Yu Nie , Jianming Fu , Xinghang Lv , Chao Li , Shixiong Yang , Guojun Peng
Title: WAScope: Detecting privacy data leakage with web application-specific API confusion
DOI: 10.1016/j.aej.2025.08.006
Journal: Alexandria Engineering Journal, volume 128, pages 1145-1158
Published: 2025-08-26 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S1110016825008774
Citation count: 0
Abstract
The number of web applications deployed on the internet has exceeded one billion, and together they accumulate vast amounts of user privacy data. The compromise of such data may lead to severe consequences. While existing research has primarily focused on data exfiltration through system APIs, the security risks posed by application-specific APIs have been largely overlooked. These APIs directly manage the collection, processing, and transmission of sensitive user data, making them critical attack surfaces. This study systematically investigates privacy data leakage caused by unauthorized access through web application-specific APIs. We present WAScope (Web Application-specific API Scope), a dynamic analysis tool that detects privacy leakage by combining API confusion techniques with a customized privacy dictionary. We conducted experiments on 100 real-world web applications using WAScope. The tool identified 15,593 privacy-aware API data flows across 76 applications, among which 2,757 APIs were manually confirmed to expose sensitive data due to improper access controls. Manual validation of the findings revealed a 9% false positive rate. We reported these vulnerabilities to the China National Vulnerability Database (CNVD) and received 10 official CNVD-IDs, which demonstrate the effectiveness of WAScope.
Journal description:
Alexandria Engineering Journal is an international journal devoted to publishing high quality papers in the field of engineering and applied science. Alexandria Engineering Journal is cited in the Engineering Information Services (EIS) and the Chemical Abstracts (CA). The papers published in Alexandria Engineering Journal are grouped into five sections, according to the following classification:
• Mechanical, Production, Marine and Textile Engineering
• Electrical Engineering, Computer Science and Nuclear Engineering
• Civil and Architecture Engineering
• Chemical Engineering and Applied Sciences
• Environmental Engineering