Abstract
Three kinds of business logic vulnerabilities are currently common in Web applications: interface enumeration, unauthorized access (broken access control), and sensitive information postback. Under the SaaS service model, an attacker who exploits them can obtain cloud-hosted data illegitimately, causing losses to both vendors and users. Mainstream detection approaches are not automated: they rely on penetration testing driven by the tester's experience, which struggles to cover the complex business logic of a Web application completely. This paper analyzes the business logic of cloud data service Web applications, builds a threat model that abstracts the three logic vulnerabilities, designs a fuzzing-based vulnerability detection algorithm and system framework, and implements a prototype system. Experimental results show that the proposed scheme can detect the three logic vulnerabilities that lead to cloud data leakage and, combined with human expertise, achieves automated penetration testing. Testing on real Web applications uncovered previously unpatched instances of all three vulnerability types, which the vendors have confirmed, improving the coverage of vulnerability discovery.
Business logic vulnerabilities such as interface enumeration, unauthorized access and sensitive information postback are widespread in current Web applications. Under the SaaS service model they can be exploited to leak sensitive cloud data, causing economic loss to vendors and users. Penetration testing, the most common countermeasure, cannot be applied automatically: its effectiveness depends on the experience of the testers, and it does not achieve complete coverage of complex Web application architectures. In this paper we explore how to automatically detect, by fuzzing, the vulnerabilities that cause cloud data leakage. We analyze and model the business logic of cloud data service Web applications, provide a threat model for three representative business logic vulnerabilities, design a vulnerability detection system, and implement a prototype. The experimental results show that the solution detects potential vulnerabilities and helps security experts improve the coverage of penetration tests.
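The abstract names three logic-flaw classes and a replay/fuzzing approach but gives no detail of the checks. The following is an added illustration, not the paper's prototype or its algorithm: it runs three simple detectors (ID mutation for interface enumeration, cross-session replay for unauthorized access, pattern matching for sensitive information postback) against a constructed in-memory mock API so that it executes offline. The mock backend, its tokens, document IDs, and the regular expressions are all assumptions made for the example; the "fixed_app" variant shows the same API with the missing ownership check added.

```python
"""Added example (not the paper's prototype): three replay-based fuzz checks for
logic flaws in a cloud-data Web API, run against a constructed mock backend."""
import json
import re

# ---- constructed mock SaaS backend (stands in for a real HTTP JSON service) ----
# Deliberately flawed: sequential document IDs, no ownership check, PII echoed back.
USERS = {"tok-alice": 1, "tok-bob": 2}            # session token -> user id (assumed)
DOCS = {
    1001: {"owner": 1, "title": "Q1 plan", "phone": "13800138000",
           "pwd_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
    1002: {"owner": 2, "title": "Bob notes", "phone": "13900139000"},
    1003: {"owner": 1, "title": "Q2 plan"},
}

def mock_app(path, token):
    """Return (status, body) the way an HTTP JSON API would."""
    uid = USERS.get(token)
    if uid is None:
        return 401, {"error": "unauthenticated"}
    m = re.fullmatch(r"/api/doc/(\d+)", path)
    if not m:
        return 404, {"error": "no route"}
    doc = DOCS.get(int(m.group(1)))
    if doc is None:
        return 404, {"error": "no such doc"}
    # Flaw under test: the handler never verifies doc["owner"] == uid.
    return 200, doc

def fixed_app(path, token):
    """Same API with the ownership check added (the 'after' of the fix)."""
    status, body = mock_app(path, token)
    if status == 200 and body.get("owner") != USERS[token]:
        return 403, {"error": "forbidden"}
    return status, body

# ---- detectors (the fuzzing logic) ----
SENSITIVE = {   # value patterns treated as sensitive data (assumed for the example)
    "phone_cn": re.compile(r"^1[3-9]\d{9}$"),
    "md5_hash": re.compile(r"^[0-9a-f]{32}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
}

def check_enumeration(app, template, known_id, token, radius=3, threshold=2):
    """Interface enumeration: mutate a known numeric ID by +/- radius and collect
    the other IDs that also resolve with HTTP 200. Returns the list of such IDs
    when at least `threshold` of them resolve, otherwise an empty list."""
    hits = []
    for delta in range(-radius, radius + 1):
        if delta == 0:
            continue
        status, _ = app(template.format(known_id + delta), token)
        if status == 200:
            hits.append(known_id + delta)
    return hits if len(hits) >= threshold else []

def check_unauthorized(app, path, owner_token, other_token):
    """Unauthorized (horizontal) access: replay the owner's request under another
    user's session. Identical 200 responses mean there is no ownership check."""
    s1, b1 = app(path, owner_token)
    s2, b2 = app(path, other_token)
    return s1 == 200 and s2 == 200 and b1 == b2

def check_sensitive_postback(body):
    """Sensitive information postback: walk the JSON body and report every
    (field path, pattern name) whose string value matches a sensitive pattern."""
    findings = []
    def walk(prefix, v):
        if isinstance(v, dict):
            for k, x in v.items():
                walk(f"{prefix}.{k}" if prefix else k, x)
        elif isinstance(v, list):
            for i, x in enumerate(v):
                walk(f"{prefix}[{i}]", x)
        elif isinstance(v, str):
            for name, pat in SENSITIVE.items():
                if pat.match(v):
                    findings.append((prefix, name))
    walk("", body)
    return findings

def run_all(app=mock_app):
    """Run the three checks against one backend and return a findings report."""
    report = {}
    report["enumeration"] = check_enumeration(app, "/api/doc/{}", 1001, "tok-alice")
    report["unauthorized"] = check_unauthorized(app, "/api/doc/1001", "tok-alice", "tok-bob")
    _, body = app("/api/doc/1001", "tok-alice")
    report["sensitive"] = check_sensitive_postback(body)
    return report

if __name__ == "__main__":
    print(json.dumps(run_all(mock_app), indent=2))   # flawed backend: all three flagged
    print(json.dumps(run_all(fixed_app), indent=2))  # ownership check closes the replay hole
```

Against a real target the `app` callable would wrap an HTTP client; the detectors only need (status, parsed body) pairs. Note that the enumeration check signals a design property (guessable sequential IDs) rather than a bug by itself; it becomes exploitable only when combined with the missing ownership check, which is why `fixed_app` also drops the enumeration hit count below the threshold for a non-owner.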
Authors
姜百合 (JIANG Baihe)
傅建明 (FU Jianming)
王应军 (WANG Yingjun)
王亚丽 (WANG Yali)
黄坚伟 (HUANG Jianwei)
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan 430072, Hubei, China; School of Computer, Wuhan University, Wuhan 430072, Hubei, China; Information Center, 62101 Unit, Wuhan 430072, Hubei, China
Source
Journal of Wuhan University (Natural Science Edition) (《武汉大学学报(理学版)》)
Indexed in: CAS, CSCD, Peking University Core Journals (北大核心)
2018, No. 2, pp. 115-120 (6 pages)
Funding
Supported by the National Natural Science Foundation of China (U1636107, 61373168, 61202387)