DetAC: Approach to Detect Access Control Vulnerability in Web Application Based on Sitemap Model with Global Information Representation

Abstract

Access control vulnerabilities that lead to elevated privileges are among the most dangerous vulnerabilities in Web applications. Most of the existing detection methods use dynamic or static analysis techniques alone, which suffer from high manual involvement, low automation, high leakage rate, low page coverage, and other deficiencies. To this end, this paper proposes a novel access control vulnerability detection method (DetAC) based on a sitemap model with global information representation. This method first constructs a static site-wide sitemap model based on the page link addresses in the Web application source code through static analysis techniques. After that, the application is logged in and executed dynamically with different role users. During this process, execution traces and request parameters are collected and converted into annotations to fill the corresponding edges of the static site-wide sitemap model. Then, the sitemap model with global information representation is obtained. This model can represent both the global control flow and data flow of the application. Then DetAC analyzes the role-based and user-based access control policies of the Web application based on the node reachability and annotated data features of the model. And according to the information such as role, user, and access resources, it generates attack vectors to achieve different roles and the same role of different users to access each other’s resources. Finally, access control vulnerabilities are detected based on the equivalence of the results obtained using attack vector access and normal access to the Web application server. DetAC was validated on five real open-source Web applications, and the results showed that DetAC successfully detected up to 12 access control vulnerabilities, which are more than those of the traditional seven tools. The dynamic analysis page coverage rate was significantly improved during the detection process, reaching an average of 91.37%.