass vulnerability exists. In the determination stage, HTTP response structure similarity is used to identify traffic belonging to the same interface, and HTTP response content similarity is used both to identify the interfaces to be tested and to decide whether an authentication bypass vulnerability exists.
To verify the effectiveness and feasibility of the proposed method, we used datasets of open-source websites and real websites. The results show that the method detects all known authentication bypass vulnerabilities in the open-source websites as well as several previously unknown authentication bypass vulnerabilities, which have been verified manually.
Key words: authentication bypass vulnerability; black-box testing; web security
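The abstract describes three decisions that hinge on two similarity measures: response structure similarity groups traffic into interfaces, and response content similarity first picks out interfaces that return per-user data and then decides whether a replayed request answered with the owner's content. The block below is an added illustration of that pipeline on constructed JSON responses; it is not the authors' code, and the paper's actual measures, thresholds and response formats are not reproduced here. JSON-only responses, Jaccard overlap of path/type and path/value sets, and the two threshold values are assumptions made for this example.

```python
"""
Added example (not the authors' code): the two similarity tests described in the
abstract, applied to constructed JSON responses. JSON responses, Jaccard similarity
and the two thresholds below are assumptions made for this illustration.
"""
import json
from typing import Any, Iterator, Set, Tuple

# Assumed thresholds for this example (the paper's values are not reproduced here).
STRUCTURE_THRESHOLD = 0.9  # at or above: the two responses come from the same interface
CONTENT_THRESHOLD = 0.8    # at or above: the two responses carry the same content


def _leaves(node: Any, spath: str = "", cpath: str = "") -> Iterator[Tuple[str, str, Any]]:
    """Yield (structural path, concrete path, value) for every scalar in a JSON tree.
    The structural path writes list positions as [] so lists of different length share
    one shape; the concrete path keeps the index so contents can be compared."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _leaves(child, f"{spath}/{key}", f"{cpath}/{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from _leaves(child, f"{spath}[]", f"{cpath}[{index}]")
    else:
        yield spath, cpath, node


def _jaccard(a: Set[str], b: Set[str]) -> float:
    """Set overlap in [0, 1]; two empty responses count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def structure_signature(body: str) -> Set[str]:
    """Shape of a response: every scalar's structural path and type, values dropped."""
    return {f"{spath}:{type(value).__name__}" for spath, _, value in _leaves(json.loads(body))}


def content_signature(body: str) -> Set[str]:
    """Content of a response: every scalar's concrete path together with its value."""
    return {f"{cpath}={value!r}" for _, cpath, value in _leaves(json.loads(body))}


def structure_similarity(a: str, b: str) -> float:
    return _jaccard(structure_signature(a), structure_signature(b))


def content_similarity(a: str, b: str) -> float:
    return _jaccard(content_signature(a), content_signature(b))


def same_interface(resp_a: str, resp_b: str) -> bool:
    """Structure similarity groups traffic: same shape, same interface."""
    return structure_similarity(resp_a, resp_b) >= STRUCTURE_THRESHOLD


def needs_access_control(resp_user_a: str, resp_user_b: str) -> bool:
    """Two legitimate users calling the same interface with their own identities and
    receiving different content: the interface serves per-user data, so it becomes a
    candidate for the bypass test."""
    return content_similarity(resp_user_a, resp_user_b) < CONTENT_THRESHOLD


def bypass_detected(resp_owner_normal: str, resp_bypass: str) -> bool:
    """resp_bypass answers the owner's request re-sent with the other user's identity
    marker. If it matches the owner's own response, access control did not hold."""
    return content_similarity(resp_owner_normal, resp_bypass) >= CONTENT_THRESHOLD


def assess(resp_a_own: str, resp_b_own: str, resp_b_as_a: str) -> str:
    """Run the three steps on one interface and return a verdict label."""
    if not same_interface(resp_a_own, resp_b_own):
        return "different-interface"
    if not needs_access_control(resp_a_own, resp_b_own):
        return "no-access-control-needed"
    if bypass_detected(resp_a_own, resp_b_as_a):
        return "vulnerable"
    return "protected"


# Constructed sample responses (not captured from any real site).
ALICE_ORDER = '{"id": 101, "owner": "alice", "items": [{"sku": "A1", "qty": 2}], "total": 40.0}'
BOB_ORDER = ('{"id": 202, "owner": "bob", "items": [{"sku": "B7", "qty": 1}, '
             '{"sku": "C3", "qty": 4}], "total": 15.5}')
FORBIDDEN = '{"error": "forbidden", "code": 403}'
PUBLIC_INFO = '{"name": "Shop", "currency": "EUR"}'

if __name__ == "__main__":
    # Alice's order request replayed with Bob's session returns Alice's data: the check failed.
    print("leaky order endpoint:", assess(ALICE_ORDER, BOB_ORDER, ALICE_ORDER))
    # The same replay is refused: the check held.
    print("checked order endpoint:", assess(ALICE_ORDER, BOB_ORDER, FORBIDDEN))
    # Everyone sees the same content: nothing to test.
    print("public endpoint:", assess(PUBLIC_INFO, PUBLIC_INFO, PUBLIC_INFO))
```

Run as an authorization regression test against a staging deployment, the three verdict inputs come from two test accounts you control. Two practical caveats: volatile fields (timestamps, request ids, CSRF tokens) must be stripped before the content comparison, otherwise a leaked response can fall below the threshold and be misreported as protected; and HTML responses need a structural signature built from the tag sequence rather than JSON key paths, which is why the abstract separates structure similarity from content similarity in the first place.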