HADE：一種用於偵測網站應用程式中過度資料暴露漏洞的混合式分析方法

Abstract

儘管網站應用程式早已被廣泛採用，現代網站系統日益增加的複雜度與規模，重新引發了對過度資料暴露（ExcessiveDataExposure,EDE）的關注。過度資料暴露違反了資料最小化原則，該原則要求系統僅處理與傳輸其功能所嚴格必要的資料。現有解決方案多透過動態分析來偵測後端API回傳的多餘資料；然而，這類方法雖具實用性，卻面臨執行階段成本高昂的問題，且因依賴以DOM為基礎的渲染機制，容易忽略非視覺性或隱性資料的使用情形。 為克服上述限制，本文提出一種以資料最小化為核心的新穎鍵匹配方法。該方法透過分析前端程式碼，追蹤實際被使用的API回應資料，並將其與後端回傳內容進行關聯分析，從而在不需執行程式或進行UI渲染的情況下，即可於原始碼層級提前偵測過度資料暴露。此外，本文結合靜態與動態JavaScript切片技術，將其整合至所提出的鍵匹配方法中，以進一步提升對於過度資料暴露偵測的準確率。 本方法於65個真實網站以及四個自行部署的測試網站上進行測試，平均偵測時間為6.86秒，準確率達93.29%。當結合靜態JavaScript切片技術時，平均偵測時間增加至56.32秒，而準確率提升至95.93%。進一步結合動態JavaScript切片技術後，平均偵測時間增加至79.15秒，準確率則提升至98.33%實驗結果顯示，本方法可成功應用於不同的測試案例，且效能優於既有方法，展現其高度適用性以及於實務與大規模部署上的潛力。

While web applications have long been widely adopted, the growing complexity and scale of modern web systems have raised renewed concerns about Excessive Data Exposure (EDE)—a violation of the data minimization principle, which requires systems to process and transmit only data strictly necessary for their functions. Existing solutions use dynamic analysis to detect superfluous data returned by backend APIs. While useful, they suffer from high runtime overhead and limitations caused by relying on DOM-based rendering, which can miss non-visual or implicit data usage. To overcome these issues, we propose a novel key matching approach grounded in data minimization. Our approach analyzes frontend code to track actual API response usage and correlates it with backend responses. This enables early, source-level detection of excessive data exposure without requiring runtime execution or UI rendering. Additionally, we integrate our key matching approach with both static and dynamic JavaScript slicing techniques to improve its accuracy in detecting Excessive Data Exposure. Tested on 65 real-world websites and four self-deployed test websites, our method achieves an average detection time of 6.86 seconds with 93.29% accuracy. When combined with static JavaScript slicing technique, the average detection time increases to 56.32 seconds while the accuracy improves to 95.93%. When combined with dynamic JavaScript slicing technique, the average detection time increases to 79.15 seconds while the accuracy improves to 98.33%. It successfully applies to different tested cases and outperforms previous approaches, highlighting its high applicability and strong potential for practical and large-scale deployment.