Research On Access Control Vulnerability Detection And Repair Method Based On Sitemap

Posted on: 2024-09-13
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Li
GTID: 2568307151460464
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of information technology, the security of network applications has become increasingly important, and security testing of applications has become indispensable. Compared with other vulnerabilities in Web applications, access control vulnerabilities are harder to identify because access control policy specifications are lacking. Traditional access control vulnerability analysis methods have low page coverage, high detection overhead, and repair strategies with poor reusability and comprehensibility. To solve these problems, this paper studies access control vulnerabilities: it simulates users accessing applications through Web crawlers and collects the requests and responses, builds site maps and identifies potential access control vulnerabilities, then locates the access control mechanism, and finally uses the constructed access control repair template to remedy the defects in the access control mechanism. Firstly, to address the low crawling efficiency and low coverage of existing Web crawlers, a page deduplication method based on URL semantic similarity is proposed, and an automatic form-filling method based on the selenium-wire tool is designed, improving both the coverage and the efficiency of Web crawlers. Secondly, the collected user execution trajectories are used to build a site map and deduce the application's access control policy; using the authentication mechanism based on the HTTP protocol, a site-map-based test case generation technique is proposed, in which illegal test cases are constructed through directed modification of legal test cases, reducing the randomness of illegal test case construction and enabling the detection of access control vulnerabilities. Thirdly, considering that current work focuses mainly on the detection of access control vulnerabilities, an RBAC-based access control vulnerability repair method is proposed: the access control mechanism is located by extracting sensitive information from the source code, and an access control mechanism repair template is then constructed, achieving semi-automatic repair of access control vulnerabilities. Finally, validity verification is carried out on seven open-source applications.
Keywords/Search Tags:Network security, Access control, Vulnerability detection, Vulnerability repair, role