Static Detection of Access Control Vulnerabilities in Vue Applications

In this article we review the research progress of the mainstream methods for detecting access control vulnerabilities and, building on that work, design a method for detecting access control vulnerabilities in Vue applications. We then evaluate the method on a vulnerability test set of our own design and largely achieve the research goal of this article.


Introduction
Web applications play an important role in modern society, underpinning e-commerce, social networking and finance. Because they are open and widely deployed, a large number of criminals attempt to obtain user data and resources from them. The security of Web applications has therefore become an extremely important issue.
Access control prevents unauthorized access to resources, thereby protecting each user's data in the application and the stability of the system. Web applications store large amounts of private user data, and to protect it developers adopt strict access control. In a Web application, every access to a privileged resource arrives as a new HTTP request that must be parsed to identify the previously logged-in user, which places stricter requirements on the access control policy of a Web application.
There are several causes of access control vulnerabilities. First, the access control functions of a Web application are written by its developers, who during development often pay more attention to other key functions, so access control checks may be omitted. Second, Web applications often have multiple authorization roles, and the logic of the access control policy is very complex; limited by the developers' coding ability and their knowledge of access control design, incomplete or incorrect access control is common. In addition, a Web application usually connects to the database directly as a superuser with the highest privileges, so any small error in the authorization logic may cause serious data damage.
Since the 1990s, researchers have proposed many methods and tools for detecting access control vulnerabilities. We surveyed the relevant literature since 2011, which consists mainly of static detection methods, and on that basis set out to design a method for detecting access control vulnerabilities in Vue applications.
The contributions of this paper are:
1. A summary of four common detection techniques in the field of access control vulnerability detection.
2. Based on previous studies, optimized versions of the relevant algorithms and a more suitable parser and solver, adapted to Vue.

Related Work
There are two common approaches to access control vulnerability detection, namely dynamic detection and static detection. Dynamic detection often fails to find hidden pages and to obtain the expected access permissions of each user; in addition, because user input is usually restricted, the pages covered by dynamic detection are often shallow and incomplete. Sun et al. [7] first proposed a static detection method for access control vulnerabilities at the USENIX Security conference in 2011. Static detection has better coverage than dynamic detection, and since then it has become the mainstream direction of academic research on access control vulnerability detection. At present, the biggest difficulty researchers face in static detection is extracting an accurate access control policy. On the one hand, there are many kinds of Web applications, and their access control policies differ from one another. On the other hand, developers seldom write an explicit access control policy for a Web application, so researchers have to extract the policy from the source code. Analyzing the source code involves extremely tedious manual work and must also cope with errors in the developers' implementation. In response to these problems, researchers have proposed a number of solutions, which we summarize into four types: force browsing, context-based detection, model-based detection and graph-based detection.
In this section, we introduce the technical routes of these four static detection methods and briefly analyze their characteristics.

Force Browsing
Force browsing is the act of accessing a page directly: the visitor does not reach it through a link displayed on a page but by guessing or enumerating its URL. For an attacker, the URLs of certain pages in an application are highly predictable, for example files named by date. Researchers consider a forced browse successful when the HTML page obtained through force browsing is identical to the page obtained through normal access and no redirection, exception or error occurs while the page is rendered.
Force browsing is often used to simulate a low-privilege user accessing the resources of a high-privilege user. The technique was first proposed by Sun et al. [7].

Context-based Detection Technique
Context-based detection first extracts the security-sensitive operations in the program, generally by means of context-free grammars and similar techniques. The same security-sensitive operation is expected to have the same context and the same set of redirects; by checking the consistency of the two, one can determine whether the program has an access control vulnerability [9].
This technique does not require an explicit access control policy for the Web application. In Web applications the policy is usually hidden in the code and is difficult to extract; this technique neatly avoids the problem.

Model-based Detection Technique
Developers often implement access control with a framework, and this technique targets such Web applications. Researchers first analyze an access control framework and then define a model that describes it, including its access control attributes. Finally, the model is used to check whether the Web application correctly implements its access control policy and so whether vulnerabilities exist [10].
The main difficulty of this technique is describing, in the model, the relationship between the access control attributes and the other attributes. Different frameworks define them differently, and development languages differ in their characteristics, so such a technique can only be implemented for a specific framework in a specific language and cannot detect access control vulnerabilities in other kinds of Web applications.

Graph-Based Detection Technique
There are many ways to implement this technique. Some researchers describe the Web application with a control flow graph, some with a site map, and some with a permission verification graph. A node in the graph usually represents a page or a resource of the Web application. Researchers then use constraint solving, flow analysis and other methods to decide reachability between nodes: if an unprivileged user can reach a privileged node by some means, that node has an access control vulnerability [7] [8] [11].
This technique scales well, and the method used to check each node can be chosen according to the characteristics of the Web application. For this reason most researchers have adopted it.

Detection Method
We describe the site map of each role with a context-free grammar CFG = (V_T, V_N, P, S). In this article each page is represented by a symbol. V_T is the set of terminal symbols; an inactive node is a terminal of the role's site map. V_N is the set of non-terminals; active nodes are the non-terminals. P is the set of productions, which we use to compute the reachability of nodes. S is the start symbol, for which we use the entry node of the role in the Vue application.
Assume the Vue application has two roles a and b, with a having higher permissions than b. We obtain the privileged nodes by comparing the site maps of a and b. When a user of role b can reach a privileged node through a navigation path the system allows, we consider that node to have an access control vulnerability. Our detection algorithm therefore has two steps:
1. According to the input specification and regular expressions, construct a context-free grammar for each of the two roles.
2. Obtain the privileged nodes by comparing the two site maps, then detect forced access to each privileged node and analyze the vulnerability by comparing the context-free grammars and redirection sets obtained.
The site map builder is the most important part of the detection method. It has two components: the link extractor and the context-free grammar constructor. We construct the context-free grammar page by page, using the link extraction algorithm to extract the links of each page and so find the outgoing edges of each node.
A Vue single-file component has three parts: HTML in the <template> block, CSS in the <style> block and JavaScript in the <script> block. To generate the site map of each role we need to analyze the HTML block and the JavaScript block of each Vue page.
The <script> block contains the access control check. This code checks whether the current role is an authorized role of the page and decides whether the current role may jump to the next page. The <template> block contains the links to the next nodes reachable from the current page; we extract these links to find the edges of the current node. Figure 1 shows the process of constructing the context-free grammars: the JavaScript source is first parsed into an AST with Acorn and then converted into an IR through Jimple; path constraints are collected by traversing the IR and solved with the Z3 solver to update the context-free grammar; finally the site map of the role is built. The IR is traversed top-down, and the constraints are updated continuously during the analysis; in particular, the values of conditional control statements determine the actual execution path of the program. The condition of an if statement that decides whether the user is authorized is generally an equality or inequality test returning a Boolean, so our system collects exactly such path constraints while traversing the IR.

Context-free Grammar Constructor
To solve the collected constraints we use the SMT (Satisfiability Modulo Theories) solver Z3. The role's access control information, including the role type and role state, is taken as input and the constraints are solved; if a solution exists, we consider that the role can access the node.
Users and nodes are used as tokens. For a user who, according to the solver, can access the current node, we generate a new production rule. From this rule the context-free grammar yields the derivation of a path that an authorized user is allowed to access.
In this way we continuously update the context-free grammar of each role until the CFG can generate all access paths of the role. At this point the construction of the role's context-free grammar is complete.
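The two-step method above, as an added example written for this article rather than the paper's own tool. It models a constructed Vue application with hypothetical route names: each page carries the path constraints its <script> guard would impose and the links its <template> exposes, with a v-if on a link recorded as a constraint on that edge. For each role a site map grammar is built from the entry page; the Z3 step is replaced by direct evaluation of the constraints against the role's concrete attributes; privileged nodes are the difference of the two site maps; and forced access is simulated by asking whether the privileged node's own guard admits the lower role:

```javascript
// Constructed sample application (hypothetical pages, not from the paper's
// test set). A guard is a conjunction of path constraints collected from the
// page's <script> access check, written as [attribute, operator, value]; an
// empty guard means the page performs no check. Each link is [target, guard],
// the guard coming from a v-if around the link in <template>.
const PAGES = {
  "/home": {
    guard: [],
    links: [
      ["/profile", [["loggedIn", "==", true]]],
      ["/admin", [["role", "==", "admin"]]],
      ["/export", [["role", "==", "admin"]]],
    ],
  },
  "/profile": { guard: [["loggedIn", "==", true]], links: [["/home", []]] },
  "/admin": { guard: [["role", "==", "admin"]], links: [["/admin/users", []], ["/home", []]] },
  // A leaf page with no outgoing links: an inactive node, a terminal of the grammar.
  "/admin/users": { guard: [["role", "==", "admin"]], links: [] },
  // The link to /export is hidden from non-admins, but the page itself never
  // re-checks the role: the missing-check pattern the method is meant to find.
  "/export": { guard: [], links: [["/home", []]] },
};
const ENTRY = "/home";

// Role information handed to the solver: type and state of each role.
const ROLES = {
  admin: { loggedIn: true, role: "admin" },
  user: { loggedIn: true, role: "user" },
};

// Stand-in for the Z3 step: decide whether the role's attributes satisfy the
// conjunction of constraints. With a concrete attribute assignment this is
// plain evaluation; the paper hands symbolic constraints to an SMT solver.
function satisfiable(constraints, role) {
  return constraints.every(([attr, op, value]) => {
    switch (op) {
      case "==": return role[attr] === value;
      case "!=": return role[attr] !== value;
      case "in": return value.includes(role[attr]);
      default: throw new Error(`unknown operator ${op}`);
    }
  });
}

// Build the role's site map as a grammar CFG = (V_T, V_N, P, S): S is the
// entry page; every page the role can open gets a production listing the
// links it exposes to that role; a page with outgoing links is a non-terminal
// (active node) and one without is a terminal (inactive node). Pages whose
// guard rejects the role get no production and so are absent from the map.
function buildSiteMap(role) {
  const productions = {};
  const seen = new Set();
  const worklist = [ENTRY];
  while (worklist.length > 0) {
    const page = worklist.pop();
    if (seen.has(page)) continue;
    seen.add(page);
    if (!satisfiable(PAGES[page].guard, role)) continue;
    const rhs = PAGES[page].links
      .filter(([, cond]) => satisfiable(cond, role))
      .map(([target]) => target);
    productions[page] = rhs;
    worklist.push(...rhs);
  }
  const pages = Object.keys(productions);
  return {
    start: ENTRY,
    productions,
    nonTerminals: pages.filter((p) => productions[p].length > 0),
    terminals: pages.filter((p) => productions[p].length === 0),
  };
}

// Step 2a: privileged nodes are pages in the higher role's site map that are
// missing from the lower role's.
function privilegedNodes(highMap, lowMap) {
  return Object.keys(highMap.productions).filter((p) => !(p in lowMap.productions));
}

// Step 2b: forced access by the lower role. Statically, "the page renders with
// no redirect" means the page's own guard admits the role. A privileged node
// that admits the lower role is reported, together with the pages in the
// lower role's site map whose template carries the link (where the URL leaks).
function detect(highRole, lowRole) {
  const highMap = buildSiteMap(ROLES[highRole]);
  const lowMap = buildSiteMap(ROLES[lowRole]);
  const privileged = privilegedNodes(highMap, lowMap);
  const vulnerable = privileged
    .filter((p) => satisfiable(PAGES[p].guard, ROLES[lowRole]))
    .map((p) => ({
      page: p,
      exposedFrom: Object.keys(lowMap.productions).filter((q) =>
        PAGES[q].links.some(([target]) => target === p)),
    }));
  return { privileged, vulnerable };
}

console.log(JSON.stringify(detect("admin", "user"), null, 2));
```

On this sample the admin site map covers all five pages, the user site map only /home and /profile, so /admin, /admin/users and /export are privileged; only /export admits the user role on forced access and is reported, with /home as the page whose template leaks its URL. Replacing satisfiable with a real solver call is what lets the same structure handle guards over symbolic role state rather than a fixed table of roles.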

Link Extractor
The link extraction algorithm is EXTRACTLINKS(template, dfa), which returns the set LINKS. Unlike traditional HTML, links in Vue pages do not always appear as literal attribute values; a new attribute binds the value to data, as in the following example:
<a v-bind:href="link"></a>
Here v-bind indicates that the href attribute of the a tag is determined by the variable link in the component's data. Reading the attribute as in plain HTML yields only the variable name link, not the actual link address.
In Vue, the template string in <template> is dynamically converted into real DOM nodes at runtime; our tool simulates this conversion (the checkuser function) so that such bindings can be resolved.
Table 1 shows the analysis results for 4 Vue applications. As the data show, our tool detected one vulnerability in each of AccVulPrototype1 and AccVulPrototype2, that is, it detected all vulnerabilities with no missed reports, and it raised no false positives on the non-vulnerable versions of the applications. The detection method therefore has good accuracy.
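The link extractor described above, as an added example (not the paper's code) for the data-binding case: it scans a constructed <template> for <a> and <router-link> elements, reads literal href and to attributes directly, and resolves bound ones (v-bind:href, :href, :to, v-bind:to) against the object the component's data() would return, which the paper obtains from the <script> block. The expression grammar it understands is deliberately small (string literals, dotted paths into data, and + concatenation); anything else is reported unresolved together with its raw expression, and a v-if on the element is returned as the edge's condition. The sample template and data() are constructed for the example.

```javascript
// Constructed sample: a <template> block and the object its data() returns
// (hypothetical component, not from the paper's test set).
const sampleTemplate = `
<template>
  <nav>
    <a href="/home">Home</a>
    <a v-bind:href="profileLink">Profile</a>
    <router-link :to="links.admin" v-if="user.role === 'admin'">Admin</router-link>
    <a :href="'/export/' + exportId">Export</a>
    <a :href="apiResponse.url">Dynamic</a>
  </nav>
</template>`;
const sampleData = () => ({
  profileLink: "/profile",
  links: { admin: "/admin" },
  exportId: 2024,
});

// Start tags of link elements, and the attributes inside one start tag.
const TAG_RE = /<(a|router-link)\b([^>]*?)\/?>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/g;
// Attributes that carry a navigation target; the first two hold literal URLs,
// the rest hold expressions bound with v-bind (":" is its shorthand).
const TARGET_ATTRS = ["href", "to", ":href", "v-bind:href", ":to", "v-bind:to"];
const LITERAL_ATTRS = new Set(["href", "to"]);

// Parse the attribute list of one start tag into a name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1]] = m[2] ?? m[3] ?? "";
  return attrs;
}

// Resolve a bound expression against data. Supported: string literals,
// identifiers and dotted paths into data, and "+" concatenation of those.
// Returns null when the expression uses anything else or a path is missing.
function resolveExpr(expr, data) {
  const parts = [];
  for (const piece of expr.split("+")) {
    const t = piece.trim();
    const lit = /^(['"])(.*)\1$/.exec(t);
    if (lit) { parts.push(lit[2]); continue; }
    if (!/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(t)) return null;
    const v = t.split(".").reduce((o, k) => (o == null ? undefined : o[k]), data);
    if (typeof v !== "string" && typeof v !== "number") return null;
    parts.push(String(v));
  }
  return parts.join("");
}

// Extract the outgoing edges of a page: one entry per link element, with the
// resolved target (or null plus the raw expression) and the v-if condition.
function extractLinks(template, data) {
  const links = [];
  for (const match of template.matchAll(TAG_RE)) {
    const attrs = parseAttrs(match[2]);
    const name = TARGET_ATTRS.find((a) => a in attrs);
    if (name === undefined) continue;
    const cond = attrs["v-if"] ?? null;
    const value = attrs[name];
    const target = LITERAL_ATTRS.has(name) ? value : resolveExpr(value, data);
    links.push(target === null ? { target: null, expr: value, cond } : { target, cond });
  }
  return links;
}

console.log(extractLinks(sampleTemplate, sampleData()));
```

The unresolved entry is the important output for site map construction: a bound link whose value only exists at runtime (here apiResponse.url, which is not in data) is an edge the static site map cannot follow, so the extractor reports it rather than dropping it silently. The v-if string is returned verbatim so that the grammar constructor can turn it into a path constraint on the edge.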

Conclusion
This article builds on previous work. Based on the characteristics of Vue applications, it improves the relevant algorithms and selects a more suitable parser and solver to implement our tool. Compared to existing tools, we improve the context-free grammar constructor and the link extraction algorithm to adapt them to Vue. In applications developed in PHP, the HTML code appears directly in the source, whereas a Vue application must parse the template string to obtain the real HTML. We therefore first parse the template string into an AST and then convert the AST into DOM nodes to obtain the HTML, extracting the values of variables from the JavaScript code during the conversion, which makes link extraction more accurate.
Our work has largely achieved its research goals and produced some results, but it has also revealed new problems and areas for improvement. The tool does not handle the object-oriented features of the ES6 standard, which prevents it from parsing Vue pages that use them. In future work we hope to add support for more ES6 features, including the object-oriented ones, to make the analysis more accurate.

Acknowledgments
This work is supported by the National Key Research and Development Program of China (No. 2017YFB1400805). Sun Jinan is the corresponding author.