Automatic detection method of API access control vulnerability based on dynamic behavior chain and session mutation

Technology of Information Security

App. Res. of Comp. Printed Article

Vol. 42, 2025 No. 12

3744-3751

Ren Guanrong^1,2

Gao Jian¹

Hu Siju¹

1. School of Cybersecurity, People's Public Security University of China, Beijing 100038, China

2. Chengdu Public Security Bureau, Chengdu 610017, China

DOI: 10.19734/j.issn.1001-3695.2025.04.0162

Abstract

To address low interface coverage, insufficient automation, and limited detection accuracy in API access control vulnerability detection under complex interactive scenarios, this study developed an automated detection method integrating dynamic behavior chains and session mutation. Multilayer action chains simulated user operation paths to trigger API calls, while a traffic proxy middleware dynamically linked front-end interactions with back-end API invocations to construct interface maps. Role-based and user-based session mutation attack vectors achieved comprehensive vulnerability coverage, and a rule engine combined with a large language model enhanced detection accuracy through collaborative response analysis. Comparative experiments on six mainstream frameworks including ShenYu and APISIX demonstrate: 89.2% interface coverage, successful identification of all 20 known vulnerabilities, and 95.2% detection precision, outperforming other detection tools and proving its effectiveness and superiority. Engineering applications reveal a horizontal privilege escalation vulnerability(CVE-2024-31006) in the SD-WEBUI AI image framework, validating the method's practical utility in complex interactive environments.

Key Words

API security access control vulnerability dynamic behavior chain session mutation vulnerability detection

Foundation Support

中国人民公安大学中央基本科研业务费资助项目(2024JKF17)

Publish Information

DOI: 10.19734/j.issn.1001-3695.2025.04.0162

Publish at: Application Research of Computers Printed Article, Vol. 42, 2025 No. 12

Section: Technology of Information Security

Pages: 3744-3751

Serial Number: 1001-3695(2025)12-028-3744-08

Publish History

[2025-08-21] Accepted Paper

[2025-12-05] Printed Article

Cite This Article

任官荣, 高见, 胡驷驹. 基于动态行为链和会话变异的API访问控制漏洞自动化检测方法 [J]. 计算机应用研究, 2025, 42 (12): 3744-3751. (Ren Guanrong, Gao Jian, Hu Siju. Automatic detection method of API access control vulnerability based on dynamic behavior chain and session mutation [J]. Application Research of Computers, 2025, 42 (12): 3744-3751. )

Abstract Key Words Foundation Support Publish Information Publish History Cite This Article

About the Journal

Application Research of Computers Monthly Journal
Journal ID ISSN 1001-3695
CN 51-1196/TP

Application Research of Computers, founded in 1984, is an academic journal of computing technology sponsored by Sichuan Institute of Computer Sciences under the Science and Technology Department of Sichuan Province.

Aiming at the urgently needed cutting-edge technology in this discipline, Application Research of Computers reflects the mainstream technology, hot technology and the latest development trend of computer application research at home and abroad in a timely manner. The main contents of the journal include high-level academic papers in this discipline, the latest scientific research results and major application results. The contents of the columns involve new theories of computer discipline, basic computer theory, algorithm theory research, algorithm design and analysis, blockchain technology, system software and software engineering technology, pattern recognition and artificial intelligence, architecture, advanced computing, parallel processing, database technology, computer network and communication technology, information security technology, computer image graphics and its latest hot application technology.

Application Research of Computers has many high-level readers and authors, and its readers are mainly senior and middle-level researchers and engineers engaged in the field of computer science, as well as teachers and students majoring in computer science and related majors in colleges and universities. Over the years, the total citation frequency and Web download rate of Application Research of Computers have been ranked among the top of similar academic journals in this discipline, and the academic papers published are highly popular among the readers for their novelty, academics, foresight, orientation and practicality.

Indexed & Evaluation

The Second National Periodical Award 100 Key Journals
Double Effect Journal of China Journal Formation
the Core Journal of China (Peking University 2023 Edition)
the Core Journal for Science
Chinese Science Citation Database (CSCD) Source Journals
RCCSE Chinese Core Academic Journals
Journal of China Computer Federation
2020-2022 The World Journal Clout Index (WJCI) Report of Scientific and Technological Periodicals
Full-text Source Journal of China Science and Technology Periodicals Database
Source Journal of China Academic Journals Comprehensive Evaluation Database
Source Journals of China Academic Journals (CD-ROM Version), China Journal Network
2017-2019 China Outstanding Academic Journals with International Influence (Natural Science and Engineering Technology)
Source Journal of Top Academic Papers (F5000) Program of China's Excellent Science and Technology Journals
Source Journal of China Engineering Technology Electronic Information Network and Electronic Technology Literature Database
Source Journal of British Science Digest (INSPEC)
Japan Science and Technology Agency (JST) Source Journal
Russian Journal of Abstracts (AJ, VINITI) Source Journals
Full-text Journal of EBSCO, USA
Cambridge Scientific Abstracts (Natural Sciences) (CSA(NS)) core journals
Poland Copernicus Index (IC)
Ulrichsweb (USA)