logicvulnerabilities are largely dependent on the expected functions of web applications. Their appearance depends on both application logic and related security policy which may change based on modifications in busi...
详细信息
logicvulnerabilities are largely dependent on the expected functions of web applications. Their appearance depends on both application logic and related security policy which may change based on modifications in business requirements. Accordingly, there are no specific and common patterns for logicvulnerabilities moreover, a security policy is required for their detection. In this study, a vulnerability detection method is proposed to detect logicvulnerabilities via analysing the program source code. Security checks enforce some constraints in the application so that the application behaves according to the logic intended by the programmer. The main goal is to find the vulnerabilities caused by bypassing some security checks. In this method, known as annotation-based vulnerability detection approach (ANOVUL), control and data flows are analysed to detect the application logicvulnerabilities. To analyse the flows of the program, access control and authenticity labelling are used. To evaluate ANOVUL, the authors have collected a data set. This comprises of PHP applications with reported logicvulnerabilities that have common vulnerabilities and exposures (CVE) identifiers. Based on the results, a 73% detection rate was achieved in the data set. The proposed method can detect logicvulnerabilities that are not detectable using conventional methods.
暂无评论