Computer Engineering and Applications ›› 2018, Vol. 54 ›› Issue (12): 63-68.DOI: 10.3778/j.issn.1002-8331.1702-0164
XIA Zhijian, PENG Guojun, HU Hongfu
夏志坚,彭国军,胡鸿富
Abstract: To address the lack of effective means for detecting access control vulnerabilities in Web applications, a new detection algorithm based on a privilege verification graph is proposed. First, privilege verification nodes and resource nodes are identified on the program Control Flow Graph (CFG), and the nodes are connected into a privilege verification graph by T and F edges. Then, all privilege verification paths leading to a resource node are traversed to compute the path verification privilege, which is compared with the resource node's access privilege to detect whether an access control vulnerability exists. In experiments, the algorithm detected eight known and unknown vulnerabilities in seven Web applications. Compared with existing access control vulnerability detection algorithms, it can effectively detect four kinds of access control vulnerabilities and expands the scope of vulnerability detection.
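The following Python model illustrates the detection idea in the abstract: a privilege verification graph built from a CFG-like structure, T/F edges out of verification nodes, enumeration of every path to a resource node, and a comparison of the privilege proven along each path with the privilege the resource requires. It is an added example written for this page, not the authors' implementation; the hierarchical privilege levels (guest < user < admin), the node and edge layout, and the rule that a path's verified privilege is the highest level whose check was passed on a T edge are constructed assumptions.

```python
"""Privilege verification graph (PVG) check, modelled on the abstract above.

Added example; not the paper's code. Privilege ordering and the sample
graph are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed hierarchical privilege levels: a higher level includes the lower ones.
GUEST, USER, ADMIN = 0, 1, 2
LEVEL_NAME = {GUEST: "guest", USER: "user", ADMIN: "admin"}

Path = List[Tuple[str, Optional[str]]]  # (node name, edge label taken from it)


@dataclass
class Node:
    name: str
    verifies: Optional[int] = None   # privilege verification node: level it checks
    requires: Optional[int] = None   # resource node: level needed to access it
    # successors as (target, label); label is "T"/"F" out of a verification node,
    # None for an unconditional control-flow edge
    edges: List[Tuple[str, Optional[str]]] = field(default_factory=list)


class PrivilegeVerificationGraph:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}

    def add(self, node: Node) -> None:
        self.nodes[node.name] = node

    def edge(self, src: str, dst: str, label: Optional[str] = None) -> None:
        self.nodes[src].edges.append((dst, label))

    def paths(self, start: str, target: str) -> List[Path]:
        """All simple paths from start to target (target itself is not listed)."""
        found: List[Path] = []

        def dfs(name: str, path: Path, seen: set) -> None:
            if name == target:
                found.append(list(path))
                return
            for dst, label in self.nodes[name].edges:
                if dst in seen:
                    continue          # skip cycles
                path.append((name, label))
                seen.add(dst)
                dfs(dst, path, seen)
                path.pop()
                seen.discard(dst)

        dfs(start, [], {start})
        return found

    def route_privilege(self, path: Path) -> int:
        """Privilege proven along a route: the highest level whose check was
        passed (left through its T edge). F edges and unconditional edges
        prove nothing."""
        level = GUEST
        for name, label in path:
            node = self.nodes[name]
            if node.verifies is not None and label == "T":
                level = max(level, node.verifies)
        return level

    def find_vulnerabilities(self, entry: str) -> List[Tuple[str, List[str], int]]:
        """Report (resource, path, proven level) for every path whose proven
        privilege is below what the resource requires."""
        findings = []
        for res in self.nodes.values():
            if res.requires is None:
                continue
            for p in self.paths(entry, res.name):
                got = self.route_privilege(p)
                if got < res.requires:
                    findings.append((res.name, [n for n, _ in p] + [res.name], got))
        return findings


def build_sample_graph() -> PrivilegeVerificationGraph:
    """Constructed sample: two checks, three resources, two flaws."""
    g = PrivilegeVerificationGraph()
    for n in (Node("entry"), Node("check_login", verifies=USER),
              Node("check_admin", verifies=ADMIN), Node("login_page"),
              Node("dashboard", requires=USER), Node("delete_user", requires=ADMIN),
              Node("export_data", requires=USER)):
        g.add(n)
    g.edge("entry", "check_login")
    g.edge("check_login", "check_admin", "T")
    g.edge("check_login", "login_page", "F")
    g.edge("check_admin", "delete_user", "T")
    g.edge("check_admin", "dashboard", "F")
    g.edge("dashboard", "delete_user")        # flaw: link that skips the admin check
    g.edge("entry", "export_data")            # flaw: resource reachable with no check
    return g


if __name__ == "__main__":
    for res, path, got in build_sample_graph().find_vulnerabilities("entry"):
        print(f"{res}: path {' -> '.join(path)} proves only {LEVEL_NAME[got]}")
```

Running the sample reports two findings: `delete_user` reachable through `dashboard` with only user privilege proven, and `export_data` reachable from the entry with no verification at all. Real code would derive the nodes and edges from the application's CFG rather than hand-building them, and the privilege lattice would come from the application's own role model.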
Key words: Web application, access control, privilege verification graph, vulnerability detection
Abstract (translated from the Chinese): To address the problem that access control vulnerabilities in Web applications lack effective detection means, a detection algorithm based on a privilege verification graph is proposed. First, on the basis of the program control flow graph (CFG), privilege verification nodes and resource nodes are identified and connected into a privilege verification graph through T and F edges. Then, all privilege verification paths corresponding to a resource node are traversed, the path verification privilege is computed and compared with the resource node's access privilege, and it is determined whether an access control vulnerability exists. Experimental results show that 8 known and unknown vulnerabilities were found in 7 Web applications; compared with existing access control vulnerability detection algorithms, this algorithm can effectively detect 4 kinds of access control vulnerabilities and expands the scope of vulnerability detection.
Key words (translated from the Chinese): Web application, access control, privilege verification graph, vulnerability detection
XIA Zhijian, PENG Guojun, HU Hongfu. Detection of access control vulnerabilities in Web applications based on privilege verification graph[J]. Computer Engineering and Applications, 2018, 54(12): 63-68.
夏志坚, 彭国军, 胡鸿富. Detection of access control vulnerabilities in Web applications based on privilege verification graph[J]. 计算机工程与应用 (Computer Engineering and Applications), 2018, 54(12): 63-68.
URL: http://cea.ceaj.org/EN/10.3778/j.issn.1002-8331.1702-0164
http://cea.ceaj.org/EN/Y2018/V54/I12/63