An unauthorized access vulnerability is a logical flaw and a common security vulnerability of web applications. Like access control flaws in general, it usually involves sensitive information, so the damage when it is exploited is relatively large. In general, an unauthorized access attack takes several different forms, such as a missed operation, an added operation, or a disordered operation sequence.
A missed operation is executing a later step directly, thereby bypassing an operation such as authorization. For example, in a multi-step process, a shopping operation is executed directly, bypassing the payment operation. In such a process, access to one webpage depends on an authorization result from another webpage. When these mutual dependencies are implemented incorrectly, an attacker who learns which webpage should be accessed in the next step or stage may be able to access that webpage directly, leading to an unauthorized access vulnerability.
An added operation is executing operations outside one's own authority. For example, when this vulnerability is exploited, an attacker who has logged in to a private account may view other people's orders by modifying the order number and other parameters.
A disordered operation sequence is executing operations out of the predefined order so as to evade the program's verification.
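The three forms described above share one root cause: the server trusts the client to arrive at a step, or at an object, in the right order and with the right authority. The following added example (not code from the original text) shows the server-side checks that close all three. The checkout flow, its step names, and the session and order records are constructed for illustration; the only state consulted is held by the server, never a parameter supplied by the client.

```python
"""Server-side enforcement of a multi-step flow and of object ownership.

Added example, not from the original text. The checkout steps, users and
order records below are constructed for illustration.
"""
from dataclasses import dataclass, field

# The predefined operation sequence (constructed example).
CHECKOUT_FLOW = ["cart", "address", "payment", "confirm"]


class FlowError(Exception):
    """Raised when a request does not match the server-held flow state."""


@dataclass
class Session:
    user_id: str
    completed: list = field(default_factory=list)  # steps finished so far, in order


@dataclass
class Order:
    order_id: str
    owner_id: str
    total: float


def advance(session: Session, requested_step: str) -> str:
    """Permit `requested_step` only if it is the next step in CHECKOUT_FLOW.

    A missed operation (e.g. 'confirm' before 'payment') and a disordered
    operation (e.g. 'payment' before 'address') are both rejected, because the
    expected step is derived from what the server has recorded as completed.
    """
    if requested_step not in CHECKOUT_FLOW:
        raise FlowError(f"unknown step {requested_step!r}")
    expected_index = len(session.completed)
    if expected_index >= len(CHECKOUT_FLOW):
        raise FlowError("flow already completed")
    expected = CHECKOUT_FLOW[expected_index]
    if requested_step != expected:
        raise FlowError(f"expected {expected!r}, got {requested_step!r}")
    session.completed.append(requested_step)
    return requested_step


def load_order(session: Session, order_id: str, orders: dict) -> Order:
    """Return an order only if the logged-in user owns it (blocks added operations).

    'Not found' and 'not yours' produce the same error so that a modified
    order number does not reveal whether another user's order exists.
    """
    order = orders.get(order_id)
    if order is None or order.owner_id != session.user_id:
        raise PermissionError("order not found")
    return order


def demo() -> dict:
    """Exercise the three cases from the text and report which were blocked."""
    orders = {
        "1001": Order("1001", "alice", 42.0),
        "1002": Order("1002", "bob", 17.5),
    }
    results = {}

    # Missed operation: jump straight to 'confirm'.
    s = Session("alice")
    try:
        advance(s, "confirm")
        results["missed"] = "allowed"
    except FlowError:
        results["missed"] = "blocked"

    # Disordered sequence: 'payment' requested before 'address'.
    s = Session("alice")
    advance(s, "cart")
    try:
        advance(s, "payment")
        results["disordered"] = "allowed"
    except FlowError:
        results["disordered"] = "blocked"

    # Correct sequence still works.
    s = Session("alice")
    for step in CHECKOUT_FLOW:
        advance(s, step)
    results["in_order"] = s.completed == CHECKOUT_FLOW

    # Added operation: alice changes the order number to bob's order.
    s = Session("alice")
    try:
        load_order(s, "1002", orders)
        results["added"] = "allowed"
    except PermissionError:
        results["added"] = "blocked"
    results["own_order_total"] = load_order(s, "1001", orders).total
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `advance` is that the step a client is allowed to reach is computed from `session.completed`, which the client cannot edit; a hidden form field or a "step=4" parameter carries no authority. Likewise `load_order` keys the ownership check on the authenticated `user_id`, not on anything in the request.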
Because an unauthorized access is, on the wire, a normal website access operation, security gateways often cannot distinguish it from legitimate application traffic. Therefore, unlike other cyber attacks that can be detected in an automated detection environment, the unauthorized access vulnerability is very difficult to discover.
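Since every request in such an attack returns a normal status code, detection has to model the application's own step order and object ownership rather than request syntax. The following added example (not code from the original text) runs two such checks over a constructed access log: one flags a session that reached a checkout step without having passed the earlier steps, the other flags a user who fetched an unusually large number of distinct order numbers. The log format, paths and user names are constructed assumptions.

```python
"""Application-level detection of skipped-step and order-enumeration patterns.

Added example, not from the original text. The log lines, path layout and
threshold below are constructed for illustration.
"""
import re
from collections import defaultdict

# Checkout steps in their predefined order (constructed example).
STEP_PATHS = {
    "/checkout/cart": 0,
    "/checkout/address": 1,
    "/checkout/payment": 2,
    "/checkout/confirm": 3,
}

LOG_RE = re.compile(
    r"session=(?P<session>\S+) user=(?P<user>\S+) path=(?P<path>\S+) status=(?P<status>\d+)"
)
ORDER_RE = re.compile(r"^/orders/(\d+)$")

# Constructed sample log. Every line is a successful (200) request, which is
# exactly why a gateway that looks at single requests sees nothing unusual.
SAMPLE_LOG = """
ts=2024-01-01T10:00:01 session=s1 user=alice path=/checkout/cart status=200
ts=2024-01-01T10:00:05 session=s1 user=alice path=/checkout/address status=200
ts=2024-01-01T10:00:09 session=s1 user=alice path=/checkout/payment status=200
ts=2024-01-01T10:00:14 session=s1 user=alice path=/checkout/confirm status=200
ts=2024-01-01T10:01:00 session=s2 user=mallory path=/checkout/cart status=200
ts=2024-01-01T10:01:02 session=s2 user=mallory path=/checkout/confirm status=200
ts=2024-01-01T10:02:00 session=s3 user=alice path=/orders/1001 status=200
ts=2024-01-01T10:03:00 session=s4 user=mallory path=/orders/1001 status=200
ts=2024-01-01T10:03:01 session=s4 user=mallory path=/orders/1002 status=200
ts=2024-01-01T10:03:02 session=s4 user=mallory path=/orders/1003 status=200
ts=2024-01-01T10:03:03 session=s4 user=mallory path=/orders/1004 status=200
""".strip().splitlines()


def parse(line: str):
    """Extract session, user, path and status; None for lines that do not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def find_step_anomalies(lines):
    """Report (session, path, missing_steps) whenever a checkout step was reached
    in a session that never completed one of the steps before it."""
    seen = defaultdict(set)
    findings = []
    for rec in map(parse, lines):
        if rec is None or rec["status"] != "200":
            continue
        idx = STEP_PATHS.get(rec["path"])
        if idx is None:
            continue
        missing = sorted(
            p for p, i in STEP_PATHS.items() if i < idx and p not in seen[rec["session"]]
        )
        if missing:
            findings.append((rec["session"], rec["path"], missing))
        seen[rec["session"]].add(rec["path"])
    return findings


def find_order_enumeration(lines, threshold: int = 3):
    """Return {user: count} for users who fetched at least `threshold` distinct
    order numbers, a pattern consistent with modifying the order parameter."""
    per_user = defaultdict(set)
    for rec in map(parse, lines):
        if rec is None or rec["status"] != "200":
            continue
        m = ORDER_RE.match(rec["path"])
        if m:
            per_user[rec["user"]].add(m.group(1))
    return {u: len(ids) for u, ids in per_user.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for finding in find_step_anomalies(SAMPLE_LOG):
        print("skipped steps:", finding)
    print("order enumeration:", find_order_enumeration(SAMPLE_LOG))
```

Both detectors need per-session or per-user state across requests, which is the state a request-by-request gateway lacks; in practice the step order would come from the application's own flow definition and the enumeration threshold from the normal number of orders a user views.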
It should be noted that the above information is only used to assist in understanding the technical aspects of the present invention, and it does not represent that such information is prior art. The disclosed methods and systems are directed to solve one or more problems set forth above and other problems in the art.