DRacv: Detecting and auto-repairing vulnerabilities in role-based access control in web application
Authors: Ke Xu, Bing Zhang, Jingyue Li, Haitao He, Rong Ren, Jiadong Ren
Journal: Journal of Network and Computer Applications, volume 240, Article 104191
Publication type: Journal Article; publication date: 2025-04-20
DOI: 10.1016/j.jnca.2025.104191
URL: https://www.sciencedirect.com/science/article/pii/S1084804525000888
Journal impact factor: 7.7; JCR quartile: Q1 (Computer Science, Hardware & Architecture); open access: no
Citations: 0

Abstract
Traditional methods for analyzing Broken Access Control (BAC) vulnerabilities have limitations regarding low coverage of access control rules and a high false positive rate (FPR). Additionally, state-of-the-art strategies for repairing BAC vulnerabilities that use statement-level replacement as the repair method may introduce new logical errors. To address these challenges, we propose a novel approach called DRacv (Detect and Repair Access Control Vulnerabilities) to identify and auto-repair vulnerabilities in the Role-Based Access Control (RBAC) model used in web applications. To detect vulnerabilities, DRacv first constructs a Fine-grained Global Multi-attribute Architectural Navigation Graph model (FG-MANG) for web applications through dynamic execution and static analysis, which characterizes the full relationships between roles, privileges, and accessible page resources. Based on access control rules extracted from FG-MANG, DRacv generates targeted attack payloads to detect BAC vulnerabilities, significantly reducing the FPR and eliminating redundant attack payloads. To auto-repair the identified vulnerabilities, DRacv first precisely extracts access control privilege parameters, validation functions, and contextual statements to construct patch code templates. These templates generate user- and role-level verification patch code for different users and roles. Instead of changing the vulnerable code, the patch code behaves like a firewall: it is added as separate files and invoked by the vulnerable web page to defend against access control compromises. DRacv was evaluated on 12 popular open-source web applications in PHP and Java. From these applications, DRacv identified 35 vulnerabilities (11 were new) with only one false positive, achieving an FPR of 2.78%. We also compared DRacv's detection results with state-of-the-art studies. Results show that DRacv outperforms those studies regarding the number of vulnerabilities detected and FPR. Among the 35 vulnerabilities detected, DRacv automatically repaired 34 of them, achieving a repair rate of 97.14%. The evaluation results also show that DRacv auto-fixed more vulnerabilities than the two state-of-the-art auto-repairing methods.
Journal description:
The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as the WWW; emerging standards for internet protocols; wireless networks; mobile computing; emerging computing models such as cloud computing and grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.