基于动态行为链和会话变异的API访问控制漏洞自动化检测方法

打开文本图片集

²（1．，；2．，）

关键词：API安全；访问控制漏洞；动态行为链；会话变异；漏洞检测中图分类号：TP393 文献标志码：A 文章编号：1001-3695(2025)12-028-3744-08doi:10.19734/j.issn.1001-3695.2025.04.0162

Automatic detection method of API access control vulnerability based on dynamic behavior chain and session mutation

Ren Guanrong1，Gao Jian，Hu Siju(1.Schlofbeseuityeople'sblicurityUiestfinejingohna;.edPubcuriyurdu 610017,China）

Abstract:Toaddress lowinterface coverage，insufficientautomation，andlimiteddetectionacuracyinAPIaccescontrol vulnerabilitydetectionundercomplexinteractivescenarios,thisstudydevelopedanautomateddetectionmethod integrating dynamic behaviorchains andsesion mutation.Multilayeractionchains simulateduseroperationpaths totriggerAPIcas,，while atrafic proxymiddlewaredynamicalllinkedfront-endinteractionswithback-endAPIinvocationstoconstruct interfacemaps. Role-basedanduser-basedsessonmutationatackvectorsachievedcomprehensivevulnerabilitycoverage，andaruleengine combined witha large languagemodel enhanced detectionaccuracy through colaborativeresponseanalysis.Comparative experiments on six mainstream frameworks including ShenYu and APISIX demonstrate: 89.2% interface coverage，successful identification of all 2O known vulnerabilities，and 95.2% detection precision，outperforming other detection tools and proving itsefectivenessandsuperiorityEngineringapplicationsrevealahorizontalprivilegeescalationvulnerability（CVE-2024- 31006）intheSD-WEBUIAIimageframework，validating themethod’spracticalutilityincomplexinteractiveenvironments. Key words:API security；accesscontrol vulnerability；dynamic behavior chain；session mutation；vulnerabilitydetection

0 引言

随着数字化技术的高速发展，在云原生化和微服务化的趋势下，API成为应用程序和服务之间交换数据的重要通道，越来越多的企业和组织使用API实现业务流程的自动化、数据的集成与共享，API的数量和应用范围出现爆发性增长的趋势，广泛应用于政务、金融和互联网等行业。（剩余25457字）